The APT (Advanced Persistent Threat) group was spotted sending spear-phishing emails that purport to carry detailed information about COVID-19, a.k.a. Coronavirus, but instead infect victims with a custom remote access Trojan (RAT).
The group is using the coronavirus pandemic to infect unsuspecting victims with previously unseen malware. Researchers dubbed the campaign 'Vicious Panda', and the attackers are running it at the moment. Researchers found two Rich Text Format (RTF) files that targeted the Mongolian public sector during the outbreak. Once the files are opened, a unique, custom-made remote access Trojan is executed. It enumerates directories and files on the infected device, takes screenshots, and generally collects information about the host.
Check Point researchers said the campaign appeared to be the latest iteration of a long-running, China-based operation aimed at various governments and organizations around the world. In this specific case, the COVID-19 pandemic was used to lure victims into triggering the infection chain.
Emails using social engineering to fool users
The emails claim to be from the Mongolian Ministry of Foreign Affairs and carry alleged information about new coronavirus infections. The RTF files attached to the emails were weaponized with a version of RoyalRoad, a document-weaponizing tool shared by several Chinese threat actors. It lets attackers build documents with embedded objects that exploit vulnerabilities in the Equation Editor component of Microsoft Word.
Once the victim opens the specially crafted RTF document, the Equation Editor vulnerability is exploited and a malicious file named intel.wll is dropped into the Microsoft Word startup folder (%APPDATA%\Microsoft\Word\STARTUP).
Word loads any .wll add-in library found in that folder each time it starts, which gives the threat persistence. It also means the rest of the chain never runs in a sandbox that merely opens the document once: Word has to be relaunched before the malware executes fully. intel.wll then downloads another DLL that acts as the malware's loader and communicates with the command-and-control server used by the threat actors.
According to the researchers, the threat actor keeps the C&C server up for only a few hours a day, which makes it harder to track and to analyze the later parts of the infection chain. In the final stage, the loader receives a command, downloads and decrypts the RAT module (also a DLL), and loads it into memory. This plugin-style architecture suggests there are other modules besides the payload that was observed.
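The two artifacts in the chain above that a defender can check for statically are the weaponized RTF (an embedded object aimed at Equation Editor, often marked \objupdate so Word loads it on open) and the .wll dropped into the Word STARTUP folder. The following triage script is an added example, not code from Check Point or from the page; the RTF markers it looks for are general heuristics for Equation Editor exploit documents rather than a signature for this specific sample, and the sample RTF bytes and the startup-folder contents are constructed inline for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# RTF heuristics (assumptions for this example, not indicators from the page):
# an embedded \object, an Equation Editor class name, and \objupdate, the control
# word that makes Word load the object as soon as the document is opened.
OBJECT_RE = re.compile(rb"\\object\b")
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
# The class name is sometimes omitted from \objclass and only present inside
# the hex-encoded OLE stream, so the stream is decoded and searched too.
EQUATION_RE = re.compile(rb"Equation\.[23]")


def triage_rtf(data: bytes) -> dict:
    """Return indicators of Equation Editor exploitation found in an RTF blob."""
    findings = {
        # Word accepts a truncated "{\rt" header, so do not insist on "{\rtf1".
        "is_rtf": data.lstrip().startswith(b"{\\rt"),
        "has_object": bool(OBJECT_RE.search(data)),
        "has_objupdate": bool(OBJUPDATE_RE.search(data)),
        "object_classes": [c.decode(errors="replace") for c in OBJCLASS_RE.findall(data)],
        "equation_in_objdata": False,
    }
    for m in OBJDATA_RE.finditer(data):
        hexstream = re.sub(rb"\s+", b"", m.group(1))
        try:
            raw = bytes.fromhex(hexstream.decode("ascii"))
        except ValueError:
            continue  # malformed hex: skip this object rather than fail the file
        if EQUATION_RE.search(raw):
            findings["equation_in_objdata"] = True
    findings["suspicious"] = findings["is_rtf"] and findings["has_object"] and (
        findings["has_objupdate"]
        or any(c.startswith("Equation") for c in findings["object_classes"])
        or findings["equation_in_objdata"]
    )
    return findings


# Default path is the folder named in the article; overridable for testing.
WORD_STARTUP = Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Word" / "STARTUP"


def audit_word_startup(startup_dir=WORD_STARTUP) -> list:
    """List add-in libraries Word would auto-load from its STARTUP folder.

    Word loads every .wll (and the DLLs they pull in) from this folder on
    launch; a normal user profile rarely has any, so each hit deserves review.
    """
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return []
    return sorted(p.name for p in startup_dir.iterdir()
                  if p.suffix.lower() in (".wll", ".dll"))


# Constructed sample: truncated header, embedded object with \objupdate,
# Equation.3 class, and an \objdata stream whose hex decodes to "Equation.3".
SAMPLE_RTF = (
    b"{\\rt{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
    b"{\\*\\objdata 01050000020000000b0000004571756174696f6e2e3300}}}"
)
BENIGN_RTF = b"{\\rtf1\\ansi Hello from a plain document}"


def demo_startup_audit() -> list:
    """Build a throwaway STARTUP folder with a constructed intel.wll and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "intel.wll").write_bytes(b"MZ")   # constructed stand-in, not malware
        Path(tmp, "notes.txt").write_text("harmless")
        return audit_word_startup(tmp)


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_RTF), ("benign", BENIGN_RTF)):
        print(name, triage_rtf(blob))
    print("startup add-ins (demo):", demo_startup_audit())
    print("startup add-ins (this host):", audit_word_startup())
```

Run it on a real host and the last line reports whatever .wll or .dll files sit in the current user's Word STARTUP folder; feed `triage_rtf` the bytes of an attachment to get the indicator set. Because RoyalRoad builds vary and may obfuscate the object header, treat a negative result as "no obvious marker", not as clean.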
Similarity with past campaigns may reveal more about the threat actors
When the researchers looked into attribution, they compared the current campaign to a 2017 campaign in which the threat actors used the CMSTAR Trojan against the government of Belarus. They found similar code and infrastructure between the payloads of both campaigns, which allowed them to tie this operation to others carried out by the same unnamed group, dating back to 2016. Over the years, other countries were affected as well, including Ukraine and Russia alongside Belarus.
Attackers are continuing their coronavirus-themed operations, exploiting the panic around the pandemic to drive both their social engineering and their malware delivery.