CREAMSICLE

By GoldSparrow in Malware

CREAMSICLE is a threatening malware that has been associated with attacks against government institutions in India. CREAMSICLE is linked to APT30, an Advanced Persistent Threat group that appears to be sponsored by the Chinese government and carries out espionage operations. APT30 has gained notoriety for developing a wide variety of advanced malware threats, which include CREAMSICLE as well as numerous other malware components. The Chinese government has denied any involvement with APT30 or with malware like CREAMSICLE, claiming that such malware attacks are a global problem from which China itself is not exempt.

Why CREAMSICLE Attacks Its Victims' Computers

CREAMSICLE attacks have targeted government institutions located in India. CREAMSICLE appears to be far less sophisticated than other malware threats developed by APT30, but its attacks have nevertheless been highly effective. Like many malware threats, CREAMSICLE is delivered through email attachments: documents with embedded macros that download and install CREAMSICLE onto the victim's computer. CREAMSICLE is a Trojan downloader, a threat designed to infiltrate a computer, nullify its defenses and then install other malware. APT30 uses CREAMSICLE in conjunction with another malware threat known as MILKMAID. When the victim opens the corrupted document, its embedded macro downloads MILKMAID in the background. MILKMAID is a Trojan dropper that poses as an instance of the Firefox Web browser; it extracts the corrupted files associated with CREAMSICLE and installs the threat on the infected computer.
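The delivery chain above starts with a document attachment that carries a macro. A mail gateway or triage analyst can flag such attachments from file structure alone, before any macro is analysed. The following is an added example written for this page, not code from the article or from any report on CREAMSICLE: it checks whether an attachment is an OOXML container (a ZIP with a `[Content_Types].xml` part) holding a `vbaProject.bin` part, reports legacy OLE binaries (`.doc`/`.xls`) for inspection with a dedicated parser, and treats a VBA project behind a macro-free extension such as `.docx` as a mismatch worth escalating. The attachments it scans are constructed in memory for the example; `classify_attachment`, `build_ooxml`, `triage` and the verdict names are this example's own.

```python
"""Triage inbound Office attachments for embedded VBA macros.

Added example, not taken from the original article. It relies only on the
structure of the file formats: OOXML documents (.docx/.docm/.xlsx/.xlsm, ...) are
ZIP containers that store any VBA project as a part named vbaProject.bin, while
the legacy binary formats (.doc/.xls) are OLE compound files whose macro streams
need a dedicated parser and are therefore only reported here, not inspected.
"""
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                        # local file header of a ZIP archive
# Extensions whose format is allowed to carry a VBA project.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam")


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'macro', 'legacy-binary', 'clean' or 'not-office'."""
    ext = os.path.splitext(filename.lower())[1]
    if data.startswith(OLE_MAGIC):
        return "legacy-binary", "OLE compound file; inspect with an OLE-aware parser"
    if not data.startswith(ZIP_MAGIC):
        return "not-office", "neither OLE nor ZIP container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office", "corrupt ZIP container"
    if "[Content_Types].xml" not in names:
        return "not-office", "ZIP without OOXML content types part"
    # The VBA project, if present, is stored as <main part folder>/vbaProject.bin.
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba and ext not in MACRO_EXTENSIONS:
        return "macro", f"VBA project present but extension {ext or '(none)'} claims a macro-free format"
    if has_vba:
        return "macro", "VBA project part present"
    return "clean", "OOXML container without VBA project"


def build_ooxml(with_macro):
    """Construct a minimal OOXML container (constructed test data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes, not a real VBA stream
    return buf.getvalue()


# Constructed sample attachments; names and contents are invented for this example.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": build_ooxml(with_macro=True),
    "report.docx": build_ooxml(with_macro=False),
    "tender.docx": build_ooxml(with_macro=True),   # VBA project hidden behind a .docx name
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,         # header bytes only
    "notes.txt": b"plain text, nothing to inspect",
}


def triage(attachments):
    """Classify every attachment in a {filename: bytes} mapping."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:14} {verdict:14} {reason}")
```

The extension check matters because the verdict a user sees in Office depends on the declared format, while the attacker controls both the name and the content; a mismatch is a triage signal in its own right, not proof of malice.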

How CREAMSICLE Carries Out Its Attack After It Is Installed

Once installed on a computer, CREAMSICLE makes changes to the infected computer's settings and establishes a connection with its Command and Control server. The attackers behind the CREAMSICLE attack then contact CREAMSICLE manually and instruct it to retrieve a specific payload, which it downloads from the Command and Control server. The downloaded file is not launched right away, so as not to raise suspicion. Instead, CREAMSICLE modifies the infected computer's Startup settings so that the downloaded malware runs the next time Windows starts and the victim logs into the infected device.
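Because the payload is staged to run at the next login rather than immediately, the autostart configuration is where a defender will see it first. The following added example, written for this page and not taken from the article or from any APT30 report, audits the Run and RunOnce values from a Windows registry export (the text produced by `reg export`) and flags entries whose executable sits in a user-writable directory or borrows the name of a well-known program while living outside that program's install directory (the article notes that MILKMAID poses as Firefox). The `.reg` text, the user name `alice`, the vendor paths and the expected-directory table are all constructed assumptions for the example, not indicators from the page; in practice the flagged set is baselined against a known-good inventory of the host.

```python
"""Audit Windows Run/RunOnce autostart entries from a .reg export.

Added example, not from the original article. The heuristics (user-writable
directories, well-known binary names outside their usual install directory) are
the author's assumptions about what an analyst would baseline against; they are
not signatures for CREAMSICLE. Only REG_SZ values are parsed; REG_EXPAND_SZ
values appear in .reg files as hex(2):... and are skipped here.
"""
import re
from dataclasses import dataclass, field


@dataclass
class AutostartEntry:
    key: str      # registry key the value was found under
    name: str     # value name (the autostart entry's label)
    command: str  # full command line after .reg unescaping
    exe: str      # executable path extracted from the command line


@dataclass
class Finding:
    entry: AutostartEntry
    reasons: list = field(default_factory=list)


KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# .reg string values escape backslashes and quotes with a backslash.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<val>(?:[^"\\]|\\.)*)"$')


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def _exe_from_command(cmd):
    """Return the executable path: the quoted token if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_reg_export(text):
    """Parse Run/RunOnce values from `reg export` output into AutostartEntry records."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            cmd = _unescape(m.group("val"))
            entries.append(AutostartEntry(key, _unescape(m.group("name")), cmd, _exe_from_command(cmd)))
    return entries


# Assumption: path fragments a standard user can write to without elevation.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Assumption: usual install directories for names malware likes to borrow.
EXPECTED_DIRS = {
    "firefox.exe": ("c:\\program files\\mozilla firefox\\", "c:\\program files (x86)\\mozilla firefox\\"),
    "chrome.exe": ("c:\\program files\\google\\chrome\\application\\",
                   "c:\\program files (x86)\\google\\chrome\\application\\"),
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
}


def audit_entries(entries):
    """Return a Finding for every entry that trips at least one heuristic."""
    findings = []
    for e in entries:
        path = e.exe.lower()
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("executable lives in a user-writable directory")
        base = path.rsplit("\\", 1)[-1]
        if base in EXPECTED_DIRS and not path.startswith(EXPECTED_DIRS[base]):
            reasons.append(f"{base} outside its expected install directory")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


# Constructed .reg export; user, vendor and file names are invented for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="\"C:\\Program Files\\ExampleVendor\\tray.exe\" /silent"
"Updater"="C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\firefox.exe"
"Sync"="C:\\Users\\alice\\AppData\\Local\\Temp\\sync.exe -q"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Stage2"="\"C:\\Users\\alice\\Downloads\\report.exe\""
'''

if __name__ == "__main__":
    for f in audit_entries(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{f.entry.key}\\{f.entry.name}: {f.entry.exe}")
        for reason in f.reasons:
            print("   -", reason)
```

Run keys are one of several autostart locations (scheduled tasks, services and the Startup folder are others), so this audit covers the mechanism the article describes rather than every place a staged payload could be registered.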

APT30 Attacks and Malware Campaigns Like CREAMSICLE

APT30 campaigns involving threats like CREAMSICLE rarely target individual computer users, and CREAMSICLE is not deployed randomly against the public. Instead, campaigns involving CREAMSICLE are generally highly focused operations designed to infiltrate a specific target. The targets chosen by APT30, and possibly by the Chinese government, are generally associated with the military, government infrastructure, industry or critical infrastructure; journalists and the media are also targeted. APT30 operations have been reported since 2005 and have grown steadily in sophistication and resources. These attacks have involved a large number of malware threats, including components such as MILKMAID, ORANGEADE droppers, BACKBEND, GEMCUTTER downloaders and many others, all of which have been developed and steadily improved over the last ten years. The main targets of APT30 attacks appear to be countries in Asia, particularly Southeast Asia and the Middle East. The following are some of the countries targeted by these attacks:

India
Malaysia
Vietnam
Thailand
South Korea
Nepal
Bhutan
Philippines
Singapore
Saudi Arabia
Indonesia
Japan
Brunei
Myanmar
Laos
Cambodia

The CREAMSICLE malware appears to have been developed specifically for attacks on Indian infrastructure, although nothing prevents APT30 from deploying it against targets in other locations. Despite the clear connections between APT30 attacks and Chinese interests, the Chinese government has denied any connection to APT30 or to malware attacks involving CREAMSICLE and other threats developed by the group.
