MESSAGEMANIFOLD Malware Description
The MESSAGEMANIFOLD Malware is a newly discovered malware strain observed as part of the arsenal of an as-of-yet unidentified hacker group. The latest campaign that deployed the malware threat was leveraged against the Tibetan community, but earlier this year, in May 2020, MESSAGEMANIFOLD was observed targeting Taiwanese legislators.
The attack chain of the threat begins with the dissemination of highly targeted spear-phishing emails. To elicit the maximum amount of engagement from the selected targets, the emails were crafted to appear as invitations to activities important for the Tibetan community, such as conferences. The body of the emails contained one or two Google Drive links which initiated a download of corrupted executables bearing the name 'dalailama-Invitations.exe.' The files acted as first-stage droppers - upon execution, a fake Windows error message is displayed to take the attention away from the fact that a second executable is being dropped in the 'C:\users|Public' folder. Connection with the Command-and-Control (C2, C&C) infrastructure is established through HTTP POST requests. Infosec researchers determined that a specific response from the C2 server may be required before the malware can proceed to the next stage of infection.
The two campaigns observed to involve the MESSAGEMANIFOLD Malware display quite a lot of overlaps between each other, suggesting that the same group of hackers is responsible for both of them. For example, all of the domains involved in the campaigns were hosted on AS 42331 (PE Freehost) and AS 42159 (Zemlyaniy Dmitro Leonidovich), available for purchase through Deltahost, a Ukrainian hosting provider. Taking the email address 'email@example.com' that was used to register the two C2 domains led the researchers at Insikt Group to the discovery of three additional Tibet-themed domains - in-tibet.net, mail-tibet.net, and dalailama.online. All of the uncovered domains were registered through the same domain reseller - Domenburg.
The peculiar aspects of the two attack campaigns support the conjecture that the group of hackers behind them could be state-sponsored. Indeed, the highly-targeted nature of the victims, the low volume of operations attributed to the group, and the apparent lack of financial motivation support that theory. Furthermore, the strategic significance of the targets and the fact that both Taiwan and the Tibetan region have long been points of concentrated Chinese interests could also be an important clue when determining the hackers' allegiances.