
Sepulcher Malware

Sepulcher Malware is the name given to a new malware family that has been observed being delivered as the payload in two separate attack campaigns. The first campaign used COVID-19 related lures to trick recipients into opening a malware-laced email attachment and was aimed at various European entities, ranging from non-profit policy research organizations to diplomatic and legislative institutions, as well as global organizations dealing with economic affairs. The second phishing campaign carrying Sepulcher targeted Tibetan dissidents. Despite the radically different nature of the two target groups, researchers discovered connections between the two campaigns, such as operator email accounts that had previously been used by Chinese APT (Advanced Persistent Threat) groups. In fact, there is consistent evidence that the culprit behind both attack campaigns is a Chinese hacker group called TA413.

The Sepulcher Malware is Distributed through Phishing Emails

In the attack against the European organizations, TA413 decided to take advantage of the confusion and uncertainty around the COVID-19 pandemic and crafted the corrupted emails to mimic the WHO's (World Health Organization) 'Critical preparedness, readiness and response actions for COVID-19, Interim guidance' document. The phishing emails carried a corrupted RTF file that, when opened, exploited a Microsoft Equation Editor vulnerability to drop an RTF object disguised as a Windows Metafile (WMF) into a predetermined location, %\AppData\Local\Temp\wd4sx.wmf. Execution of the WMF file results in the delivery of the Sepulcher payload to the infected machine.

In the phishing attack against Tibetan-related entities, TA413 used a compromised PowerPoint show (PPSX) file named 'TIBETANS BEING HIT BY DEADLY VIRUS THAT CARRIES A GUN AND SPEAKS CHINESE.ppsx.' When executed, the ppsx file initiates a connection to the IP address IP and downloads the Sepulcher malware payload named 'file.dll.' Upon being saved on the compromised system, the payload file is renamed to 'credential.dll.'

The Sepulcher Malware is a Potent RAT 

While the Sepulcher malware may not employ any never-before-seen technology, it is still a threatening Remote Access Trojan (RAT) equipped with numerous data-collecting and system-manipulation functions. When the corrupted email attachment is executed, it drops a file named 'wd4sx.wmf' that contains the Sepulcher Malware payload and a payload dropper. The dropper takes the form of a temporary file named 'OSEB979.tmp,' and its role is to write the Sepulcher malware as 'credential.dll' to %AppData%\Roaming\Identities\Credential.dll. The malware achieves persistence by registering a scheduled task that uses rundll32.exe to call the DLL's 'GetObjectCount' export, through the command:

schtasks /create /tr "rundll32.exe %APPDATA%\Identities\Credential.dll,GetObjectCount" /tn "lemp" /sc HOURLY
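
The persistence mechanism above leaves a distinctive footprint: a scheduled task whose action is rundll32.exe loading a DLL from a user-writable profile directory. The following Python script is an added detection example written for this page; it is not code from the original article, from the researchers, or from the malware. It takes process command lines (the constructed sample lines below mimic what endpoint telemetry such as Sysmon Event ID 1 would record; only the first is modelled on the schtasks command quoted above), unwraps the target of any schtasks /create /tr invocation, and flags rundll32 loads from %APPDATA%, %TEMP% or a user profile path, which legitimate software rarely does.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample command lines for this example (not real host telemetry).
# Index 0 mirrors the scheduled-task command described on this page; the rest are
# benign look-alikes that a detection must not flag.
SAMPLE_COMMAND_LINES = [
    r'schtasks /create /tr "rundll32.exe %APPDATA%\Identities\Credential.dll,GetObjectCount" /tn "lemp" /sc HOURLY',
    r'schtasks /create /tr "C:\Program Files\Vendor\updater.exe" /tn "VendorUpdate" /sc DAILY',
    r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL',
    r'rundll32.exe C:\Users\alice\AppData\Roaming\Identities\Credential.dll,GetObjectCount',
]

# Locations a normal user can write to; a DLL persisted here and loaded by
# rundll32 is a strong signal regardless of the file name used.
USER_WRITABLE = re.compile(
    r'(%APPDATA%|%LOCALAPPDATA%|%TEMP%|\\AppData\\|\\Temp\\|\\Users\\[^\\]+\\)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    command_line: str
    suspicious: bool = False
    context: List[str] = field(default_factory=list)


def rundll32_dll_path(cmd: str) -> Optional[str]:
    """Return the DLL path passed to rundll32, or None if cmd is not a rundll32 call.

    rundll32 takes '<dll>,<export> [args]', splitting on the first comma.
    """
    m = re.search(r'(?:^|\s|\\)rundll32(?:\.exe)?\s+(.+)$', cmd, re.IGNORECASE)
    if not m:
        return None
    arg = m.group(1).strip().strip('"')
    return arg.split(',', 1)[0].strip()


def analyze_command_line(cmd: str) -> Finding:
    """Classify one process command line; schtasks /tr targets are unwrapped first."""
    finding = Finding(command_line=cmd)
    target = cmd
    if re.match(r'\s*schtasks(?:\.exe)?\b', cmd, re.IGNORECASE):
        m = re.search(r'/tr\s+"([^"]*)"', cmd, re.IGNORECASE)
        if m:
            target = m.group(1)
            finding.context.append('registered as a scheduled task via schtasks /create')
    dll = rundll32_dll_path(target)
    if dll is None:
        return finding
    if USER_WRITABLE.search(dll):
        finding.suspicious = True
        finding.context.append(f'rundll32 loads a DLL from a user-writable path: {dll}')
    return finding


def scan(command_lines) -> List[Finding]:
    """Return only the findings that warrant analyst attention."""
    return [f for f in map(analyze_command_line, command_lines) if f.suspicious]


if __name__ == '__main__':
    for f in scan(SAMPLE_COMMAND_LINES):
        print('SUSPICIOUS:', f.command_line)
        for line in f.context:
            print('   -', line)
```

Running it flags two of the four sample lines: the scheduled-task creation and the direct rundll32 load from a user's AppData folder, while the vendor updater task and the System32 DLL load pass. In production the same rule is worth applying both to process-creation telemetry and to a periodic inventory of existing scheduled tasks, since the task persists after the initial schtasks process has exited.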

The Sepulcher Malware connects to the IP address through three different ports - 80, 443, and 8080. Upon receiving specific commands, the Sepulcher Malware can start collecting data from the infected system, create a reverse command shell, as well as manipulate files and directories. Among the information gathered by the Sepulcher Malware are details about the drives connected to the compromised device, directory paths, running processes, services and file information.
