
Chinese Threat Group used New Cyber Espionage Weapon on Southeast Asian Government

June 2021 by Check Point

Check Point Research (CPR) warns of a new cyber espionage weapon in use by a Chinese threat group, after identifying and blocking an ongoing surveillance operation against a Southeast Asian government. Over the course of three years, the attackers developed a previously unknown Windows backdoor, deployed on the personal computers of victims, that gives the operators live-espionage capabilities such as taking screenshots, editing files and running commands.

• Attackers began by sending weaponized documents, impersonating other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs
• Attackers developed, tested and deployed a new cyber espionage weapon, specifically a Windows backdoor with the internal name “VictoryDll_x86.dll”, capable of collecting nearly any information the attackers want
• Surveillance operation placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times

Check Point Research (CPR) has identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. The attackers, believed by CPR to be a Chinese threat group, systematically sent weaponized documents impersonating other entities within the same government to multiple members of the target government's Ministry of Foreign Affairs. CPR assesses that the purpose of the operation is espionage, carried out by installing a previously unknown backdoor on the Windows personal computers of victims. Once the backdoor is installed, the attackers can collect nearly any information they want, take screenshots and execute additional malware on the target's personal computer. CPR's investigation revealed that the attackers had been testing and refining their Windows backdoor for at least the past three years.

Infection Chain

At a high level, the infection chain can be summarized in the following steps:
1. The victim receives an e-mail with an attached document, purportedly sent by another ministry or commission of the same government
2. Opening the document triggers a chain of events that eventually fetches the backdoor
3. The backdoor collects whatever information the attackers want, including the list of files and running programs on the PC, and gives the actor remote access

The Previously Unknown Backdoor

Over the course of three years, the attackers developed a new backdoor, a type of malware that bypasses normal authentication to give the attacker access to a system. The backdoor module, with the internal name "VictoryDll_x86.dll", is custom malware whose capabilities include, among others, the ability to:

• Delete/Create/Rename/Read/Write Files and get files attributes
• Get processes and services information
• Get screenshots
• Pipe Read/Write - run commands through cmd.exe
• Create/Terminate Process
• Get TCP/UDP tables
• Get registry keys info
• Get titles of all top-level windows
• Get victim’s personal computer information - computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number) and type of user
• Shutdown PC

Attribution

CPR attributes the ongoing surveillance operation, with medium-to-high confidence, to a Chinese threat group, based on the following artifacts and indicators:
• The command and control (C&C) servers were responsive only between 01:00 and 08:00 UTC, which we believe corresponds to working hours in the attackers' country; this narrows the range of possible origins of the attack.
• The C&C servers returned no payload (even during working hours) between May 1st and May 5th, the Labor Day holidays in China.
• Some test versions of the backdoor contained an internet connectivity check against www.baidu.com, a leading Chinese website.
• The RoyalRoad RTF exploit kit, used to weaponize the documents in the attack, is associated mostly with Chinese APT groups.
• Some test versions of the backdoor from 2018 were uploaded to VirusTotal from China.

Avoiding Detection

The surveillance operation placed significant effort into avoiding detection:
• For one, the command and control server operated only in a limited daily window, which correlates with working hours in China, and the infrastructure was changed multiple times throughout the campaign
• Furthermore, the backdoor malware had been in development since 2017, and over time it was split into multiple stages in order to hinder analysis and detection
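The working-hours and holiday observations in the Attribution section, and the limited daily C&C window described just above, are a temporal-analysis technique that an analyst can reproduce from beacon logs. The following is an added example, not Check Point's code or data: the beacon log is constructed for illustration (one implant poll per hour, marked with whether the C&C answered with a payload), and the 09:00-18:00 local working day and the Chinese Labor Day 2021 calendar are assumptions used to test the hypothesis the article states. The code derives the active UTC window, the days on which the server went silent, and the whole-hour UTC offsets under which that window would be an ordinary working day.

```python
"""
Temporal analysis of C&C responsiveness as an attribution signal.

Added example, not Check Point's code. It reproduces the reasoning in the
article (a C&C that only serves payloads inside a fixed daily UTC window and
goes silent on a national holiday) over a constructed beacon log.
"""
from datetime import date, datetime
from typing import Dict, List, Tuple

# Constructed sample log, not data from the real campaign: one implant poll
# per hour. Each row is a UTC date followed by 24 characters, one per hour,
# 'P' when the C&C returned a payload and '-' when it answered with nothing.
BEACON_LOG = """\
2021-04-28 -PPPPPPP----------------
2021-04-29 -PPPPPPP----------------
2021-04-30 -PPPPPPP----------------
2021-05-01 ------------------------
2021-05-02 ------------------------
2021-05-03 ------------------------
2021-05-04 ------------------------
2021-05-05 ------------------------
2021-05-06 -PPPPPPP----------------
2021-05-07 -PPPPPPP----------------
"""

# Assumed holiday calendar for the hypothesis under test (China, Labor Day 2021).
CN_LABOR_DAY_2021 = {date(2021, 5, d) for d in range(1, 6)}


def parse_log(text: str) -> List[Tuple[datetime, bool]]:
    """Turn the compact per-day rows into (poll time, payload returned) records."""
    records = []
    for row in text.strip().splitlines():
        day, hours = row.split()
        if len(hours) != 24:
            raise ValueError(f"expected 24 hourly slots in {row!r}")
        d = date.fromisoformat(day)
        for hour, mark in enumerate(hours):
            records.append((datetime(d.year, d.month, d.day, hour), mark == "P"))
    return records


def payload_hours(records) -> List[int]:
    """UTC hours (0-23) in which the C&C ever returned a payload."""
    return sorted({ts.hour for ts, served in records if served})


def daily_window(records) -> Tuple[int, int]:
    """Inclusive UTC hour range of payload delivery, e.g. (1, 7) for 01:00-07:59."""
    hours = payload_hours(records)
    if not hours:
        raise ValueError("C&C never served a payload")
    return hours[0], hours[-1]


def silent_days(records) -> List[date]:
    """Dates on which implants polled but the C&C returned no payload at all."""
    served_by_day: Dict[date, bool] = {}
    for ts, served in records:
        served_by_day[ts.date()] = served_by_day.get(ts.date(), False) or served
    return sorted(d for d, served in served_by_day.items() if not served)


def candidate_utc_offsets(hours: List[int], workday=(9, 18)) -> List[int]:
    """Whole-hour UTC offsets under which every payload hour falls inside a
    local working day workday[0] <= hour < workday[1]. Several offsets usually
    fit, and each offset covers several countries, so this narrows the origin
    rather than proving it; it is one signal to combine with the others."""
    start, end = workday
    return [offset for offset in range(-12, 15)
            if all(start <= (h + offset) % 24 < end for h in hours)]


def holiday_overlap(days: List[date], holidays) -> bool:
    """True when the silent days coincide exactly with the assumed holiday set."""
    return set(days) == set(holidays)


if __name__ == "__main__":
    recs = parse_log(BEACON_LOG)
    lo, hi = daily_window(recs)
    print(f"payloads served only {lo:02d}:00-{hi:02d}:59 UTC")
    print("silent days:", [d.isoformat() for d in silent_days(recs)])
    print("working-day-consistent UTC offsets:", candidate_utc_offsets(payload_hours(recs)))
    print("silence matches CN Labor Day 2021:", holiday_overlap(silent_days(recs), CN_LABOR_DAY_2021))
```

On the constructed log this yields a 01:00-07:59 UTC window, five silent days that match the assumed holiday set exactly, and UTC+8, +9 and +10 as offsets consistent with a nine-to-six working day. The ambiguity in the last result is the point of the caveat in the article: the time window alone only limits the range of origins, and it is the combination with the holiday gap, the baidu.com connectivity check, the RoyalRoad exploit kit and the VirusTotal submissions that supports the attribution.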

“All the evidence points to the fact that we are dealing with a highly-organized operation that placed significant effort into remaining under the radar. Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try and create a foothold into the Ministry of Foreign Affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs. All in all, the attackers, who we believe to be a Chinese threat group, were very systematic in their approach,” said Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software.

“Ultimately, our investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, that the Chinese threat group has been developing since 2017. The backdoor was formed and reformed time and time again over the course of three years, before it was used in the wild. This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer. We learned that the attackers are not only interested in cold data, but also what is happening on target’s personal computer at any moment, resulting in live espionage. Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyber espionage weapon on other targets around the world.”
