Check Point Research has identified an ongoing surveillance operation against a Southeast Asian government that deployed spyware on Windows systems while staying under the radar for more than three years.

“In this campaign, the attackers utilized a set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor on victims’ machines,” researchers from Check Point Research said in a report published today.

The investigation began with a campaign of malicious DOCX documents sent to various employees of a government entity in Southeast Asia. In some cases the emails were spoofed to appear to come from other government-related entities. The attachments are weaponized copies of legitimate-looking official documents that use the remote template technique: the DOCX itself carries no exploit, but references an external template that Word fetches when the file is opened, and that template, served from the attacker’s server, delivers the next stage.

Image: Check Point Research

The final link in the chain is the loader, which connects to the remote server to download, decrypt, and execute the implant, dubbed “VictoryDll_x86.dll.” The backdoor can perform file operations, capture screenshots, create and terminate processes, and even shut down the infected machine.


Check Point said the adversary put significant effort into concealing its activity, changing its infrastructure multiple times since the backdoor’s development in 2017, while the backdoor itself went through several revisions to make it more resistant to analysis and to lower detection rates at each stage.

The long-running campaign has been linked with “medium to high confidence” to a Chinese advanced persistent threat (APT) group the researchers call “SharpPanda,” based on test versions of the backdoor dating back to 2018 that were uploaded to VirusTotal from China, and on the actor’s use of the Royal Road RTF weaponizer, a tool that has been used in campaigns attributed to well-known Chinese threat groups since late 2018.


Several other clues point to the same conclusion: the command-and-control (C2) servers returned payloads only between 01:00 and 08:00 UTC, which the researchers suspect corresponds to working hours in the attackers’ country, and no payloads were returned between May 1 and 5, even during those hours, which coincides with the Labor Day holiday in China.
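The reasoning in that paragraph is a timing analysis: bucket C2 responses by hour, look for multi-day silences, and ask which UTC offsets would map the active window onto an ordinary workday. The following is an added example, not Check Point’s analysis code, run over a constructed response log that reproduces the pattern described (hourly responses at 01:00–07:00 UTC from 26 April to 9 May 2021, nothing on 1–5 May, plus one stray midday hit); the dates, the 5% noise threshold and the 09:00–17:00 workday are assumptions made for the illustration.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone


def active_hours(timestamps, min_fraction=0.05):
    """Bucket C2 responses by UTC hour and return the hours that carry at
    least min_fraction of all responses, so one-off stray hits drop out."""
    counts = Counter(ts.astimezone(timezone.utc).hour for ts in timestamps)
    total = sum(counts.values())
    return sorted(h for h, n in counts.items() if n / total >= min_fraction)


def silent_days(timestamps, first=None, last=None):
    """Return every UTC calendar day in [first, last] (default: the span of
    the log) on which the server returned nothing at all."""
    seen = sorted({ts.astimezone(timezone.utc).date() for ts in timestamps})
    first = first or seen[0]
    last = last or seen[-1]
    gaps, day = [], first
    while day <= last:
        if day not in seen:
            gaps.append(day)
        day += timedelta(days=1)
    return gaps


def candidate_utc_offsets(hours, work_start=9, work_end=17):
    """Whole-hour UTC offsets for which every active hour lands inside a
    local workday of work_start..work_end inclusive (assumed 09:00-17:00)."""
    offsets = []
    for off in range(-12, 15):
        local = [(h + off) % 24 for h in hours]
        if all(work_start <= lh <= work_end for lh in local):
            offsets.append(off)
    return offsets


def constructed_c2_log():
    """Constructed sample, not real telemetry: one response per hour at
    01:00-07:00 UTC from 26 Apr to 9 May 2021, none on 1-5 May, plus a single
    stray 12:05 hit that the threshold in active_hours() should filter out."""
    events, day = [], date(2021, 4, 26)
    while day <= date(2021, 5, 9):
        if not date(2021, 5, 1) <= day <= date(2021, 5, 5):
            for hour in range(1, 8):
                events.append(datetime(day.year, day.month, day.day, hour, 30, tzinfo=timezone.utc))
        day += timedelta(days=1)
    events.append(datetime(2021, 4, 28, 12, 5, tzinfo=timezone.utc))
    return events


if __name__ == "__main__":
    log = constructed_c2_log()
    hours = active_hours(log)
    print("active UTC hours:", hours)
    print("silent days:", [str(d) for d in silent_days(log)])
    print("UTC offsets that make this a 9-to-5 workday:", candidate_utc_offsets(hours))
```

On this data the active window is 01:00–07:00 UTC, the silence is exactly 1–5 May, and only offsets +8 to +10 map the window into a 09:00–17:00 workday; that is consistent with the report’s inference but, as with any timing-based attribution, it is a supporting clue rather than proof, since an operator can schedule a server to mimic any time zone.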

The development is yet another indication that multiple threat groups believed to be working in support of China’s long-term economic interests continue to hammer away at networks belonging to governments and organizations, while spending a great deal of time refining their tooling to hide their intrusions.