Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign
Quote: An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said – using a previously unknown espionage malware.
 
According to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.
 
The documents were “sent to different employees of a government entity in Southeast Asia,” according to the Check Point analysis. “In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
 
The malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802). The RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.
 
“To decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulting DLL file is saved as 5.t in the %Temp% folder,” researchers said. “The shellcode is also responsible for the persistence mechanism – it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.”
 
The .DLL gathers data on the victim’s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers’ command-and-control server (C2) via GET HTTP request method. After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called “Victory.” It “appears to be a custom and unique malware,” according to Check Point.

Read more: Novel 'Victory' Backdoor Spotted in Chinese APT Campaign | Threatpost
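As an added example (not from the post or from Check Point's analysis), the following Python check parses Task Scheduler XML of the kind stored under %SystemRoot%\System32\Tasks and flags a task shaped like the persistence described above: rundll32.exe loading a non-.dll file from a temp folder and calling export StartW under the name Windows Update. The sample task XML and the victim paths in it are constructed.

```python
"""Flag scheduled tasks that match the rundll32/StartW persistence pattern."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed samples in the Task Scheduler XML format. The first mimics the
# task described in the article; the second is a benign comparison task.
SAMPLE_TASKS = {
    "Windows Update": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval>
  </ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>rundll32.exe</Command>
    <Arguments>C:\\Users\\victim\\AppData\\Local\\Temp\\5.t,StartW</Arguments></Exec></Actions>
</Task>""",
    "Backup Nightly": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command>
    <Arguments>--nightly</Arguments></Exec></Actions>
</Task>""",
}

# Matches %Temp% or a \Temp\ / \Tmp\ path component in the DLL path.
TEMP_DIR = re.compile(r"(%temp%|\\(temp|tmp)\\)", re.IGNORECASE)


def suspicious_reasons(name: str, task_xml: str) -> list[str]:
    """Return why a task looks like the described persistence (empty list if clean)."""
    reasons = []
    root = ET.fromstring(task_xml)
    for exec_el in root.iterfind(".//t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", "", NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", "", NS) or "").strip()
        if not cmd.lower().endswith("rundll32.exe"):
            continue
        # rundll32 syntax is "<dll>,<export>": split off the export it calls
        dll, _, export = args.partition(",")
        if TEMP_DIR.search(dll):
            reasons.append(f"rundll32 loads a module from a temp folder: {dll}")
        if not dll.lower().endswith(".dll"):
            reasons.append(f"loaded module has a non-.dll extension: {dll}")
        if export.strip() == "StartW":
            reasons.append("calls export StartW, as in the described chain")
    if reasons and name.lower() == "windows update":
        reasons.append("task name impersonates Windows Update")
    return reasons


def scan_tasks(tasks: dict[str, str]) -> dict[str, list[str]]:
    """Map each flagged task name to its reasons; clean tasks are omitted."""
    return {n: r for n, x in tasks.items() if (r := suspicious_reasons(n, x))}
```

On a live host the same function can be fed the XML files read from the Tasks directory instead of SAMPLE_TASKS.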