The attacks begin with the distribution of fake documents on behalf of government agencies to employees of the Ministry of Foreign Affairs
Security researchers at Check Point Research have identified an ongoing cyber-espionage campaign, allegedly linked to China, in which attackers target government agencies in Southeast Asia to deploy spyware on Windows systems. According to the researchers, the attackers went unnoticed for more than three years.
The attacks begin with the distribution of fake documents, sent in the name of other government agencies, to employees of the Ministry of Foreign Affairs. Once opened, the document drops a loader onto the system. The loader collects system information and transmits it to a remote C&C server, which in turn replies with a shellcode downloader.
The downloader then connects to the remote server to fetch, decrypt and execute the VictoryDll_x86.dll implant, a backdoor capable of performing file operations, taking screenshots, creating and terminating processes, and even shutting down the infected system.
According to the researchers, the attackers have gone to considerable lengths to hide their activity, changing their infrastructure several times since the tooling was first developed in 2017. The backdoor, in turn, has gone through a series of revisions intended to make it more resistant to analysis and to reduce the detection rate at every stage of the infection chain.
The researchers believe the campaign may be linked to the Chinese threat group SharpPanda. The conclusion rests on test versions of the backdoor from 2018 that were uploaded to VirusTotal from China, as well as on the use of the RoyalRoad RTF weaponizer, a tool shared among several Chinese APT groups.
In addition, the C&C server only returned the payload between 01:00 and 08:00 UTC, which corresponds to 09:00 to 16:00 in UTC+8, China's time zone, and is presumably the attackers' working day. Also, from May 1 to May 5 the C&C servers showed no malicious activity even during those hours, which coincides with the Labor Day holiday in China.
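The working-hours inference described above can be reproduced mechanically from C&C observation logs. The following Python example is added here and is not Check Point's code: it takes constructed log lines (timestamp, source IP, HTTP status, response size) from repeated probes of a C&C server, records the UTC hours in which a payload was actually served, lists the UTC offsets under which those hours fall inside a local 09:00 to 17:00 workday, and flags days on which the server stayed silent during its usual active window. The log format, IP addresses and payload size are assumptions for illustration.

```python
"""Infer an attacker's working day from C&C server response timing.

Added example, not part of the original article or of Check Point's tooling.
All log lines below are constructed; the format is an assumption:
    <ISO-8601 UTC timestamp> <source IP> <HTTP status> <response bytes>
A payload counts as served when the status is 200 and the body is non-empty.
"""
from collections import defaultdict
from datetime import date, datetime, timezone

# Constructed probe log: one probe every few hours over several days.
# 2021-05-03 is a day on which the server answered but served nothing.
RAW_LOG = """\
2021-04-29T00:30:00Z 198.51.100.7 200 0
2021-04-29T03:30:00Z 198.51.100.7 200 48212
2021-04-29T07:30:00Z 198.51.100.7 200 48212
2021-04-29T09:30:00Z 198.51.100.7 200 0
2021-04-30T00:30:00Z 198.51.100.7 200 0
2021-04-30T03:30:00Z 198.51.100.7 200 48212
2021-04-30T07:30:00Z 198.51.100.7 200 48212
2021-04-30T09:30:00Z 198.51.100.7 200 0
2021-05-03T00:30:00Z 198.51.100.7 200 0
2021-05-03T03:30:00Z 198.51.100.7 200 0
2021-05-03T07:30:00Z 198.51.100.7 200 0
2021-05-03T09:30:00Z 198.51.100.7 200 0
2021-05-06T00:30:00Z 198.51.100.7 200 0
2021-05-06T03:30:00Z 198.51.100.7 200 48212
2021-05-06T07:30:00Z 198.51.100.7 200 48212
2021-05-06T09:30:00Z 198.51.100.7 200 0
"""


def parse_log(text):
    """Return a list of (utc_datetime, served) tuples from the constructed log."""
    observations = []
    for line in text.strip().splitlines():
        ts, _src, status, size = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        served = status == "200" and int(size) > 0
        observations.append((when, served))
    return observations


def served_hours_utc(observations):
    """Sorted list of UTC hours in which at least one payload was served."""
    return sorted({when.hour for when, served in observations if served})


def workday_offsets(hours_utc, start=9, end=17):
    """Whole-hour UTC offsets (-12..+14) under which every served hour lands
    inside a local [start, end) workday. A small list of candidate offsets is
    the evidence an analyst then cross-checks against other indicators."""
    return [
        offset
        for offset in range(-12, 15)
        if all(start <= (hour + offset) % 24 < end for hour in hours_utc)
    ]


def silent_days(observations, active_hours):
    """Days with probes inside the active window but no payload served,
    the pattern the article reports for the Labor Day holiday."""
    per_day = defaultdict(lambda: [0, 0])  # date -> [probes in window, served]
    for when, served in observations:
        if when.hour in active_hours:
            per_day[when.date()][0] += 1
            per_day[when.date()][1] += int(served)
    return sorted(day for day, (probes, hits) in per_day.items() if probes and hits == 0)


if __name__ == "__main__":
    obs = parse_log(RAW_LOG)
    hours = served_hours_utc(obs)
    print("payload served at UTC hours:", hours)
    print("offsets giving a 09:00-17:00 workday:", workday_offsets(hours))
    print("silent days inside the active window:", silent_days(obs, set(hours)))
    # The article's own window, 01:00-08:00 UTC, narrows the candidates further.
    print("offsets for the reported 01:00-08:00 UTC window:", workday_offsets(range(1, 8)))
```

Two caveats apply before treating such a result as attribution. A handful of probes only bounds the active window coarsely, so the candidate offsets stay a range rather than a single time zone (the reported 01:00 to 08:00 UTC window is compatible with both UTC+8 and UTC+9). And a server's response schedule is under the attacker's control and can be faked or run through a proxy in another region, so timing is supporting evidence alongside artefacts such as the VirusTotal submissions and the RoyalRoad builder, not proof on its own.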