Experts at Palo Alto Networks have discovered a new malware family named Reaver with ties to hackers who use the SunOrcal malware.
A China-linked cyber espionage group has developed a new strain of malware, dubbed Reaver, that was already observed in highly targeted attacks during 2016.
The malware was analyzed by experts at Palo Alto Networks, who spotted ten different samples belonging to three different versions of the malicious code.
The Chinese cyberspies deliver the malware Windows Control Panel (CPL) files, a technique not common in the threat landscape, according to Palo Alto Networks only 0.006% of the malware is using this method.
“Unit 42 has discovered a new malware family we’ve named “Reaver” with ties to attackers who use SunOrcal malware. SunOrcal activity has been documented to at least 2013, and based on metadata surrounding some of the C2s, may have been active as early as 2010.” reads the analysis published by Palo Alto Networks.
“The new family appears to have been in the wild since late 2016 and to date we have only identified 10 unique samples, indicating it may be sparingly used. Reaver is also somewhat unique in the fact that its final payload is in the form of a Control panel item, or CPL file. To date, only 0.006% of all malware seen by Palo Alto Networks employs this technique, indicating that it is in fact fairly rare.”
The analysis of the infrastructure used by the threat actor behind the Reaver malware revealed a link to the SunOrcal malware used by China-linked attackers in campaigns that targeted the January 2016 presidential election in Taiwan.
The experts haven’t information about the intended targets of the Reaver attackers, previous reports suggest the threat actors primarily targeted the movements the Chinese government perceives as dangerous, so-called Five Poisons.
Five Poisons movements are:
- Uyghurs, particularly those supporting East Turkestan independence
- Tibetans, particularly those supportive of Tibetan independence
- Falun Gong practitioners
- Supporters of Taiwan independence
- Supporters of Chinese democracy
Starting in late 2016, the attackers used both families of malware concurrently and the same C2 infrastructure was used in the campaigns involving both malicious codes.
Threat actors behind the SunOrcal malware were known for the use of the Surtr RAT, which has been tied to weaponized document generators named HomeKit and Four Element Sword. The hacker group has been around since at least 2013, but further investigation suggests it may have been active since at least 2010.
The Reaver malware abuses the Control Panel utility in Windows, control.exe, to load the final payload. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 leverages a payload that uses raw TCP connections for network communication
Once Reaver infected a device, it first gathers information about the compromised system (CPU speed, computer name, username, IP, memory information and Windows version).
The Reaver malware is able to perform many other malicious activities, including reading and writing files, altering files and registries, and terminating processes, and modifying services.
Technical details about the Reaver malware are included in the report published by Palo Alto Networks, it also includes indicators of compromise (IoC) and details on the C&C infrastructure.