Chinese hackers use dangerous backdoor to deploy cyber spying campaign

Threat actors funded by the Chinese government are reportedly employing a new backdoor variant to run an ambitious cyber espionage campaign targeting other nation states. According to the experts at Check Point Research, this backdoor was designed, developed and operated to target a South Asian government that was not explicitly named.

This is Windows-based malware, and its infection chain begins with a spear phishing campaign in which the threat actors pose as other government agencies and send targeted users legitimate-looking documents loaded with malware.

If the victims interact with these files, an .RTF file built with a version of Royal Road is fetched remotely. Royal Road works by exploiting known flaws in the Microsoft Word Equation Editor, including those tracked as CVE-2017-11882 and CVE-2018-0798.

The researchers mention that Royal Road is a very popular tool among Chinese hacking groups: “These RTF documents typically contain shellcode and an encrypted payload used to create a scheduled task and launch sandbox evasion techniques, in addition to downloading the backdoor’s final payload.”
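As an added example (not from Check Point's report or this article), a triage check a defender could run over inbound RTF attachments: it decodes the hex-encoded OLE object streams embedded in an RTF and flags any that reference the Equation Editor component exploited by CVE-2017-11882 and CVE-2018-0798. The ProgID and CLSID are that component's well-known identifiers; the sample document is constructed here and contains no exploit; obfuscated RTF variants are not necessarily caught by this simple check.

```python
import re

# Stable identifiers of the Equation Editor OLE component (EQNEDT32.EXE) that
# CVE-2017-11882 and CVE-2018-0798 target: its ProgID, and its CLSID
# {0002CE02-0000-0000-C000-000000000046} in the byte order used inside OLE streams.
EQUATION_PROGID = b"equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02CE0200" "0000" "0000" "C000000000000046")

OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
OBJDATA_RE = re.compile(rb"\\objdata\b")
HEX_RUN_RE = re.compile(rb"[0-9A-Fa-f\s]+")


def extract_objdata_blobs(rtf: bytes) -> list:
    """Decode the ASCII-hex stream that follows each \\objdata control word.
    The run ends at the first byte that is neither hex nor whitespace."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        run = HEX_RUN_RE.match(rtf, m.end())
        if run is None:
            continue
        digits = re.sub(rb"\s+", b"", run.group(0))
        blobs.append(bytes.fromhex(digits[: len(digits) & ~1].decode("ascii")))
    return blobs


def triage_rtf(rtf: bytes) -> dict:
    """Report whether an RTF carries an embedded object tied to Equation Editor."""
    classes = [c.lower() for c in OBJCLASS_RE.findall(rtf)]
    blobs = extract_objdata_blobs(rtf)
    progid_hit = any(EQUATION_PROGID in c for c in classes) or any(
        EQUATION_PROGID in b.lower() for b in blobs)
    clsid_hit = any(EQUATION_CLSID_LE in b for b in blobs)
    return {
        "objdata_count": len(blobs),
        "equation_progid": progid_hit,
        "equation_clsid": clsid_hit,
        "suspicious": progid_hit or clsid_hit,
    }


# Constructed sample: an OLE1 object header naming Equation.3, followed by a
# fragment carrying the Equation Editor CLSID and zero padding. No exploit code.
_ole_blob = (bytes.fromhex("01050000" "02000000") + (11).to_bytes(4, "little")
             + b"Equation.3\x00" + bytes(8) + EQUATION_CLSID_LE + bytes(16))
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}{\*\objdata "
              + _ole_blob.hex().encode() + rb"}}\par Quarterly report attached.}")
BENIGN_RTF = rb"{\rtf1\ansi Quarterly report attached.\par}"
```

Running `triage_rtf` over a mail gateway's RTF attachments gives a cheap first-pass signal; a hit should be routed to sandbox detonation rather than treated as proof of compromise.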

The backdoor, identified as “VictoryDll_86.dll”, was developed to carry out spying and data theft tasks through a C&C server. Using this malicious tool, the attackers can read and delete arbitrary files, collect login credentials, execute commands via cmd.exe, and create or terminate running processes.

Once this step is completed, a connection is initiated with a C&C server that in turn is capable of directing additional attacks. The first-stage servers appear to be hosted in Hong Kong and Vietnam, while the backdoor server is hosted on the systems of a US-based firm.

The researchers attribute the backdoor to Chinese authors based on its particular operating hours, the use of the Royal Road tool, and earlier samples of the backdoor uploaded to VirusTotal that contained connectivity checks against Baidu’s website: “During the analysis we managed to block the surveillance operation against the target government, although it is possible that other similar operations will remain active at this time,” the experts conclude.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.