Security researchers have uncovered a previously undisclosed backdoor, dubbed ‘Victory’, in use by a Chinese APT campaign. Read on to know more about it…
The APT group tracked as SharpPanda is running a surveillance operation against a Southeast Asian government. The campaign delivers the Victory backdoor (also referred to as VictoryDll), which had not been publicly documented before. According to the researchers, the malware has been under development for roughly three years.
To gain initial access, the attackers send spear-phishing emails carrying malicious Word documents, according to Check Point Research. The documents rely on older, long-patched Microsoft Office vulnerabilities rather than any new flaw.
The malicious documents were sent to staff of a Southeast Asian government agency. Some of the emails are spoofed to appear to come from other government-related entities.
The attachments are weaponized copies of legitimate-looking official documents. Rather than carrying the exploit themselves, they use the remote template technique: the document references an external template, and Word fetches that template from the attacker’s server when the file is opened, which pulls in the next stage.
The remote template, fetched from one of several URLs, is an RTF file built with the RoyalRoad weaponizer, a tool for producing malicious documents that exploit flaws in Microsoft’s Equation Editor.
RoyalRoad is a tool that researchers believe is shared among numerous Chinese APT groups, including Tick, Tonto Team, and TA428. It generates weaponized RTF documents that target vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802). Because the exploit lives in the remotely fetched RTF and not in the emailed attachment, the attachment itself can look clean to a scanner that only inspects the delivered file.
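A practical triage check for the remote-template stage described above is to look inside the delivered .docx for an `attachedTemplate` relationship whose target is external and points at a network location. The script below is an added example, not code from the Check Point report or from the SharpPanda tooling: it builds a minimal, constructed .docx in memory that references a hypothetical template URL (`example.invalid` is a reserved name, not a real attacker server), then parses the relationship file that Word consults when resolving the template.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and relationship type used by Office Open XML for attached templates.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(template_url=None):
    """Construct a minimal .docx for the example (not a real lure document).

    If template_url is given, word/settings.xml points at an external
    attached template, which is exactly what the remote template technique
    relies on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types '
                    'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="%s"><w:body/></w:document>' % W_NS)
        if template_url is not None:
            zf.writestr("word/settings.xml",
                        '<w:settings xmlns:w="%s" xmlns:r="%s">'
                        '<w:attachedTemplate r:id="rId1"/></w:settings>' % (W_NS, R_NS))
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (RELS_NS, ATTACHED_TEMPLATE, template_url))
    return buf.getvalue()


def remote_template_targets(docx_bytes):
    """Return every external attachedTemplate target declared in the document."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Word stores the template reference in the rels file for settings.xml.
            if not name.endswith("/_rels/settings.xml.rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "Internal").lower() == "external"):
                    targets.append(rel.get("Target", ""))
    return targets


def is_network_template(target):
    """True when the template would be fetched over the network (URL or UNC path).

    Local file:// templates such as Normal.dotm are common in benign documents,
    so only http(s), ftp and UNC targets are flagged here.
    """
    scheme = target.split(":", 1)[0].lower() if ":" in target else ""
    return scheme in ("http", "https", "ftp") or target.startswith("\\\\")


def suspicious_templates(docx_bytes):
    """Targets that should trigger a closer look at the document."""
    return [t for t in remote_template_targets(docx_bytes) if is_network_template(t)]


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/templates/notice.dotm")
    print("flagged:", suspicious_templates(sample))
```

On a real mail stream the same check can be run against every Office attachment before delivery; a document that loads its template from an external host is unusual enough in most environments to justify quarantining it or at least detonating it in a sandbox that allows outbound HTTP, since the exploit only appears once the template is fetched.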
The RTF document generated by RoyalRoad contains shellcode and an encrypted payload. Once the exploit runs, the payload is decrypted with the RC4 algorithm using the key 123456 and the resulting DLL is dropped to disk. The key is a trivial one, so the embedded package can be recovered from the RTF for analysis without running the exploit.
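To show what that decryption step looks like in practice, here is an added example (not the group’s code and not from the Check Point analysis) that implements RC4 from scratch, decrypts a package with the weak key the report names, and checks whether the output looks like a PE file before trusting it. The encrypted package is constructed inline from a fake PE stub so the script runs offline; the list of candidate keys and the helper names are assumptions for the example.

```python
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling followed by the keystream generator.

    RC4 is symmetric, so the same call encrypts and decrypts.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check: MZ header and an e_lfanew that lands on a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for the dropped DLL: just enough header to pass looks_like_pe."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A)      # DOS header up to offset 0x3C
    hdr += struct.pack("<I", 0x40)             # e_lfanew -> PE header at 0x40
    hdr += b"PE\0\0" + b"\0" * 12              # PE signature plus padding
    return bytes(hdr)


def recover_payload(package: bytes, candidate_keys):
    """Try each key in turn and return (key, plaintext) for the first PE-shaped result.

    Mirrors how an analyst would treat a blob carved from a maldoc when the key is
    suspected to be trivial: decrypt, validate the structure, stop on a hit.
    """
    for key in candidate_keys:
        plain = rc4(key, package)
        if looks_like_pe(plain):
            return key, plain
    return None


# Constructed sample: encrypt the fake DLL with the key named in the report.
SAMPLE_PACKAGE = rc4(b"123456", build_fake_pe_stub())

# Assumed candidate list; a real triage would pull keys from the shellcode or a wordlist.
CANDIDATE_KEYS = [b"password", b"12345", b"123456"]


if __name__ == "__main__":
    hit = recover_payload(SAMPLE_PACKAGE, CANDIDATE_KEYS)
    if hit:
        key, dll = hit
        print("decrypted with key %r, %d bytes, PE header present" % (key, len(dll)))
    else:
        print("no candidate key produced a PE image")
```

The structure check matters more than it looks: RC4 with the wrong key still produces output of the right length, so without validating the result an automated pipeline will happily write garbage to disk and report success. Extending the candidate list to other weak keys seen in RoyalRoad samples is a one-line change.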
According to the Check Point analysis, the documents were “sent to different employees of a government entity in Southeast Asia.”
“In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate-looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
The backdoor module, known as Victory, is installed only after the multi-stage chain completes. It exfiltrates data and gives the attackers ongoing access to the victim’s computer.
It can take screenshots, manipulate files (delete, create, read, and rename them), collect information on the top-level open windows, and shut down the computer.
It can also enumerate TCP/UDP connection tables, read data from CD-ROM drives, query registry keys, and gather basic information about the victim’s system.
According to the Check Point analysis: “Searching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018.”
“The files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.”
The operation remained undetected for more than three years. The backdoor also uses anti-analysis and anti-debugging techniques to hinder inspection. Beyond running a reliable anti-malware solution on all connected devices, organizations should make sure the Equation Editor vulnerabilities RoyalRoad depends on are patched (or the legacy component removed), and should treat Office documents that load their template from an external host as suspicious, since that fetch is the step that brings the exploit onto the machine.