September 22, 2023

Researchers uncovered a new COVID-19 Campaign launching by Chinese based APT threat actors by taking advantage of the Coronavirus scare to deliver the unknown malware in Windows endpoints

This attack believed to initiated by the Long-running APT group that targets various government and private sectors, currents attack leverages the COVID-19 pandemic to infect the victims and trigger the infection across

Attackers also using suspicious RTF documents along with new hacking tools in this campaign to operate attack.

Collected evidence in this attack reveals that the RTF documents are weaponized using Royal Road, an RTF weaponizer that named by Anomali. Sometimes called “8.t RTF exploit builder which is mainly used here to exploit the Equation Editor vulnerabilities of Microsoft Word.

Few of the malicious documents were written in the Mongolian language, with one of them allegedly from the Mongolian Ministry of Foreign Affairs and the document contains information about the new Coronavirus infections.

Infection Vectors
Once the victim opens the malicious RTF document, the Microsoft Word vulnerability will be exploited, and the new file named intel.wll is dropped into the Word startup folder.

Infection process

This is one of the new versions of the RoyalRoad weaponizer persistence technique that helps to launch all the DLL files with a WLLextension in the Word Startup folder whenever the MS word application is launched by the victim and trigger the infection chain.

Also, this technique prevents and terminates the process of malware from running in the sandbox.

After the intel.wll DLL loaded, it proceeds to download and decrypt the next stage of the infection chain from the C2 server.

In this next stage also a DLL file that is uncovered as the main loader of this malware framework developed by the APT actors, to gain the additional functionality from the other C2 servers.

At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received.

Malware contains the RAT Module which contains the following core capabilities;

•Take a screenshot
•List files and directories
•Create and delete directories
•Move and delete files
•Download a file
•Execute a new process
•Get a list of all services
All the C&C servers were hosted on Vultr servers and the domains were registered via the GoDaddy registrar.

Keep up-to-date all AV components to protect from this scary RAT

Leave a Reply

%d bloggers like this: