Chinese Threat Actors using numerous Backdoors to steal info
Researcherd discovered, chinese based threat actors dubbed T428, are used specially crafted phishing emails and six different backdoors to break into and then steal confidential data from military and industrial groups, government agencies and other public institutions.
More than a dozen of organizations in several Eastern European countries, including Belarus, Russia, and Ukraine, and Afghanistan.
Researchees identified malware and C2 servers based in China, and added that this more recent series of attacks is highly likely to be an extension of an ongoing cyberespionage campaign, previously spotted by other research teams.
This specially-crafted attacks included confidential information about the victim org, it was easier for the attackers to trick some employees into opening the email and a Microsoft Word document attached to it. The Word doc contained malicious code, which exploited the CVE-2017-11882 vulnerability to deploy PortDoor malware on the infected machine without any additional user activity.
PortDoor malware is a relatively new backdoor believed to be developed by Chinese state sponsored groups that was also used in a 2021 phishing attack against a Russian-based defense contractor that designs nuclear submarines for the Russian Federation’s Navy.
Along with PortDoor, attackers used six other backdoors to control the infected systems and steal confidential data. Some of these (nccTrojan, Logtu, Cotx, and DNSep) have been previously attributed to TA428 and sixth backdoor, CotScam, is new as per researchers.
Once infected the initial computer, and moved laterally, using credentials stolen earlier in the attack to spread malware across other devices on the enterprise network and they used the Ladon hacking tool, which is reportedly popular among Chinese cybercriminals, as another indicator that TA42 is behind these espionage efforts.
Once after gaining admin privileges to the infected machines, the criminals manually searched for and selected files to steal that contained sensitive data about the victim organization before uploading these files to servers hosted in different countries. These servers then forwarded the private information to a stage-two server in China.
It is highly likely that similar attacks will occur again in the future. Industrial enterprises and public institutions should do a great deal of work to successfully thwart such attacks.