Dismiss this notice
ExpressVPN Valentines 2021 Giveaway - https://www.geeks.fyi/showthread.php?tid=14246

Dismiss this notice
Internet Download Manager Giveaway - https://www.geeks.fyi/showthread.php?tid=14245

Thread Rating:
  • 1 Vote(s) - 5 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign
#1
Information 
Quote:An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said – using a previously unknown espionage malware.
 
According to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese APT for at least three years.
 
The documents were “sent to different employees of a government entity in Southeast Asia,” according to the Check Point analysis. “In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
 
The malicious documents download a template from various URLs, according to the analysis, which are .RTF files embedded with the RoyalRoad weaponizer, also known as the 8.t Dropper/RTF exploit builder. RoyalRoad is a tool that researchers have said is part of the arsenal of several Chinese APTs, such as Tick, Tonto Team and TA428; it generates weaponized RTF documents that exploit vulnerabilities in Microsoft’s Equation Editor (CVE-2017-11882, CVE-2018-0798 and CVE-2018-0802). The RoyalRoad-generated RTF document contains an encrypted payload and shellcode, according to the analysis.
 
“To decrypt the payload from the package, the attacker uses the RC4 algorithm with the key 123456, and the resulted DLL file is saved as 5.t in the %Temp% folder,” researchers said. “The shellcode is also responsible for the persistence mechanism – it creates the scheduled task named Windows Update that should run the exported function StartW from 5.t with rundll32.exe, once a day.”
 
The .DLL gathers data on the victim’s computer including the OS name and version, user name, MAC addresses of networking adapters and antivirus information. All of the data is encrypted and then sent to the attackers’ command-and-control server (C2) via GET HTTP request method. After that, a multi-stage chain eventually results in the installation of the backdoor module, which is called “Victory.” It “appears to be a custom and unique malware,” according to Check Point.

Read more: Novel 'Victory' Backdoor Spotted in Chinese APT Campaign | Threatpost
[-] The following 1 user Likes silversurfer's post:
  • harlan4096
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username:


Password:





[-]
Recent Posts
Hackers Steal FIFA 21 Source Code, Tools...
Hackers have breac...silversurfer — 07:23
Cyberpunk 2077 Hacked Data Circulating O...
Earlier this year,...silversurfer — 07:21
Baby Clothes Giant Carter’s Leaks 410K C...
Baby clothes retai...silversurfer — 07:18
Monumental Supply-Chain Attack on Airlin...
A monster cyberatt...silversurfer — 07:16
Ashampoo Snap 12: A ‘limited-comparativ...
Wow! such a great r...jasonX — 03:46

[-]
Birthdays
Today's Birthdays
avatar (35)Julioagopy
Upcoming Birthdays
avatar (34)Tedscolo
avatar (41)brakasig
avatar (40)JamesReshy
avatar (42)Francisemefe
avatar (35)leoniDup
avatar (34)Patrizaancem
avatar (34)biobdam
avatar (35)storoBox
avatar (43)kinotHeemn
avatar (34)Ceballos1976
avatar (35)efynu
avatar (27)horancos

[-]
Online Staff
There are no staff members currently online.

>