Hackers target Russian govt with fake Windows updates pushing RATs – BleepingComputer


Hackers are targeting Russian government agencies with phishing emails that pretend to be Windows security updates and other lures to install remote access malware.

The attacks are being conducted by a previously undetected APT (advanced persistent threat) group believed to be operating from China, which is linked to four separate spear-phishing campaigns.

These operations ran between February and April 2022, coinciding with the Russian invasion of Ukraine, and targeted government entities of the Russian Federation.

In all four cases, the ultimate goal of the campaigns was to infect the targets with a custom remote access trojan (RAT) that most likely supported espionage operations.

The discovery and report come from analysts at the Malwarebytes Threat Intelligence team, who noticed the threat actors’ distinctive attempts to spoof other hacking groups and pass undetected.

The phishing campaigns

The first of the four campaigns attributed to this new APT began in February 2022, mere days after the Russian invasion of Ukraine, distributing the RAT under the name “interactive_map_UA.exe”.

For the second wave, the APT had more time to prepare something more sophisticated: a tar.gz archive presented as a fix for the Log4Shell vulnerability, purportedly sent by the Ministry of Digital Development, Telecommunications, and Mass Communications of the Russian Federation.

According to Malwarebytes, this campaign was narrowly targeted, as most of the associated emails reached employees of the RT TV station, a state-owned Russian television network.

Those emails contained a PDF with instructions on installing the Log4j patch and even included advice like “not to open or reply to suspicious emails”.

“Taking into account the use by cybercriminals of certain software and server-type vulnerabilities to gain access to user information, a software patch was released to update a Windows 10 system that closes the vulnerability CVE-2021-44228 (severity level 10.0),” reads the translated phishing document, as shown below.

PDF containing instructions on how to install the malware (Malwarebytes)

The third campaign spoofs Rostec, a Russian state-owned defense conglomerate: the actors used newly registered domains like “Rostec.digital” and fake Facebook accounts to spread their malware while making it appear to come from the legitimate company.

Fake company profile on Facebook (Malwarebytes)

Finally, in April 2022, the Chinese hackers switched to a macro-infected Word document containing a fake job advert by Saudi Aramco, a large oil and natural gas firm.

The document used remote template injection to fetch a malicious template, which then dropped the VBS script onto the machines of candidates applying for the “Strategy and Growth Analyst” position.

The Aramco campaign infection chain (Malwarebytes)

Stealthy custom payload

Malwarebytes was able to retrieve samples of the dropped payload from all four campaigns and reports that in all cases the payload is essentially the same DLL under different names.

The malware features anti-analysis techniques such as control flow flattening via OLLVM and string obfuscation using XOR encoding.

Control flow flattening in the malware (Malwarebytes)

In terms of the commands that the C2 can request from the payload, these include the following:
