The Chinese government-sponsored cyber group APT TA428 has launched a new phishing campaign targeting Ukraine, Russia and Belarus. The carefully crafted phishing e-mails often contain confidential information about the target organization (for example, design bureaus, research institutes, government agencies, industrial enterprises, ministries and departments). The attached malicious MS Word documents exploit the Microsoft Equation Editor vulnerability CVE-2017-11882 to install the PortDoor malware. For persistence, continuous C2 communication, lateral movement and data theft, the attackers install the additional backdoors Cotx, DNSep, Logtu, nccTrojan and CotSam. The e-mails are sent both from free e-mail accounts and from compromised user accounts. Previously, the attackers relied on the Microsoft Equation Editor exploit CVE-2018-0798 to deliver the custom Cotx RAT malware. Additionally, this APT group can use Poison Ivy payloads that override command and control (C2) infrastructure.
The Chinese state-backed cyber espionage group APT41 (Winnti, Wicked Spider, Wicked Panda, Barium, Group72) has begun using a variety of dual-use tools for reconnaissance and a new method of deploying the main Cobalt Strike payload on victim systems. To evade detection, the attackers encode the main Cobalt Strike binary in Base64 and then either break it into smaller 775-character chunks that are appended to a text file, or split it into 1024-character chunks and write the payload to a text file over 128 iterations. Another distinctive method was the use of command and control (C2) servers with over 106 custom SSL certificates (mimicking companies such as Microsoft and Cloudflare), which allowed the C2 servers to accept only specified connections and prevented researchers from analyzing them. As the initial access vector, the group chose a new SQL injection tactic using the SQLmap tool, which gave them access to a command shell on some target servers. After gaining access to the target network, APT41 deployed additional custom tools (DeployLog, Spyder Loader, StashLog, PrivateLog). The attackers targeted databases containing existing user accounts, employee lists, and passwords stored in both plaintext and hashed form, attacking 86 vulnerable websites and applications belonging to the targeted organizations.
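The chunked-Base64 staging described above leaves a recognizable artifact on disk: a text file made entirely of fixed-width Base64 lines that, once joined, decode to an executable. The following detection helper is an added example and is not code from the report or from any of the tools it names. It reassembles such a file and checks whether the decoded content starts with the "MZ" marker of a Windows PE file. The sample payload, the `chunk_base64` fixture that reproduces the staging layout for testing, and the minimum line width of 64 characters are all constructed assumptions for this example.

```python
import base64
import binascii
import re

# Constructed sample payload: a placeholder blob that starts with the "MZ"
# marker of a Windows PE file. It is not a real executable.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 8  # 2050 bytes, constructed

# One Base64 chunk line: alphabet characters with optional trailing padding.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def chunk_base64(data: bytes, chunk_size: int) -> str:
    """Test fixture only: Base64-encode a blob and split the text into
    fixed-width lines, reproducing the staging layout described in the
    report (775- or 1024-character chunks appended to a text file)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]
    return "\n".join(lines) + "\n"


def reassemble_base64_chunks(text: str, min_width: int = 64):
    """Return (decoded_bytes, chunk_width, chunk_count) when the text consists
    solely of fixed-width Base64 lines that decode as one blob, else None.
    min_width is an assumed threshold that ignores short, ordinary lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return None
    if not all(B64_LINE.match(ln) for ln in lines):
        return None
    # Every line except the last must share one width: the chunk size.
    widths = {len(ln) for ln in lines[:-1]}
    if len(widths) != 1:
        return None
    width = widths.pop()
    if width < min_width or len(lines[-1]) > width:
        return None
    try:
        # validate=True rejects stray characters and padding in the middle.
        blob = base64.b64decode("".join(lines), validate=True)
    except binascii.Error:
        return None
    return blob, width, len(lines)


def scan_text(text: str) -> dict:
    """Classify a text file: is it a chunked Base64 blob, and does the
    reassembled content carry a PE "MZ" header?"""
    result = reassemble_base64_chunks(text)
    if result is None:
        return {"chunked_base64": False, "pe_header": False,
                "chunk_width": 0, "chunks": 0, "decoded_size": 0}
    blob, width, count = result
    return {"chunked_base64": True, "pe_header": blob[:2] == b"MZ",
            "chunk_width": width, "chunks": count, "decoded_size": len(blob)}


if __name__ == "__main__":
    for width in (775, 1024):
        print(width, scan_text(chunk_base64(SAMPLE_PAYLOAD, width)))
    print("prose", scan_text("This is an ordinary text file.\nNothing here.\n"))
```

The fixed-width check is what separates this staging pattern from ordinary Base64 in mail or certificates: every line but the last has the same length, so a file written in 775- or 1024-character chunks reports that width directly, which can then be matched against the values from the report in a file-scanning or EDR rule.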
Against the backdrop of the Russian-Ukrainian war and the focus on threats from Russia, China-sponsored cyber groups continue to update their TTPs and conduct active cyber espionage campaigns, including against Ukraine.