Nepal, the Philippines, and Taiwan are among the countries targeted by a Chinese threat actor
The Insikt Group at Recorded Future is monitoring a Chinese government threat actor who is “targeting telecommunications, academics, research and development, and government institutions in Nepal, the Philippines, Taiwan, and, more historically, Hong Kong.” The effort specifically targeted Taiwan’s Industrial Technology Research Institute (ITRI), Nepal Telecom, and the Philippines’ Department of Information and Communications Technology. The researchers stress why the targeting of the ITRI is significant:
“The ITRI’s targeting is noteworthy in part because of its position as a technology research and development organization that has established and nurtured a number of Taiwanese technology companies. According to the ITRI’s website, the organization is particularly focused on research and development projects related to smart living, quality health, a sustainable environment, and technology, many of which map to China’s 14th 5-year plan’s development priorities, which have previously been identified by Insikt Group as likely targets for future Chinese economic espionage efforts. Several companies in Taiwan’s semiconductor sector have been targeted by Chinese entities in recent years in order to acquire source code, software development kits, and chip designs.”
SideCopy targets Indian companies.
Cisco Talos is keeping an eye on a campaign by the SideCopy APT aimed at Indian government officials. The threat actor, whose behavior is similar to Transparent Tribe (APT36), has added additional bespoke and commodity malware to its arsenal:
“SideCopy malware operations targeting organizations in India have increased in activity, according to Cisco Talos. The attackers have previously exploited infected LNK files and documents to spread their popular C#-based RAT. “CetaRAT” is the name we’ve given to this virus. SideCopy also makes extensive use of Allakore RAT, a Delphi-based RAT that is freely accessible. The group’s recent activities, on the other hand, indicate a surge in their development efforts. Multiple new RAT families and plugins have been identified by Talos and are presently being utilized in SideCopy infection chains.
“The targeting techniques and themes identified in SideCopy ads are very similar to those used by the Transparent Tribe APT (aka APT36), which is also targeting India. These include decoys masquerading as military and think tank operational papers, as well as honeytrap-based infections.”
A new malware distribution method has been discovered.
Zloader has been found to be transmitted through Word documents that do not themselves include any malicious code, according to McAfee. Instead, the Word document downloads an Excel document and, once both are on the machine, uses it to build the malicious macro:
“The virus is sent through a phishing email with a Microsoft Word document attached. When you open a Word document with macros enabled, the Word document downloads and opens a password-protected Microsoft Excel document.
“Word VBA takes the cell contents from the XLS file, generates a new macro for the same XLS file, and uploads the cell contents to XLS VBA macros as functions after downloading the XLS file.”
“Once the macros are created and ready, the Word document disables Excel Macro Warning in the registry and calls the malicious macro function from the Excel file. The Zloader payload is now downloaded from the Excel file. Rundll32.exe is subsequently used to execute the Zloader payload.”
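As an added illustration (not part of the McAfee write-up or this article) of how a defender might spot the chain just described in endpoint telemetry: the script below reads constructed Sysmon-style log lines and flags Word writing to Excel’s trust settings, and rundll32.exe launched by an Excel that was itself launched by Word. The VBAWarnings value name is an assumption about which Excel security setting the macro changes; the article only says the macro warning is disabled.

```python
import json

# Constructed Sysmon-style export: one JSON object per line.
# EventID 1 = process create, EventID 13 = registry value set.
# The first EXCEL.EXE launch is benign (parent explorer.exe); the rest is the chain.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Office\\EXCEL.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "ProcessId": 100, "ParentProcessId": 5}
{"EventID": 1, "Image": "C:\\Office\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "ProcessId": 200, "ParentProcessId": 5}
{"EventID": 13, "Image": "C:\\Office\\WINWORD.EXE", "ProcessId": 200, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\VBAWarnings", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "Image": "C:\\Office\\EXCEL.EXE", "ParentImage": "C:\\Office\\WINWORD.EXE", "ProcessId": 300, "ParentProcessId": 200}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "ParentImage": "C:\\Office\\EXCEL.EXE", "ProcessId": 400, "ParentProcessId": 300}
"""


def basename(path):
    """Lower-cased last component of a Windows path or registry path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(log_text):
    """Return finding strings for the Word -> Excel -> rundll32 chain."""
    procs = {}  # pid -> (image name, parent pid), built from process-create events
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 1:
            name = basename(ev["Image"])
            procs[ev["ProcessId"]] = (name, ev["ParentProcessId"])
            if name == "rundll32.exe":
                # Walk two levels up the ancestry: rundll32 <- excel <- winword
                parent = procs.get(ev["ParentProcessId"])
                grand = procs.get(parent[1]) if parent else None
                if parent and parent[0] == "excel.exe" and grand and grand[0] == "winword.exe":
                    findings.append(f"rundll32 pid {ev['ProcessId']} spawned by Excel launched from Word")
        elif ev["EventID"] == 13:
            # Any process other than Excel itself changing Excel's Security subkey is suspect
            target = ev["TargetObject"].lower()
            actor = basename(ev["Image"])
            value_name = basename(ev["TargetObject"])
            if "\\excel\\security\\" in target and actor != "excel.exe":
                findings.append(f"{actor} wrote Excel trust setting {value_name}")
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```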
The screen of a victim may now be live-streamed by a new Trojan.
Trend Micro has discovered a new remote access Trojan known as “BIOPASS” that is aimed at Chinese online gambling businesses through watering-hole websites. The virus not only has all of the typical information-stealing Trojan features, but it can also live-stream the victim’s screen to the attacker:
“What makes BIOPASS RAT so intriguing is that it can sniff the screen of its victim by exploiting the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording software, to create live streaming to a cloud server through Real-Time Messaging Protocol (RTMP). Furthermore, the assault takes advantage of Alibaba Cloud’s (Aliyun) object storage service (OSS) to host the BIOPASS RAT Python scripts as well as to store the data stolen from victims.
“We still consider BIOPASS RAT to be under active development. Some of the identifiers we found throughout our research, for example, relate to various versions of the RAT code, such as “V2” or “BPSV3.” By default, several of the loaders we discovered loaded Cobalt Strike shellcode instead of the BIOPASS RAT malware. Furthermore, during the startup of BIOPASS RAT, scheduled tasks are created to load the Cobalt Strike shellcode, suggesting that the malicious actor behind the assault still significantly depends on Cobalt Strike.”