After discovering an archive file which contained a malicious document, researchers from Malwarebytes began observing the actors behind the campaign in which the malicious document was used. Malwarebytes believes the actor may be a state-sponsored Chinese APT group that has been operating since at least 2014.
- Malware, APT, Spear-phishing
Beginning in early July 2020, researchers from Malwarebytes monitored the activities of a threat group and its campaigns targeting individuals in Hong Kong and government entities in India. While the TTPs used by the actor are known to have been used by multiple Chinese APT groups, those same TTPs allowed Malwarebytes to track the actor's activities back as far as 2014. The documents are themed around subjects of interest to the targets and were probably delivered in spear-phishing emails. The document that was initially located installed a Cobalt Strike variant; later documents installed a variant of a loader named MgBot. The final payload is a Trojan that provides remote administration capabilities. Of note, the actor has predominantly used IP addresses located in Hong Kong, and the great majority of C&C communications are with those Hong Kong addresses. Malwarebytes also located a number of malicious Android apps they believe are associated with the actor. Further details, including a technical analysis of the malware, are available in the report linked in the Reference section below.
Indicators of Compromise
Review IBM X-Force Exchange Reports here: https://exchange.xforce.ibmcloud.com/collection/869f966b8f01b8f558465beaf59cb5c4
- Ensure anti-virus software and associated files are up to date.
- Search for existing signs of the indicated IoCs in your environment.
- Consider blocking and/or setting up detection for all URL- and IP-based IoCs.
- Keep applications and operating systems running at the current released patch level.
- Exercise caution with attachments and links in emails.