Posted on September 12, 2022 at 9:17 PM
A Chinese-backed advanced persistent threat (APT) group has been carrying out a widespread campaign against targets in countries of strategic interest to China. According to the report, the threat group uses documents that spoof official diplomatic notices to deceive its victims.
Secureworks Counter Threat Unit (CTU), which observed the group's activity, stated that the threat actors carried out a series of attacks during June and July. They used the PlugX malware to target the computer systems of government officials in several countries in South America, the Middle East, and Europe.
The Malware Is Extremely Dangerous
Based on the features seen in the campaign, the security firm assessed that the attacks are likely the work of the Chinese government-sponsored Bronze President group. Along with PlugX, the attackers used shellcode placed in executable file headers and file paths. The attacks also rely on politically themed decoy documents matched to the regions in which China has an interest.
PlugX is a modular malware family that checks in with its command and control (C2) server for tasking. It can also download additional plugins that extend its capabilities well beyond information gathering, which is what makes it so potent and dangerous.
The threat actors deliver the malware to the target inside RAR archive files, which makes it hard to spot and to work out what the content is intended to do. When the user opens the archive on a Windows system with default settings, what is displayed is a Windows shortcut (LNK) file that masquerades as a document.
Alongside the shortcut is a hidden folder that contains the malware. It is buried eight levels deep in nested hidden folders whose names consist of special characters. The nesting is designed to circumvent email-scanning defenses that may skip parts of the archive when scanning its content. Because the technique has no other real benefit, the researchers assess that the threat actors are delivering the archives by phishing email.
The user still has to take action before the PlugX malware runs: they must click the LNK file, which causes the PlugX payload to load, decrypt, and execute. As part of this process the loader drops the decoy document, and the malware is then free to carry out its originally intended actions.
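The delivery layout described above (a shortcut at the top level of the archive beside a payload buried in nested hidden folders with special-character names) can be triaged mechanically before a user ever opens the archive. The following script is an added example and is not Secureworks/CTU tooling or code from the report. It assumes the archive is ZIP, because the Python standard library has no RAR reader (the same checks apply to a RAR listing obtained with a third-party library), and that the Windows hidden flag is carried in the low byte of `ZipInfo.external_attr` as archivers on Windows write it. The sample archives, their file names, the `DEPTH_THRESHOLD` value and the `EXEC_SUFFIXES` list are all constructed for the example, not taken from the campaign.

```python
"""Triage an archive for an LNK-plus-hidden-nested-folder delivery layout.
Added example; not Secureworks/CTU code.  Assumes ZIP input and MS-DOS
attribute bits in the low byte of external_attr.  Sample data is constructed."""
import io
import zipfile

HIDDEN = 0x02        # MS-DOS FILE_ATTRIBUTE_HIDDEN bit
DIRECTORY = 0x10     # MS-DOS directory bit
EXEC_SUFFIXES = (".exe", ".dll", ".scr")  # assumed list of payload suffixes
DEPTH_THRESHOLD = 3  # assumed, tunable: hidden nesting depth that counts as evasion


def _special_only(component):
    """True when a folder name contains no letters or digits at all."""
    return bool(component) and not any(ch.isalnum() for ch in component)


def triage(zf):
    """Inspect an open ZipFile and return findings plus a boolean verdict."""
    hidden_dirs = {
        i.filename.rstrip("/") for i in zf.infolist()
        if i.is_dir() and i.external_attr & HIDDEN
    }
    findings = {"top_level_lnk": [], "max_hidden_depth": 0,
                "special_char_dirs": set(), "executables_under_hidden": []}
    for info in zf.infolist():
        if info.is_dir():
            continue
        *dirs, name = info.filename.split("/")
        # A shortcut at the top level is what the victim sees and clicks.
        if not dirs and name.lower().endswith(".lnk"):
            findings["top_level_lnk"].append(name)
        depth = 0
        for i, comp in enumerate(dirs):
            # A folder counts as hidden if the archive flags it hidden or its
            # name is made only of special characters.
            if "/".join(dirs[:i + 1]) in hidden_dirs or _special_only(comp):
                depth += 1
            if _special_only(comp):
                findings["special_char_dirs"].add(comp)
        findings["max_hidden_depth"] = max(findings["max_hidden_depth"], depth)
        if depth and name.lower().endswith(EXEC_SUFFIXES):
            findings["executables_under_hidden"].append(info.filename)
    findings["verdict"] = bool(findings["top_level_lnk"]) and (
        findings["max_hidden_depth"] >= DEPTH_THRESHOLD
        or bool(findings["executables_under_hidden"]))
    return findings


def triage_file(path):
    """Convenience wrapper for an archive on disk."""
    with zipfile.ZipFile(path) as zf:
        return triage(zf)


def build_archive(layout):
    """Build an in-memory ZIP from (path, hidden) pairs; constructed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, hidden in layout:
            zi = zipfile.ZipInfo(path)
            zi.external_attr = DIRECTORY if path.endswith("/") else 0
            if hidden:
                zi.external_attr |= HIDDEN
            zf.writestr(zi, b"")
    buf.seek(0)
    return zipfile.ZipFile(buf)


def suspicious_sample():
    """Constructed layout mirroring the described technique: eight nested
    hidden '~' folders holding a payload and a decoy document."""
    nested = "~/" * 8
    layout = [("Diplomatic Notice.lnk", False)]
    layout += [("~/" * n, True) for n in range(1, 9)]
    layout += [(nested + "loader.exe", True), (nested + "helper.dll", True),
               (nested + "notice.docx", True)]
    return triage(build_archive(layout))


def benign_sample():
    """Constructed ordinary archive for comparison."""
    layout = [("report.pdf", False), ("images/", False),
              ("images/figure1.png", False)]
    return triage(build_archive(layout))


if __name__ == "__main__":
    for label, f in (("suspicious", suspicious_sample()), ("benign", benign_sample())):
        print(label, "verdict =", f["verdict"], "hidden depth =", f["max_hidden_depth"])
```

Run against a real archive with `triage_file("incoming.zip")`. The verdict deliberately requires both signals (a top-level shortcut and either deep hidden nesting or an executable under a hidden path) so that ordinary archives containing a single `.lnk` or a hidden `.git`-style folder do not trip it; an email gateway that unpacks attachments can apply the same two-signal rule to its own listing.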
The Hackers’ Activities Are Targeting Government Officials
According to the CTU team, the threat actors' activity is directed at government officials in various countries of interest to China. In other words, the attacks are designed to reach high-ranking officials who may hold highly sensitive information on their computers or devices.
Bronze President Has Interest In The Ukraine War
The security team cited an example in which the hackers targeted a Turkish official. They sent a notification purportedly from the British government, informing the target that a new ambassador had been appointed. The message was meant to draw a reaction from the target before the hackers proceeded with the next step of their plan. In reality there had been no change in the post: Dominick Chilcott is still the British ambassador in Ankara.
The campaign against Turkey by the Chinese threat actors reflects the strategic importance of the ongoing war in Ukraine.
The war in Ukraine has attracted several hackers and hacktivists who have chosen to support either Ukraine or Russia in the ongoing battle.
Bronze President, which has been very active this year, has shown increased interest in Ukraine, although it doesn’t seem to side with either of them. It has been supporting China’s intelligence-gathering agenda in connection to the war.
Earlier, in May, researchers at Cisco Talos observed the threat group targeting Russian and European entities. In that case it also used PlugX, delivered with a spoofed European Union report on the war.
Organizations Are Advised To Be Wary Of Government Representatives
The Secureworks team added that Bronze President has shown a strong capacity to move quickly to new intelligence-collection opportunities. The group is a sophisticated attack team that uses high-quality tooling for its spoofing operations, making each attack look as if it came from the genuine organization being impersonated.
As a result, the Secureworks team has warned organizations in the regions targeted by China to monitor the group's activity. They should be particularly wary of communications from organizations that claim to be government agencies or to have ties with the government.