Chinese State-Sponsored Cyber Espionage Group Targets Russia with Trojans

Feb 3, 2017

Espionage groups in China have been using new malware to attack military and aerospace organizations in Russia, new research reveals. While researchers have reported a dramatic decrease in state-sponsored attacks against the United States by Chinese threat actors since the signing of the US-China Cyber Agreement, China-linked advanced persistent threat (APT) groups continue to target other regions.

China-linked APT targets Russia with ZeroT and PlugX trojans

Earlier last year, security researchers at Proofpoint reported that a China-linked threat actor had been using the NetTraveler and PlugX remote access trojans (RATs) to target Russia, Belarus, and neighboring countries. Security researchers have now detailed that since the summer of 2016 the same group has been using a new downloader, dubbed ZeroT, to install the PlugX RAT. The group is also using Microsoft Compiled HTML Help (.chm) files to deliver PlugX in spear-phishing emails.


The espionage group sent its targets .chm files containing an HTML file and an executable. When the target opens the help file, it displays Russian-language text while the Windows User Account Control (UAC) feature prompts the victim to allow an unknown program to run. If the user approves this request, the ZeroT downloader is dropped onto the victim’s system. The group also used self-extracting RAR archives to deliver ZeroT. Many of these RAR files contained an executable named Go.exe, which bypasses UAC by abusing the Windows Event Viewer tool.

Once it has infected a system, ZeroT contacts its command and control (C&C) server and uploads information about the victim’s machine. It then downloads a variant of the PlugX RAT, using steganography to hide the malware payload.
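The two delivery steps described above, a help file that launches a program and an Event Viewer abuse that escapes the UAC prompt, both show up on an endpoint as unusual parent/child process pairs. The following Python is an added detection example, not code from the article or from Proofpoint: it assumes process-creation events carry a parent image path and a child image path (as Sysmon or EDR telemetry typically does), that hh.exe is the Windows HTML Help viewer that opens .chm files, and that eventvwr.exe normally hands off to mmc.exe and nothing else. The sample events are constructed for the demonstration.

```python
"""Flag process-creation events consistent with CHM-based droppers and
Event Viewer UAC abuse. Added detection example; event records and
file paths below are constructed, not taken from the campaign."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the new process
    command_line: str   # command line of the new process


# Assumption: the only legitimate child Event Viewer launches is mmc.exe.
EVENTVWR_EXPECTED_CHILD = "mmc.exe"
# Assumption: hh.exe is the HTML Help viewer that renders .chm files.
CHM_VIEWER = "hh.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[str]:
    """Return a verdict label for a suspicious event, or None if benign."""
    parent = basename(event.parent_image)
    child = basename(event.image)
    # A help file should render HTML, not start programs.
    if parent == CHM_VIEWER:
        return "chm-spawned-process"
    # Event Viewer starting anything but the management console is the
    # hallmark of the UAC bypass that hijacks its file-handler lookup.
    if parent == "eventvwr.exe" and child != EVENTVWR_EXPECTED_CHILD:
        return "eventvwr-uac-bypass"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Run classify() over a batch and keep only the flagged events."""
    hits = []
    for event in events:
        verdict = classify(event)
        if verdict is not None:
            hits.append((event, verdict))
    return hits


# Constructed sample telemetry: two benign events, two that should fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\hh.exe",
                 r'hh.exe "C:\Users\u\Downloads\cis_report.chm"'),
    ProcessEvent(r"C:\Windows\hh.exe",
                 r"C:\Users\u\AppData\Local\Temp\update.exe",
                 r"update.exe"),
    ProcessEvent(r"C:\Windows\System32\eventvwr.exe",
                 r"C:\Windows\System32\mmc.exe",
                 r'mmc.exe "C:\Windows\System32\eventvwr.msc"'),
    ProcessEvent(r"C:\Windows\System32\eventvwr.exe",
                 r"C:\Users\u\AppData\Roaming\Go.exe",
                 r"Go.exe"),
]


def sample_verdicts() -> List[str]:
    """Verdict labels for SAMPLE_EVENTS, in order of appearance."""
    return [verdict for _, verdict in scan(SAMPLE_EVENTS)]


if __name__ == "__main__":
    for event, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {event.parent_image} -> {event.image}")
```

Both rules are heuristics: a help file that legitimately launches an installer would also trip the first one, so in production the hit should be enriched with the .chm path and the child’s signer before it becomes an alert rather than blocked outright.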

Security researchers added that the emails and files used in the spear-phishing campaign referenced the Commonwealth of Independent States (CIS), “a regional organization that includes nine out of the fifteen former Soviet Republics, including Russia and Belarus.”

Proofpoint researchers, who have been following this Chinese state-sponsored attack group, warned that the APT activity will continue to increase in the coming year.


For more technical details, visit Proofpoint.
