Chinese State-Sponsored Cyber Espionage Group Targets Russia with Trojans
Espionage groups in China have been using new malware to attack military and aerospace organizations in Russia, a new research reveals. While researchers reported a dramatic decrease in state-sponsored attacks against the United States by Chinese threat actors since the signing of the US-China Cyber Agreement, China-linked advanced persistent threat (APT) groups continue to target other regions.
China-linked APT targets Russia with ZeroT and PlugX trojans
Earlier last year, security researchers at Proofpoint reported that a China-linked threat actor had been using NetTraveler and PlugX remote access trojan (RAT) to target Russia, Belarus, and neighboring countries. Security researchers have now detailed that since the summer of 2016, the same group started using a new downloader, dubbed as ZeroT, to install the PlugX RAT. The group is also using Microsoft Compiled HTML Help (.chm) files to deliver PlugX in spear-phishing emails.
The espionage group sent its targets .chm files containing an HTML file and an executable. When the target opens the help file, it displays Russian-language text where the victim is asked by the User Account Control (UAC) feature in Windows to allow the execution of an unknown program. If the user approves this request, the ZeroT downloader is dropped onto the victim’s system. The criminal group also used self-extracting RAR archives to deliver ZeroT. Many of these RAR files contained an executable named Go.exe, which performs UAC bypass by exploiting the Event Viewer tool in Windows.
Once it successfully infects a system, ZeroT then tries to contact its command and control (C&C) server to upload information about the victim’s system. From here, ZeroT downloads a variant of PlugX RAT – using steganography to hide the malware.
Security researchers added that the emails and files used in the spear-phishing campaign referenced the Commonwealth of Independent States (CIS), “a regional organization that includes nine out of the fifteen former Soviet Republics, including Russia and Belarus.”
Proofpoint researchers, who have been following this Chinese state-sponsored attack group, warned that the APT activity will continue to increase in the coming year.
For more technical details, visit Proofpoint.