As most of the world works towards mitigating Coronavirus, a small number are seeking to exploit it. Check Point Research has discovered a Chinese APT that's using Coronavirus in a spearphishing campaign targetting the Mongolian public sector.
The emails imitate the Mongolian Ministry of Foreign affairs, containing RTF files pretending to give information on the spread of Covid-19. The documents were weaponized by a tool called RoyalRoad, researchers say, which is commonly used by various Chinese threat actors. The files contain custom embedded objects that exploit a flaw in Word's equation editor to drop malware into its startup folder.
Named intel.wll, it will start the infection chain once a user restarts Word, downloading a DLL file that loads the malware, a new Remote Access Trojan (RAT) into memory. The RAT then takes screenshots, downloads files, execute a new process, and move and delete files. When examining the malware, researchers found similarities to a group that performed attacks in Belarus, Russia, and Ukraine between 2016 and 2017.
As a whole, the campaign has been named Vicious Panda. It's particularly persistent because each time a user opens Microsoft Word, the infection process will start again, triggering the malware download.
Naturally, enterprises should avoid clicking on emails about coronavirus that have not been arranged in advance and use professional security software. This group has shown that it's willing to adapt its tactics and has targetted organizations in several countries already, so your location doesn't necessarily mean you're safe.
“The full intention of this Chinese APT group is still a mystery, but it is clear they are here to stay and will update their tools and do whatever it takes to attract new victims to their network,” ends CheckPoint.