HomeWinBuzzer NewsChinese Attackers Are Using Coronavirus to Spear-Phish Users via Microsoft Word

Chinese Attackers Are Using Coronavirus to Spear-Phish Users via Microsoft Word

A Chinese threat actor linked to a 2017 Belarus campaign is now using Coronavirus and new Microsoft Word exploits to steal user's information.


As most of the world works towards mitigating Coronavirus, a small number are seeking to exploit it. Check Point Research has discovered a Chinese APT that's using in a spearphishing campaign targetting the Mongolian public sector.

The emails imitate the Mongolian Ministry of Foreign affairs, containing RTF files pretending to give information on the spread of Covid-19. The documents were weaponized by a tool called RoyalRoad, researchers say, which is commonly used by various Chinese threat actors. The files contain custom embedded objects that exploit a flaw in Word's equation editor to drop malware into its startup folder.

Named intel.wll, it will start the infection chain once a user restarts Word, downloading a DLL file that loads the malware, a new Remote Access Trojan (RAT) into memory. The RAT then takes screenshots, downloads files, execute a new process, and move and delete files. When examining the malware, researchers found similarities to a group that performed attacks in Belarus, , and Ukraine between 2016 and 2017.

As a whole, the campaign has been named Vicious Panda. It's particularly persistent because each time a user opens Word, the infection process will start again, triggering the malware download.

Naturally, enterprises should avoid clicking on emails about coronavirus that have not been arranged in advance and use professional security software. This group has shown that it's willing to adapt its tactics and has targetted organizations in several countries already, so your location doesn't necessarily mean you're safe.

“The full intention of this Chinese APT group is still a mystery, but it is clear they are here to stay and will update their tools and do whatever it takes to attract new victims to their network,” ends CheckPoint.

Ryan Maskell
Ryan Maskellhttps://ryanmaskell.co.uk
Ryan has had a passion for gaming and technology since early childhood. Fusing the skills from his Creative Writing and Publishing degree with profound technical knowledge, he enjoys covering news about Microsoft. As an avid writer, he is also working on his debut novel.

Recent News