Chinese Attackers Are Using Coronavirus to Spear-Phish Users via Microsoft Word

A Chinese threat actor linked to a 2017 campaign in Belarus is now using Coronavirus lures and weaponized Microsoft Word documents to steal users' information.


As most of the world works towards mitigating Coronavirus, a small number are seeking to exploit it. Check Point Research has discovered a Chinese APT using Coronavirus-themed lures in a spear-phishing campaign targeting the Mongolian public sector.

The emails imitate the Mongolian Ministry of Foreign Affairs and carry RTF files that claim to give information on the spread of Covid-19. The documents were weaponized with a tool called RoyalRoad, researchers say, which is commonly used by various Chinese threat actors. The files contain custom embedded objects that exploit a flaw in Word's equation editor to drop a file into Word's startup folder.

Named intel.wll, that file starts the infection chain the next time Word is launched: it downloads a DLL that loads the payload, a new Remote Access Trojan (RAT), into memory. The RAT can take screenshots, download files, execute new processes, and move and delete files. When examining the malware, researchers found similarities to a group that carried out attacks in Belarus, Russia, and Ukraine between 2016 and 2017.

As a whole, the campaign has been named Vicious Panda. It is particularly persistent because Word loads the .wll from its startup folder as an add-in every time it starts, so the infection process runs again and the malware is downloaded afresh each time a user opens Word.
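The persistence described above relies on a file in a Word STARTUP folder, so the practical check on a suspect host is to enumerate those folders. The script below is an added example, not code from the article or from Check Point's research. It assumes the standard Office locations (the per-user %APPDATA%\Microsoft\Word\STARTUP folder, the per-user STARTUP-PATH registry override, and the machine-wide STARTUP folder under each installed Office version); the only indicator taken from the article is the file name intel.wll, and any other file the script lists still needs analyst judgement.

```powershell
# Added example (not from the article or Check Point): list add-ins and templates
# in every Word STARTUP folder and flag the file name reported in the campaign.
# Paths are the standard Office locations; "intel.wll" is the only IOC taken from
# the article. Anything else found here still needs analyst judgement.

$suspectNames = @('intel.wll')

# 1. Per-user STARTUP folder: writable without admin rights, so the usual drop site.
$paths = @(Join-Path $env:APPDATA 'Microsoft\Word\STARTUP')

# 2. Per-user override: Word honours a STARTUP-PATH value under its Options key.
Get-ChildItem 'HKCU:\Software\Microsoft\Office' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $opt = Join-Path $_.PSPath 'Word\Options'
        $sp  = (Get-ItemProperty -Path $opt -Name 'STARTUP-PATH' -ErrorAction SilentlyContinue).'STARTUP-PATH'
        if ($sp) { $paths += [Environment]::ExpandEnvironmentVariables($sp) }
    }

# 3. Machine-wide STARTUP folders under each installed Office version
#    (e.g. ...\Microsoft Office\Office16\STARTUP or ...\root\Office16\STARTUP).
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if (-not $root) { continue }
    Get-ChildItem -Path (Join-Path $root 'Microsoft Office') -Directory -Recurse -Filter 'Office*' -ErrorAction SilentlyContinue |
        ForEach-Object { $paths += Join-Path $_.FullName 'STARTUP' }
}

# Word loads .wll add-ins and .dot/.dotm/.dotx templates from these folders at launch.
$results = foreach ($p in ($paths | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    Get-ChildItem -LiteralPath $p -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.wll', '.dot', '.dotm', '.dotx' } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Bytes     = $_.Length
                Created   = $_.CreationTime
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                KnownIOC  = ($suspectNames -contains $_.Name)
            }
        }
}

if ($results) { $results | Sort-Object KnownIOC -Descending | Format-Table -AutoSize }
else { 'No add-ins or templates found in any Word STARTUP folder.' }
```

Run it as the user whose mailbox received the lure, since the per-user folder and registry override are what a non-privileged dropper can write to. A renamed .wll would defeat the name match, which is why the hash and Authenticode status of every file are printed: legitimate add-ins are normally signed by their vendor, while a dropped loader is not.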

Naturally, enterprises should avoid opening Coronavirus-themed emails and attachments that have not been arranged in advance, and should rely on professional security software. This group has shown that it is willing to adapt its tactics and has already targeted organizations in several countries, so your location does not necessarily mean you are safe.

“The full intention of this Chinese APT group is still a mystery, but it is clear they are here to stay and will their tools and do whatever it takes to attract new victims to their network,” Check Point concludes.