Chinese hackers using data-stealing malware against Southeast Asian governments?

Dark web
Cyber security Pixabay

Cybersecurity experts have recently revealed that Chinese threat actors are responsible for malware-based espionage attacks on Singapore as well as Cambodia, which targeted to steal confidential data of the Southeast Asian governments.

It should be noted that the group of cybercriminals were targeting mainly government departments, embassies, and government-affiliated entities in Southeast Asia, said cybersecurity researchers.

As per the new findings, revealed by Check Point Research, the cyber attack operations were carried out over a period of seven months between December 2018 and June 2019. The hackers have launched such attacks by using phishing tricks to lure victims to open malicious emails that download malware on their computers.

The researchers also mentioned that China based hacking group, which is called dubbed Rancor, has been sending malicious documents from real email addresses belonging to government officials to make them seem more legitimate.

In 2018 July, this cybercriminal group was first documented by Palo Alto Networks' threat intelligence team Unit 42. Their team of cyber experts suspected that the group has major role in cyber espionage attacks against Singapore and Cambodia using phishing messages which included malicious attachments, such as Microsoft Excel files with embedded macros and HTML applications.

Rancor's modus operandi includes downloading documents such as official letters, press releases and surveys and let the malware affect the system. The group of hackers has continuously mutated its tactics, techniques and procedures by using a range of methods, including macros, JavaScript, known vulnerabilities in Microsoft Equation Editor to distribute malware.

As per the Check Point researchers, the application of Equation Editor exploit (CVE-2018-0798) and the fact their command-and-control (C&C) server were available only between 01:00 and 08:00 UTC time suggested that the cybercriminals belong to China.

Check Point also stated that "Chinese roots can also be confirmed by the presence of metadata in Chinese for some of the documents... The campaign wasn't active during February 2019 which is a month of Chinese New Year and Spring Festival, a long holiday in China."