In January 2022, researchers at Kaspersky ICS CERT uncovered a series of targeted attacks on military-industrial enterprises and public institutions in Afghanistan and Eastern Europe.
The attackers breached dozens of enterprises and in some cases compromised their IT infrastructure, taking over systems used to manage security solutions.
“All the victims identified are associated with the defense industry or are public institutions. The attack targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan.” reads the report published by Kaspersky.
The threat actors launched spear-phishing campaigns against the victims; in some cases the messages contained information about the victims that was not publicly available, which suggests the attackers had detailed knowledge of the targets, most likely gathered during preparatory reconnaissance.
The emails used weaponized Microsoft Word documents exploiting the CVE-2017-11882 vulnerability.
CVE-2017-11882 is a memory-corruption vulnerability in EQNEDT32.EXE, the legacy Equation Editor component that inserts and edits equations (embedded as OLE objects) in Office documents; versions of Microsoft Office released between 2000 and 2017 shipped the vulnerable component.
The component does not check the length of the font name in an equation's FONT record before copying it into a fixed-size stack buffer, so a crafted document can corrupt the stack and execute arbitrary code in the context of the logged-in user as soon as the file is opened, with no macros or further interaction required.
Although Microsoft patched the flaw in November 2017, Microsoft and other vendors continue to see threat actors exploiting it in the wild.
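The two artifacts a defender can look for in a suspicious attachment follow directly from the description above: the Equation Editor COM class identifier that an OLE container records for the embedded object, and an MTEF FONT record whose "font name" is far longer than any real typeface name. The scanner below is an added example written for this page, not code from Kaspersky or the campaign; the sample streams are constructed, the walker only decodes FONT records (an assumption made for brevity), and the 32-byte threshold is a heuristic, not the exact size of the vulnerable buffer.

```python
import uuid
from dataclasses import dataclass

# Equation.3 (Equation Editor) COM class; an OLE container stores it in the
# directory entry of the embedded object, in little-endian GUID byte order.
EQUATION3_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
EQUATION3_CLSID_LE = EQUATION3_CLSID.bytes_le
EQUATION_NATIVE_NAME = "Equation Native".encode("utf-16-le")  # OLE stream name

EQNOLEFILEHDR_LEN = 28   # fixed header in front of the MTEF data
MTEF_HEADER_LEN = 5      # version, platform, product, product version, sub-version
MTEF_FONT_TAG = 0x08     # FONT record: tag, typeface number, style, NUL-terminated name
MAX_SANE_FONT_NAME = 32  # assumption: real font names are short; longer ones are flagged


@dataclass
class FontRecord:
    offset: int
    typeface: int
    style: int
    name: bytes

    @property
    def overflow_candidate(self) -> bool:
        return len(self.name) > MAX_SANE_FONT_NAME


def parse_font_records(stream: bytes) -> list[FontRecord]:
    """Return the FONT records found in an 'Equation Native' stream.

    Simplified walker (assumption): other MTEF record types are not decoded,
    so it advances byte by byte until it meets a FONT tag, then consumes the
    typeface byte, the style byte and the NUL-terminated font name.
    """
    records: list[FontRecord] = []
    pos = EQNOLEFILEHDR_LEN + MTEF_HEADER_LEN
    while pos < len(stream):
        if stream[pos] == MTEF_FONT_TAG and pos + 3 <= len(stream):
            end = stream.find(b"\x00", pos + 3)
            if end == -1:  # unterminated name: the vulnerable copy loop would run on
                end = len(stream)
            records.append(FontRecord(pos, stream[pos + 1], stream[pos + 2],
                                      stream[pos + 3:end]))
            pos = end + 1
        else:
            pos += 1
    return records


def scan_equation_stream(stream: bytes) -> list[FontRecord]:
    """FONT records whose name could not be a legitimate typeface name."""
    return [r for r in parse_font_records(stream) if r.overflow_candidate]


def scan_container(blob: bytes) -> dict:
    """Indicators over a raw document: does it carry an Equation Editor object at all?"""
    return {
        "equation3_clsid": EQUATION3_CLSID_LE in blob,
        "equation_native_stream": EQUATION_NATIVE_NAME in blob,
    }


# Constructed sample streams (not captured from the campaign): a 28-byte
# EQNOLEFILEHDR, an MTEF header (version 3, Windows), a FULL and a LINE
# record, then a single FONT record.
_PREFIX = (b"\x1c\x00\x00\x00\x02\x00" + b"\x00" * 22
           + b"\x03\x01\x01\x03\x0a" + b"\x0a\x01")
BENIGN_STREAM = _PREFIX + b"\x08\x01\x00" + b"Times New Roman\x00" + b"\x00"
EXPLOIT_SHAPED_STREAM = _PREFIX + b"\x08\x5a\x5a" + b"A" * 44 + b"\x00" + b"\x00"

if __name__ == "__main__":
    for label, s in (("benign", BENIGN_STREAM), ("exploit-shaped", EXPLOIT_SHAPED_STREAM)):
        hits = scan_equation_stream(s)
        print(label, "->", [(h.offset, len(h.name)) for h in hits])
```

To use it on a real file, extract the "Equation Native" stream from the OLE container (for RTF carriers the object data is hex-encoded inside an \objdata group and must be decoded first) and pass it to scan_equation_stream; run scan_container on the raw bytes as a cheap first filter. On hosts that cannot be patched, Microsoft's published workaround was to disable the component by setting the "Compatibility Flags" DWORD to 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046} (and the WOW6432Node equivalent on 64-bit Windows).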
The threat actors deployed multiple backdoors on the compromised systems; the researchers believe the redundancy was intended to preserve a communication channel even if one backdoor was detected and removed.
The information gathered by the experts led them to believe that the goal of the attacks was cyberespionage, and they linked the campaigns to a China-linked APT group tracked as TA428 (aka Colourful Panda, BRONZE DUDLEY).
The evidence tying the attacks to a China-linked group is indirect: the use of hacking utilities popular in China, a second-stage C2 server located in China, and C2 server registration records whose administrator contact data includes an email address at the Chinese provider 163.com.
One of the backdoors used by the group is PortDoor, first detailed by Cybereason in April 2021, when its researchers reported that a China-linked APT group had targeted Rubin, a Russian defense contractor that designs nuclear submarines for the Russian Navy.
PortDoor implements multiple functionalities, including reconnaissance, target profiling, delivery of additional payloads, privilege escalation, process manipulation, evasion of static antivirus detection, one-byte XOR encryption, and AES-encrypted data exfiltration.
Other malware used in the attacks attributed to TA428 includes nccTrojan, Logtu, Cotx and DNSep, as well as a previously unknown backdoor that the researchers named CotSam.
Once they had gained control of a target's IT infrastructure, the threat actors began collecting sensitive information. The gathered files were packed into password-protected ZIP archives and sent to one of the first-stage malware C2 servers, which are located in various countries around the world.
In most cases, the first-stage C2 servers merely relayed the received data to a second-stage server in China.
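Password-protected archives leaving the network are a concrete thing a detection engineer can check for in proxy or sandbox captures, because the ZIP format records encryption in plain view: traditional ZipCrypto sets bit 0 of each member's general-purpose flags, and WinZip-style AES additionally stores compression method 99. The check below is an added example written for this page, not Kaspersky's tooling. Since the standard library cannot write encrypted archives, the sample archive is constructed by building a plain ZIP and then setting the encryption flag on one member by hand; the file names are made up.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: member is encrypted
WINZIP_AES_METHOD = 99    # compression method reserved for WinZip AES

LOCAL_SIG, LOCAL_FLAG_OFF, LOCAL_NAMELEN_OFF, LOCAL_HDR_LEN = b"PK\x03\x04", 6, 26, 30
CDIR_SIG, CDIR_FLAG_OFF, CDIR_NAMELEN_OFF, CDIR_HDR_LEN = b"PK\x01\x02", 8, 28, 46


def encrypted_entries(zip_bytes: bytes) -> list[str]:
    """Names of archive members that are password protected (ZipCrypto or AES)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            info.filename
            for info in zf.infolist()
            if info.flag_bits & ENCRYPTED_FLAG or info.compress_type == WINZIP_AES_METHOD
        ]


def build_plain_zip(members: dict[str, bytes]) -> bytes:
    """Helper for the constructed sample: an ordinary, unencrypted archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes, name: str) -> bytes:
    """Set the encryption flag on one member in both the local file header and
    the central directory entry, simulating what a ZipCrypto writer records.
    (Sample construction only: the member data itself is left unencrypted.)"""
    data = bytearray(zip_bytes)
    layouts = (
        (LOCAL_SIG, LOCAL_FLAG_OFF, LOCAL_NAMELEN_OFF, LOCAL_HDR_LEN),
        (CDIR_SIG, CDIR_FLAG_OFF, CDIR_NAMELEN_OFF, CDIR_HDR_LEN),
    )
    for sig, flag_off, namelen_off, hdr_len in layouts:
        pos = data.find(sig)
        while pos != -1:
            name_len = struct.unpack_from("<H", data, pos + namelen_off)[0]
            entry_name = bytes(data[pos + hdr_len:pos + hdr_len + name_len])
            if entry_name == name.encode():
                data[pos + flag_off] |= ENCRYPTED_FLAG
            pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed sample: two "collected" documents, one marked password protected.
SAMPLE_ARCHIVE = mark_encrypted(
    build_plain_zip({"doc1.docx": b"<constructed content>", "readme.txt": b"notes"}),
    "doc1.docx",
)

if __name__ == "__main__":
    print("encrypted members:", encrypted_entries(SAMPLE_ARCHIVE))
```

In a pipeline this would run over every ZIP observed leaving the network; a non-empty result on its own is only a weak signal (legitimate users also password-protect archives), but combined with the destination (an unfamiliar host outside the organisation) and volume it matches the exfiltration pattern described above.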
“The attack series that we have discovered is not the first in the campaign and, given that the attackers achieve a certain degree of success, we believe it is highly likely that they will continue to conduct similar attacks in the future. Industrial enterprises and public institutions should take extensive measures to repel such attacks successfully.” concludes the report.