Cyber espionage – China-Linked group leverages recently patched .NET Flaw

The hackers have been using a recently patched .NET vulnerability, tracked as CVE-2017-8759, in attacks aimed at organizations in the United States.

“Proofpoint researchers are tracking an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.” reads the report published by Proofpoint.

The attackers have been active since at least 2014, they are known for the use of a remote access trojan (RAT) named NanHaiShu. The threat actors targeted various U.S. and Western European organizations with ties to the maritime sector, including naval defense contractors and research institutions.

“NanHaiShu – We have observed variants of this JavaScript backdoor used in various campaigns, including those publically reported. The actor continues to improve and refine the malware by, for example, wrapping it inside an HTA wrapper” continues the report.

In the last campaign spotted in mid-September, attackers targeted various US entities, including a shipbuilding company and a university research center with ties to the military.

According to researchers at Proofpoint, threat actors attacker sent spear-phishing emails to the victims, the messages use documents crafted to exploit the CVE-2017-8759. The CVE-2017-8759 flaw is a .NET vulnerability patched by Microsoft just a few days before the hacker crew launched the attacks.

The CVE-2017-8759 flaw is a .NET vulnerability patched by Microsoft just a few days before the hacker crew launched the attacks.

According to FireEye, the CVE-2017-8759 has actively been exploited by an APT group to deliver the surveillance malware FinFisher Spyware (FinSpy) to a Russian-speaking “entity” via malicious Microsoft Office RTF files in July.

Proofpoint discovered other attacks launched by the cyber espionage group in early August when hackers exploited the CVE-2017-0199 flaw, an Office vulnerability that had also been exploited in attacks since April.

The hackers targeted several defense contractors, they leveraged malicious Microsoft Publisher files, PowerPoint docs, and domains set up to mimic ones belonging to an important provider of military ships and submarines.

The arsenal of the group also includes a backdoor dubbed “Orz,” which was used in past attacks and in the August 2017 campaigns, the SeDLL and MockDLL loaders, and a publicly available commercial software for “Adversary Simulations and Red Team Operations.” Cobalt Strike.

The actor sometimes leverages the access at one compromised organization for lateral movements and target another organization in the same industry.

“Similarly the actor attempts to compromise servers within victim organizations and use them for command and control (C&C) for their malware.” continues the analysis.

“The tools, techniques, and targets consistently connect their work, particular given their attention to naval and maritime defense interests and use of custom backdoors,” concluded the researchers. “While defense contractors and academic research centers with military ties should always be cognizant of the potential for cyberattacks, organizations fitting their targeting profiles should be especially wary of legitimate-looking but unsolicited emails from outside entities.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – Cyber espionage, China)

[adrotate banner=”5″]

[adrotate banner=”13″]