Chinese hackers use a new backdoor to spy on the country’s government from Southeast Asia

Daniel ZimmermannJune 9, 2021

0 145 1 minute read

Check Point specialists discovered a spy operation carried out by Chinese hackers, during which they used a new backdoor of their own design. The operation was aimed at the government of one of the countries of Southeast Asia.

Researchers say an unnamed Chinese hack group has been developing a new backdoor for Windows for three years. With its help, hackers could monitor victims in real time: take screenshots, edit files, and execute other commands.

Chinese hackers and a new backdoor — Attack scheme

The company’s report states that the criminals sent malicious documents to the Foreign Ministry, posing as employees of the government of the same country. By opening the document, the victim launched a chain of actions that eventually led to the deployment of the backdoor. This malware, in turn, collected any information about the infected system (for example, a list of files and active programs), and also provided attackers with remote access to the infected device.

The backdoor, which the group has been developing for about three years, overrides the usual authentication procedures for accessing the system. The backdoor module with the internal name VictoryDll_x86.dll contains custom malware with many hacking tools.

Experts associate this spy campaign with China, basing on the following artifacts and signs:

control servers were only online from 01:00 to 08:00 UTC. According to the researchers, this indicates working hours in a particular country/region; attackers – therefore, the territorial range of possible sources of this attack is limited;
C&C servers did not return any payload (even during business hours) between May 1 and May 5, during which Labor Day is celebrated in China.
Some test versions of the backdoor had records of checking network connectivity from www.baidu.com;
The RoyalRoad RTF exploit kit used in malicious documents for the attack is mainly associated with Chinese APT groups.
some test versions of the backdoor dated 2018 were uploaded to VirusTotal from China.

All facts indicate are that we are dealing with a highly organized group that has applied significant efforts to remain undetected. Cybercriminals (we believe that this is a Chinese group), acted in a very systematic way. Our investigation ultimately led to the discovery of a new Windows backdoor, a cyber espionage weapon that Chinese hackers have been developing since 2017. The backdoor was refined for three years before being used in real life. It is very corrosive and capable of collecting a huge amount of data from an infected computer. We learned that attackers are interested not only in data, but also in what happens on the victim’s PC at any moment – this is real-time espionage. We were able to block this particular operation, but it is possible that this group is using new weapons for other attacks around the world.says Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software.

Let me remind you that we talked about the fact that the Chinese authorities use Tianfu Cup as a source of exploits, as well as that the Chinese authorities use AI to analyze emotions of Uyghur prisoners.

Sending