What Is It?

Researchers from Malwarebytes have released their research into three malicious campaigns they observed in early July 2020. The first two campaigns, which occurred within a day of each other, were aimed at Indian government entities. The third campaign targeted users in Hong Kong. Based on the targets, the timing and the techniques used, the researchers believe the attacks originated from a previously undocumented China-based APT group, potentially active since 2014. In each campaign, the initial attack vector was a malicious Word document, resulting in the delivery of either a modified Cobalt Strike variant or the MgBot RAT (Remote Access Trojan). They also found malicious Android RATs believed to be used by the same APT group.

Two real-world events in late June 2020 strained political relations between India and China. The first was a border skirmish along their disputed shared border in the Himalayas, reportedly resulting in casualties on both sides. Secondly, the Indian government banned 59 Chinese apps, most notably TikTok, on national security and privacy grounds.

The two APT campaigns were aimed at users with Indian government email addresses. The messages contained a Word document claiming to be a security check required due to a leak of email addresses. The Word document uses a technique known as “template injection” to download a malicious macro, which in turn downloaded and executed the Cobalt Strike variant or the MgBot RAT.

The third APT campaign, targeting users in Hong Kong, used a lure and associated document based around statements made by UK Prime Minister, Boris Johnson. The statements, made in response to China’s new national security law for Hong Kong, describe provisions for up to 3 million Hong Kong citizens to live and work in the UK. The document again made use of “template injection” which resulted in the installation of the MgBot RAT.

The MgBot malware masquerades as the legitimate Realtek Audio Manager utility. It also contains a number of techniques to make analysis more difficult: it attempts to determine whether it is running in a VM or under analysis, and whether various endpoint security products are running. It connects to a C2 (Command and Control) server, ironically located in Hong Kong, over port 12800. As expected of a RAT, MgBot is capable of keystroke logging, saving screenshots, manipulating files and folders, and controlling processes on the infected system.

The Android RATs associated with this APT group also communicate with C2 servers located in Hong Kong, using random port numbers. They are capable of geographically locating the infected phone; sending SMS messages; exfiltrating contacts, call logs, SMS messages and browsing history; recording audio via the phone’s microphone and recording screen activity.

How Does It Propagate?

The malware does not contain the code necessary to self-propagate. The attack vector used in these campaigns is malicious Word documents attached to spear phishing emails, which rely on social engineering to compromise the targeted users.

When/How Did BluVector Detect It?

The 14 publicly available samples associated with these campaigns consist of malicious Word documents, the Windows RAT MgBot and an Android RAT. BluVector’s patented Machine Learning Engine (MLE) detected all of these diverse samples. Regression testing has shown that all samples, including those first seen in the wild as early as 2017, would have been detected an average of 34 months prior to their release.