At a glance.
- Chinese threat actor targets Nepal, the Philippines, and Taiwan.
- SideCopy goes after Indian entities.
- New malware delivery technique.
- New Trojan can livestream victim's screen.
Chinese threat actor targets Nepal, the Philippines, and Taiwan.
Recorded Future's Insikt Group is tracking a suspected Chinese government threat actor that's "targeting telecommunications, academia, research and development, and government organizations in Nepal, the Philippines, Taiwan, and more historically, Hong Kong." Specifically, the campaign targeted the Industrial Technology Research Institute (ITRI) in Taiwan, Nepal Telecom, and the Department of Information and Communications Technology in the Philippines. The researchers emphasize the significance of targeting the ITRI:
"In particular, the targeting of the ITRI is notable due to its role as a technology research and development institution that has set up and incubated multiple Taiwanese technology firms. According to the ITRI’s website, the organization is particularly focused on research and development projects related to smart living, quality health, sustainable environment, and technology, many of which map to development priorities under China’s 14th 5-year plan, previously highlighted by Insikt Group as likely areas of future Chinese economic espionage efforts. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs."
SideCopy goes after Indian entities.
Cisco Talos is watching a campaign by the SideCopy APT targeting Indian government personnel. The threat actor, whose activity resembles that of Transparent Tribe (APT36), has incorporated new custom and commodity malware into its operations:
"Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT.
"Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains.
"Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections."
New malware delivery technique.
McAfee has observed Zloader being delivered via Word documents that don't contain any malicious code themselves. Instead, the Word document downloads a password-protected Excel document and, once both files are on disk, writes a malicious macro into the Excel file:
"The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document.
"After downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions.
"Once the macros are written and ready, the Word document sets the policy in the registry to Disable Excel Macro Warning and invokes the malicious macro function from the Excel file. The Excel file now downloads the Zloader payload. The Zloader payload is then executed using rundll32.exe."
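The chain McAfee describes (Word spawning Excel, the macro-security policy being rewritten from within an Office process, Excel launching rundll32.exe) expressed as detection logic, as an added example that is not part of McAfee's report. The events are constructed Sysmon-style records, and the registry value names (AccessVBOM, which lets VBA write to another file's VBA project, and VBAWarnings, which controls the macro prompt) are assumptions, since the article does not name the values Zloader changes.

```python
import re

# Constructed Sysmon-style events (not from the article), reduced to the fields the rules use.
# id 1 = process creation, id 13 = registry value set.
OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": OFFICE_DIR + r"\WINWORD.EXE", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4188, "image": OFFICE_DIR + r"\EXCEL.EXE", "parent": OFFICE_DIR + r"\WINWORD.EXE"},
    {"id": 13, "pid": 4120, "image": OFFICE_DIR + r"\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Excel\Security\AccessVBOM",
     "details": "DWORD (0x00000001)"},
    {"id": 13, "pid": 4120, "image": OFFICE_DIR + r"\WINWORD.EXE",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings",
     "details": "DWORD (0x00000001)"},
    {"id": 1, "pid": 4200, "image": r"C:\Windows\System32\rundll32.exe", "parent": OFFICE_DIR + r"\EXCEL.EXE"},
    {"id": 1, "pid": 4300, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Assumed value names under the per-user Excel security key; AccessVBOM=1 trusts VBA project
# access and VBAWarnings=1 enables all macros without a prompt.
MACRO_SECURITY = re.compile(
    r"\\Software\\Microsoft\\Office\\[\d.]+\\Excel\\Security\\(AccessVBOM|VBAWarnings)$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) findings for the Word -> Excel -> rundll32 delivery chain."""
    findings = []
    for ev in events:
        img = basename(ev["image"])
        if ev["id"] == 13:
            m = MACRO_SECURITY.search(ev["target"])
            # An Office process lowering Excel's own macro security is the tell: users change
            # this through the Trust Center dialog, not from inside a running macro.
            if m and img in OFFICE_APPS and "0x00000001" in ev.get("details", ""):
                findings.append(("office_tampers_macro_security:" + m.group(1), ev["pid"]))
        elif ev["id"] == 1:
            parent = basename(ev["parent"])
            if img == "rundll32.exe" and parent in OFFICE_APPS:
                findings.append(("office_spawns_rundll32", ev["pid"]))
            elif img == "excel.exe" and parent == "winword.exe":
                findings.append(("word_spawns_excel", ev["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule} (pid {pid})")
```

On a real host the same rules run over Sysmon Event IDs 1 and 13 (or equivalent EDR telemetry); the registry rule alone is high signal, and the three findings chained on the same process tree reproduce the sequence McAfee describes.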
New Trojan can livestream victim's screen.
Trend Micro has spotted a new remote access Trojan dubbed "BIOPASS" that's targeting online gambling companies in China via watering-hole websites. The malware has all the usual capabilities of an information-stealing Trojan, but it can also livestream the victim's screen to the attacker:
"What makes BIOPASS RAT particularly interesting is that it can sniff its victim’s screen by abusing the framework of Open Broadcaster Software (OBS) Studio, a popular live streaming and video recording app, to establish live streaming to a cloud service via Real-Time Messaging Protocol (RTMP). In addition, the attack misuses the object storage service (OSS) of Alibaba Cloud (Aliyun) to host the BIOPASS RAT Python scripts as well as to store the exfiltrated data from victims.
"We consider BIOPASS RAT as still being actively developed. For example, some markers that we discovered during our analysis refer to different versions of RAT code, such as “V2” or “BPSV3”. Many of the loaders that we found were used to load Cobalt Strike shellcode by default instead of the BIOPASS RAT malware. Furthermore, BIOPASS RAT also creates scheduled tasks to load the Cobalt Strike shellcode during the initialization, indicating that the malicious actor behind the attack still heavily relies on Cobalt Strike."