Description

According to Kaspersky researchers, a series of attacks launched in January 2022 backdoored government entities and defense industry organizations in several Eastern European countries using new Windows malware. Security researchers attributed these attacks to a Chinese APT group tracked as TA428, which targets Asian and Eastern European organizations with information theft and cyber espionage attacks. Researchers said these attacks targeted industrial plants, design bureaus, research institutes, government agencies, and ministries in several Eastern European countries (Belarus, Russia, and Ukraine), as well as Afghanistan. Information obtained while investigating these incidents indicates that cyber espionage was the objective. The attackers successfully compromised the networks of several targets and, in some cases, took control of their entire IT infrastructure.

It is reported that the Chinese cyberspies used spear phishing emails containing confidential information about the targeted companies, with malicious attachments exploiting the CVE-2017-11882 Microsoft Office vulnerability to drop the new PortDoor malware. This new backdoor enables the attackers to collect and steal system information and files from infected systems. In these attacks, the threat group also installed additional malware associated with TA428 (i.e., nccTrojan, Logtu, Cotx, and DNSep), along with a previously unidentified malware strain called CotSam, which was delivered together with a vulnerable version of Microsoft Word (Microsoft Word 2007 on 32-bit systems and Microsoft Word 2010 on 64-bit systems). Furthermore, the Chinese threat actor gained domain privileges and harvested confidential data by moving laterally through the victims' enterprise networks using tools such as the Ladon hacking utility (popular among Chinese threat actors), which can scan networks, find vulnerabilities, and attack passwords.

Finally, the attackers sent the stolen data, packed into encrypted and password-protected ZIP archives, to command-and-control servers located in different countries; these first-stage C2 servers then forwarded all of the stolen data to a second-stage C2 server located in China.