Chinese cybercriminals spent three years creating a new backdoor to spy on governments

The new tool has been used in ongoing cyberespionage activities.
Written by Charlie Osborne, Contributing Writer

A new backdoor used in ongoing cyberespionage campaigns has been connected to Chinese threat actors. 

On Thursday, Check Point Research (CPR) said that the backdoor has been designed, developed, tested, and deployed over the past three years in order to compromise the systems of a Southeast Asian government's Ministry of Foreign Affairs. 

The Windows-based malware's infection chain began with spear phishing messages, impersonating other departments in the same government, in which members of staff were targeted with weaponized, official-looking documents sent via email. 


If victims open the files, remote .RTF templates are pulled and a version of Royal Road, an RTF weaponizer, is deployed. 

The tool works by exploiting a set of vulnerabilities in Microsoft Word's Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802). 

CPR says that Royal Road is "especially popular with Chinese [advanced persistent threat] APT groups."

The RTF document contains shellcode and an encrypted payload designed to create a scheduled task and to launch time-scanning anti-sandboxing techniques, as well as a downloader for the final backdoor

Dubbed "VictoryDll_x86.dll," the backdoor has been developed to contain a number of functions suitable for spying and the exfiltration of data to a command-and-control server (C2). 

These include the read/write and deletion of files; harvesting OS, process, registry key and services information, the ability to run commands through cmd.exe, screen grabbing, creating or terminating processes, obtaining the titles of top-level windows, and the option to close down PCs. 

The backdoor connects to a C2 to pass along stolen data and this server may also be used to grab and execute additional malware payloads. First stage C2s are hosted in Hong Kong and Malaysia, while the backdoor C2 server is hosted by a US provider. 

CPR believes it is likely that the backdoor is the work of Chinese threat actors due to its limited operational schedule -- 1.00 am -- 8.00 am UTC -- the use of Royal Road, and due to test versions of the backdoor, uploaded to VirusTotal in 2018, which contained connectivity checks with Baidu's web address. 

"We learned that the attackers are not only interested in cold data, but also what is happening on a target's personal computer at any moment, resulting in live espionage," commented Lotem Finkelsteen, head of threat intelligence at CPR. "Although we were able to block the surveillance operation for the Southeast Asian government described, it's possible that the threat group is using its new cyberespionage weapon on other targets around the world."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards