An uptick in the spread of a new MgBot malware variant across India and Hong Kong is being laid at the feet of a suspected Chinese advanced persistent threat (APT) group.
According to Malwarebytes researchers Hossein Jazi and Jérôme Segura, the theme of phishing documents used to drop the malware, relating to tensions in Hong Kong and China, indicates that a Chinese cyberattack group -- active since 2014 -- is likely to blame.
In a blog post on Tuesday, the cybersecurity researchers said an archive file with a document masquerading as communication from the government of India was spotted on July 2.
The phishing document originally dropped a variant of Cobalt Strike, a legitimate penetration testing tool that can be abused by threat actors. However, on the same day, the template was changed to drop a loader for MgBot, a Remote Access Trojan (RAT).
On July 5, additional phishing documents laden with MgBot were found that weaponized statements from the UK Prime Minister, Boris Johnson, concerning the current political situation between China and Hong Kong.
It is believed that the RAT is being deployed via spear phishing emails and is used in targeted attacks against political entities and individuals.
"The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China," the team says.
If a victim downloads the phishing document and enables macros, the payload is deployed and executes, disguising itself as a Realtek Audio Manager tool. The final payload is dropped via the Application Management (AppMgmt) Service on Windows.
MgBot is able to link up to a command-and-control (C2) server to transfer stolen device data, take screenshots, log keys, kill, disable, and create processes, create Mutex resource restrictions, and use persistence mechanisms.
The malware's authors have also attempted to stop the malicious code from being analyzed through the implementation of anti-analysis and anti-virtualization methods. These include the self-modification of code, checks for existing antivirus products, and scans for virtualized environments such as VirtualBox. If a sandbox is detected, MgBot does not perform any malicious activity.
The C2 servers and IP addresses connected to the malware are almost all based in Hong Kong. Coding in simplified Chinese suggests the malware is the work of Chinese-language speakers.
During an examination of the C2, Malwarebytes also came across several malicious Android APKs that are thought to be part of the APT's toolkit. The apps contain an embedded Trojan able to record smartphone screens and audio, grab a phone's location via GPS data theft, steal phone contacts, call logs, SMS messages and web history, as well as send SMS messages without permission.
While there are a number of prolific Chinese APTs currently in play, Malwarebytes believes the group responsible for this wave of attacks is separate from others such as Rancor or APT40, as the APT has always used a variant of MgBot in every campaign that has been tracked -- at least, so far.
Previous attacks attributed to this group have used MgBot disguised as an MP3 encoder library and the exploitation of a VBScript vulnerability to drop the malware onto vulnerable machines.
"Considering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor," Malwarebytes says. "Considering these factors we attribute this APT attack with moderate confidence to a new Chinese APT group."
In related news, on Wednesday Cisco Talos researchers published a paper describing the antics of Prometei, a botnet that is only four months old. The malware is using old Microsoft Windows SMB vulnerabilities to break into machines and set up shop as a Monero (XMR) cryptocurrency miner.