A China-linked hacking group has been using new malware and new techniques in attacks targeting military and aerospace organisations in Russia and Belarus.
In July 2016, the security firm Proofpoint reported that the threat actor had been using the PlugX RAT and NetTraveler to target Russia and neighbouring countries. Researchers now reveal that, at around the same time, the group began using a new downloader, dubbed ZeroT, and Microsoft Compiled HTML Help (.chm) files to deliver PlugX.
The attackers sent victims .chm files containing an HTM file and an executable. When the help file is opened, Russian-language text is displayed and the Windows User Account Control (UAC) feature prompts the victim to allow an “unknown program” to run. If the user selects “Yes,” the ZeroT downloader is dropped onto the system.
As in the earlier attacks, the APT actor also used specially crafted Word documents created with an exploit generator called MNKit. This Office exploit generator has allowed researchers to identify connections between different groups believed to be operating out of China.
The emails and files used as bait often referenced the Commonwealth of Independent States (CIS), an alliance of former Soviet Union countries, as well as Russian government programs and Russia’s defense industry.
The threat group also used self-extracting RAR archives to deliver ZeroT. Many of these archives included an executable named “Go.exe,” which abuses the Windows Event Viewer tool to bypass UAC.
Once it infects a system, ZeroT contacts its command and control (C&C) server and uploads information about the infected host. It then downloads a previously known variant of the PlugX RAT, either directly as a non-encoded PE payload or as a Bitmap (.bmp) image file that uses steganography to hide the malware.
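As an added defender-side example (not from the Proofpoint report and not ZeroT's own code), the Python below triages a download that arrived under a .bmp name: it flags a raw PE delivered as an image, a bitmap whose declared size disagrees with the actual file, and a PE header embedded after the image data. The bitmap and PE stub are constructed for illustration; the checks are generic heuristics and will not catch pixel-level steganography such as LSB encoding.

```python
import struct

def looks_like_pe(data: bytes, offset: int = 0) -> bool:
    """True if data[offset:] starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    hdr = data[offset:offset + 0x40]
    if len(hdr) < 0x40 or hdr[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
    return data[offset + e_lfanew:offset + e_lfanew + 4] == b"PE\0\0"

def find_embedded_pe(data: bytes) -> int:
    """Offset of the first valid-looking PE header anywhere in data, or -1."""
    pos = data.find(b"MZ")
    while pos != -1:
        if looks_like_pe(data, pos):
            return pos
        pos = data.find(b"MZ", pos + 1)
    return -1

def bmp_findings(data: bytes) -> list:
    """Heuristic checks for a file that claims to be a bitmap; empty list means nothing odd."""
    if looks_like_pe(data):
        return ["file is a raw PE executable, not a bitmap"]
    if len(data) < 14 or data[:2] != b"BM":
        return ["missing 'BM' magic"]
    declared = struct.unpack_from("<I", data, 2)[0]      # bfSize: total file size per header
    pixel_off = struct.unpack_from("<I", data, 10)[0]    # bfOffBits: start of pixel data
    findings = []
    if declared != len(data):
        findings.append(f"declared size {declared} != actual size {len(data)} (trailing data?)")
    if pixel_off > len(data):
        findings.append("pixel data offset lies beyond end of file")
    pe_at = find_embedded_pe(data)
    if pe_at != -1:
        findings.append(f"embedded PE header at offset {pe_at}")
    return findings

def make_sample_bmp() -> bytes:
    """Constructed 1x1 24-bit bitmap (14-byte file header + 40-byte info header + one row)."""
    pixels = b"\x00\x00\xff\x00"  # one blue pixel plus row padding to 4 bytes
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(info)) + info + pixels

# Constructed minimal DOS/PE stub: 'MZ', e_lfanew at 0x3C pointing to 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    print(bmp_findings(make_sample_bmp()))            # []
    print(bmp_findings(make_sample_bmp() + FAKE_PE))  # size mismatch + embedded PE at 58
    print(bmp_findings(FAKE_PE))                      # raw PE, not a bitmap
```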