In July 2020 we observed an APT campaign that targeted India and Hong Kong using a new variant of the MgBot malware. In this campaign, the actor used several advanced TTPs to perform its operations, such as:
- Squiblydoo: using regsvr32.dll to load a COM scriptlet directly from the Internet and execute it to bypass application whitelisting.
- UAC bypass through the use of the CMSTPLUA COM interface.
- File download using CertUtil.
- Process injection through the use of the Application Management (AppMgmt) Service on Windows.
- Execution through Module Load (using a dropped variant of rundll32.exe to execute the payloads).
Our research into this campaign led us to uncover a new Chinese APT group that we believe has been active since at least 2014. Based on the contents of the document used by this campaign, which are aligned with Chinese government interests, we believe it is likely that this actor is being sponsored by the government of China.
This group is capable of using different techniques to initiate its attacks. We observed that the actor has used malicious documents weaponized with macros or DDE to target victims. The group has also used vulnerabilities in Microsoft Office
and VBScript engine (CVE-2012-0158 and CVE-2018-8174) to perform its attack. This APT group is capable of developing its own malware, such as MgBot, as well as using commercial tools like CobaltStrike in its attacks. We also have identified that this group has developed an Android
RAT called Ksremote to target mobile users.
In this talk we will provide more details about the activities of this APT group, including its campaigns, toolsets, TTPs and the infrastructure used by this actor.