A Chinese APT group recently targeted India and Hong Kong with a new malware family to steal sensitive and confidential data. The malware was detected on 2 July, and researchers report that the lure files were archives.
The archives contained documents crafted to look as if they came from the government of India, or that referred to the contested new security law in Hong Kong.
The campaign followed India's ban of 59 Chinese apps over privacy concerns, a decision taken after violent clashes on the India-China border. The lure documents used template injection: the document fetches a malicious remote template, which in turn carried a Cobalt Strike payload.
Payload Analysis: MgBot
The final payload is loaded by a new variant of the MgBot loader, which masquerades as a Realtek Audio Manager tool. MgBot embeds four resources, two of which are in Simplified Chinese.
Those two resources point to a Chinese-speaking APT group. MgBot applies anti-analysis and anti-virtualization techniques and is self-modifying: it rewrites its own code section while it runs.
The loader's sequence of API calls, in order, is:
- It calls CreateFileW to create iot7D6E.tmp in the %APPDATA%\Temp directory.
- Next, it calls WriteFile to write its content into that file.
- Then it calls CreateProcessInternalW to launch expand.exe, which decompresses the content of iot7D6E.tmp into ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat.
- Next, it calls CopyFileW to copy tmp.dat to pMsrvd.dll.
- After that, it calls DeleteFileW to delete tmp.dat.
- Then it drops DBEngin.EXE and WUAUCTL.EXE into the ProgramData\Microsoft\PlayReady directory.
- Lastly, it modifies the registry values under HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt to gain persistence.
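Each step above maps onto a host event that Sysmon already records, so the chain can be correlated rather than hunted file by file. The correlator below is an added example written for this page, not the researchers' detection logic; it also covers the CMSTP elevation step described further down. Event IDs and field names are Sysmon's (1 = ProcessCreate, 11 = FileCreate, 13 = RegistryValueSet). The sample events, the user name, the loader's file name, the ServiceDll value and the cmstp.exe command line are constructed, and treating the hex part of iot7D6E.tmp as variable is an assumption based on its GetTempFileName-like shape.

```python
import re

PLAYREADY_DIR = re.compile(r"\\ProgramData\\Microsoft\\PlayReady\\", re.IGNORECASE)
# Files the article says are staged or dropped under the PlayReady directory.
DROPPED_FILES = {"tmp.dat", "pmsrvd.dll", "dbengin.exe", "wuauctl.exe"}
# "iot7D6E.tmp" has the GetTempFileName shape (3-char prefix + 4 hex digits),
# so the suffix is matched as variable. Assumption, not stated by the article.
TEMP_STAGER = re.compile(r"\\Temp\\iot[0-9A-F]{4}\.tmp\b", re.IGNORECASE)
APPMGMT_KEY = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\AppMgmt(\\|$)", re.IGNORECASE)
# CMSTP UAC bypass: cmstp.exe fed an .inf from a user-writable path.
# The command-line shape is assumed; the article only names the technique.
USER_WRITABLE = re.compile(r"\\(Temp|AppData|ProgramData|Users)\\", re.IGNORECASE)
INF_ARG = re.compile(r"\.inf\b", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_expand_stager(ev):
    """expand.exe decompressing a Temp stager into the PlayReady directory."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "expand.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return bool(TEMP_STAGER.search(cmd) and PLAYREADY_DIR.search(cmd))


def rule_playready_drop(ev):
    """One of the named loader artefacts written under the PlayReady directory."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "")
    return bool(PLAYREADY_DIR.search(target)) and _basename(target) in DROPPED_FILES


def rule_appmgmt_persistence(ev):
    """Registry value written under the AppMgmt service key."""
    return ev.get("EventID") == 13 and bool(APPMGMT_KEY.match(ev.get("TargetObject", "")))


def rule_cmstp_elevation(ev):
    """cmstp.exe launched with an .inf from a user-writable path."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) != "cmstp.exe":
        return False
    cmd = ev.get("CommandLine", "")
    return bool(INF_ARG.search(cmd) and USER_WRITABLE.search(cmd))


RULES = {
    "expand_stager": rule_expand_stager,
    "playready_drop": rule_playready_drop,
    "appmgmt_persistence": rule_appmgmt_persistence,
    "cmstp_elevation": rule_cmstp_elevation,
}


def detect_mgbot_chain(events, min_stages=2):
    """Return the distinct chain stages seen and whether to alert.

    expand.exe and cmstp.exe are legitimate tools and PlayReady is a real
    Windows directory, so one stage alone is weak evidence; the alert needs
    at least min_stages distinct stages from the same host.
    """
    stages = {name for ev in events for name, rule in RULES.items() if rule(ev)}
    return {"stages": sorted(stages), "alert": len(stages) >= min_stages}


# Constructed telemetry mirroring the article's sequence (loader name assumed).
LOADER = r"C:\Users\alice\AppData\Local\Temp\RtkAudioManager.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": LOADER,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\iot7D6E.tmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r'expand.exe "C:\Users\alice\AppData\Local\Temp\iot7D6E.tmp" '
                    r'"C:\ProgramData\Microsoft\PlayReady\MSIBACF.tmp\tmp.dat"'},
    {"EventID": 11, "Image": LOADER,
     "TargetFilename": r"C:\ProgramData\Microsoft\PlayReady\pMsrvd.dll"},
    {"EventID": 11, "Image": LOADER,
     "TargetFilename": r"C:\ProgramData\Microsoft\PlayReady\DBEngin.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\iot.inf"},
    {"EventID": 13, "Image": LOADER,
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters\ServiceDll",
     "Details": r"C:\ProgramData\Microsoft\PlayReady\pMsrvd.dll"},
]

# Ordinary activity touching the same tool and directory; must not alert.
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\expand.exe",
     "CommandLine": r"expand.exe C:\Windows\Temp\driver.cab -F:* C:\Drivers"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft\PlayReady\mspr.hds"},
]

if __name__ == "__main__":
    print(detect_mgbot_chain(SAMPLE_EVENTS))   # four stages, alert True
    print(detect_mgbot_chain(BENIGN_EVENTS))   # no stages, alert False
```

The stage names are deliberately generic (stager, drop, persistence, elevation) so the same correlator keeps working when the temp-file name or DLL name changes between loader builds; only the constants at the top need updating.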
Hackers used Spear-Phishing to Install MgBot Malware
The threat actors delivered the malware through spear-phishing e-mails, using several variants of the lure. Three variants were identified:
- A “Mail security check” lure that delivers Cobalt Strike.
- A “Mail security check” lure that delivers MgBot.
- A “Boris Johnson Pledges to Admit 3 Million From Hong Kong” lure that delivers MgBot.
MgBot is a remote access trojan (RAT) with the following capabilities:
- C2 communication over TCP
- Screenshot capture
- File and directory management
- Process management
- Mutex creation
RAT Detected With Enhanced Capabilities
MgBot is attributed to a Chinese APT group. Its loader elevates privileges through a CMSTP UAC bypass before installing the final payload, and takes steps to evade debuggers and security tools.
An Android RAT found in the same investigation has the following capabilities:
- Records video and audio using the phone's camera and microphone.
- Obtains the phone's location coordinates.
- Steals phone contacts, call logs, SMS messages, and web history.
- Sends SMS messages.
During the investigation, additional malicious tools related to the Android app were found.
Researchers link this group's TTPs to activity dating back to 2014, with at least three earlier campaigns identified in 2014, 2018, and March 2020.