Chinese cyberespionage campaign uses new backdoor. Necro bot gains new abilities. More TeamTNT activity.

At a glance.

  • Chinese cyberespionage campaign uses new backdoor.
  • Necro bot gains new abilities.
  • More TeamTNT activity.
  • Google ads abused to deliver malware.

Chinese cyberespionage campaign uses new backdoor.

Check Point is tracking a Chinese cyberespionage campaign targeting a Southeast Asian government with a newly observed Windows backdoor. The campaign has been running for more than three years, and uses spearphishing documents created with the RoyalRoad RTF builder. The researchers note, “Searching for files similar to the final backdoor in the wild, we encountered a set of files that were submitted to VirusTotal in 2018. The files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain.”

Check Point cites the following evidence to tie the activity to a Chinese threat actor with “medium to high confidence”:

  • “The RoyalRoad RTF exploit building kit mentioned above, has been reported by numerous researchers as a tool of choice among Chinese APT groups.
  • “The C&C servers returned payloads only between 01:00 – 08:00 UTC, which we believe are the working hours in the attackers’ country, therefore the range of possible origins of this attack is limited.
  • “The C&C servers did not return any payload (even during working hours), specifically the period between May 1st and 5th – this was when the Labor Day holidays in China took place.
  • “Some test versions of the backdoor contained internet connectivity check with www.baidu.com – a leading Chinese website.
  • “Some test versions of the backdoor from 2018 were uploaded to VirusTotal from China.”

Check Point adds, “While we could identify overlaps in TTPs with multiple Chinese APT groups, we have been unable to attribute this set of activities to any known group.”

Necro bot gains new abilities.

Cisco Talos says the Necro Python bot now has the ability to exploit vulnerabilities in “more than ten different web applications and the SMB protocol.” It can also now mine Tezos cryptocurrency in addition to Monero:

“Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot. This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.

“Here, we are dealing with a self-replicating, polymorphic bot that attempts to exploit server-side software for spreading. The bot is similar to others, like Mirai, in that it targets small and home office (SOHO) routers. However, this bot uses Python to support multiple platforms, rather than downloading a binary specifically compiled for the targeted system.”

More TeamTNT activity.

Palo Alto Networks’ Unit 42 has found that the cybercriminal group TeamTNT is scraping AWS IAM and Google Cloud credentials, though the group is still primarily focused on cryptomining:

“The presence of Google Cloud credentials being targeted for collections represents the first known instance of an attacker group targeting IAM credentials on compromised cloud instances outside of AWS. While it is still possible that Microsoft Azure, Alibaba Cloud, Oracle Cloud or IBM Cloud IAM credentials could be targeted using similar methods, Unit 42 researchers have yet to find evidence of credentials from these cloud service providers (CSPs) being targeted. TeamTNT first started collecting AWS credentials on cloud instances they had compromised as early as August 2020.

“In addition to the targeting of 16 application credentials from cloud applications and platforms, TeamTNT has added the usage of the open-source Kubernetes and cloud penetration toolset Peirates to their reconnaissance operations. With these techniques available, TeamTNT actors are increasingly more capable of gathering enough information in target AWS and Google Cloud environments to perform additional post-exploitation operations. This could lead to more cases of lateral movement and potential privilege escalation attacks that could ultimately allow TeamTNT actors to acquire administrative access to an organization’s entire cloud environment.”

Google ads abused to deliver malware.

Morphisec says attackers are using Google pay-per-click ads to link to malicious packages for AnyDesk, Dropbox, and Telegram. The packages will install the Redline, mini-Redline, or Taurus infostealers. The researchers observe that the campaign would have been expensive to run, stating, “Google Adwords data between May 2020 and April 2021 shows a bid price of between $0.42 and $3.97 for the two keywords ‘anydesk’ and ‘anydesk download.’ Assuming a click-through rate of 1,000 people, this could result in fees anywhere from $420 to $3,970 for even a small campaign that targets the United States, for example.”