Chinese-linked hacking group gets crafty to avoid detection

Over the last several months, Chinese-linked hackers have been targeting a Southeast Asian government using simple spearphishing emails and hundreds of malicious documents with a focus on consistently changing their tactics to avoid detection, according to Check Point research.

The most noteworthy part of the hackers’ months-long campaign is their perpetually changing tactics, according to Michael Abramzon, the cyber research team lead at Check Point. While watching the group over the last seven months, it has been consistently able to install PowerShell-based backdoors onto victim machines via spearphishing emails laced with malicious documents.

The group, known as Rancor group, used different delivery methods and payloads in order to do so every couple of months. In December, the group was sending documents to victims containing a macro code that eventually downloaded a malicious installer (an MSI payload) from the group’s server, which then installed a PowerShell script. But between January and March, the group started sending a new kind of malicious macro and omitted the MSI payload, while still installing a PowerShell backdoor.

Over time, the hackers also began installing a Chrome.js file to mimic a Google Chrome update to confuse victims into thinking files they clicked were normal. They have also dropped an Avast Antivirus executable to further disguise their activities.

The group, which Check Point believes is of Chinese origin and has been active since at least 2017, has targeted five government agencies, Abramzon said. The attackers were able incentivize their targets to click and download malicious payloads by spoofing legitimate emails from embassies or other government entities, using lures that appear to concern legitimate government business.

They have “made it harder to connect the dots,” by “spoofing emails that look like other legitimate government organizations,” Abramzon said.

Abramzon would not reveal which government is the target.

Attribution clues

Check Point assesses that the hackers are likely Chinese because the metadata for some of the malicious documents contain Chinese language artifacts. Additionally, the campaign wasn’t active during this year’s Chinese New Year and Spring Festival.

Researchers also point out the command and control servers used in the attacks were only available during hours that are working hours in countries located in Asia.

But exactly what the hackers’ motives are remains unclear; researchers don’t have visibility into their goals because they don’t have visibility into the operation beyond the first few payloads and backdoors that get downloaded onto victim machines.

“This is the first stage of getting … inside the machine,” Abramzon clarified. “At this point [hackers] have access to the machine.”

Some clues about the attackers’ ultimate aims may lie in the infrastructure the perpetrators have used. Abramzon says the infrastructure used in their attacks and in this particular campaign have a strong connection.

Palo Alto Networks’ research group, Unit 42, has previously assessed Rancor likely conducts espionage for political purposes against Southeast Asian targets.

As far as infrastructure connection goes, these attacks in the last year are connected to Rancor group via multiple DNS hops, according to Check Point. The PowerShell code used in these attacks is also linked with a known command and control IP address used by the Rancor group.

“We had actually multiple connections in the infrastructure. This … is a relatively strong connection,” Abramzon said.

Just as in this campaign exposed by Check Point, Rancor has traditionally used politically-oriented lures to trick victims into clicking on malicious documents. Likely Rancor targets in the past have included political targets in Cambodia and Singapore, according to Palo Alto Networks.