FortiGuard Labs, the research division of Fortinet, has uncovered a backdoor malware campaign targeting Chinese speakers. The attack uses a watering hole strategy: the malware is delivered through a compromised Chinese news site. Researchers believe the campaign is still in an experimental phase, since the attackers are deploying several different techniques and tools against end users.
“We first discovered this backdoor malware campaign in 2017, and over the years it has continued to upgrade its functionalities,” states a release from FortiGuard Labs.
The attackers exploit known vulnerabilities in WinRAR and in the handling of RTF files, tracked as CVE-2018-20250 and CVE-2017-11882 respectively. The biggest victim so far is the Chinese news website itself: the attackers gained control of its legitimate domain and have been using it to push backdoors onto the PCs of the site's readers.
If a visitor's computer is vulnerable, the WinRAR flaw (an absolute path traversal in WinRAR's ACE extraction code) is used to disguise an .ace archive as an ordinary .rar file; a second file, conf.exe, is extracted from it and executed to spread the infection. conf.exe carries the Sality trojan, which loads a malicious DLL capable of sending data to the attackers' server. “The Sality-infected backdoor payload is the same as the download qq.exe. We find that both the backdoor malware code and the Sality code are running when the malware is executed. We also observed the following connections when this sample runs, though we haven’t observed any further activities from the Sality C2 servers,” FortiGuard Labs noted.
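The disguise described above works because WinRAR decides how to unpack a file from its contents, not from its extension. The following triage script is an added example, not FortiGuard's or Fortinet's code: it identifies an archive by its magic bytes (the "Rar!" signature at offset 0 for RAR, the "**ACE**" string at offset 7 for ACE), flags .rar files that are really ACE archives, and scans the raw bytes for the path-traversal fragments that exploitation of CVE-2018-20250 relies on. The two sample archives embedded in it are constructed stubs, not real malware, and the traversal scan is a heuristic that does not parse ACE file headers.

```python
"""Triage helper: spot an ACE archive masquerading as a .rar file.

Added example, not FortiGuard's code. Magic bytes come from the public
RAR and ACE format layouts; the sample archives below are constructed
stubs, not real captured samples.
"""
import re

# ACE archives carry the literal "**ACE**" at offset 7 of the main header.
ACE_MAGIC = b"**ACE**"
ACE_MAGIC_OFFSET = 7
# RAR 4.x and RAR 5.x signatures, both at offset 0.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Heuristic: path-traversal fragments or drive-letter prefixes in the raw
# archive bytes, the kind of member-name abuse CVE-2018-20250 relies on.
TRAVERSAL = re.compile(rb"\.\.[\\/]|[A-Za-z]:[\\/]")


def identify(data: bytes) -> str:
    """Return the container format from the file header, not the extension."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC:
        return "ace"
    return "unknown"


def traversal_hints(data: bytes) -> list[str]:
    """Distinct traversal-looking fragments found anywhere in the raw bytes."""
    return sorted({m.group(0).decode("latin-1") for m in TRAVERSAL.finditer(data)})


def triage(filename: str, data: bytes) -> dict:
    """Flag files whose real format disagrees with their extension, and ACE
    archives that carry traversal fragments in their member names."""
    fmt = identify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    disguised = fmt == "ace" and ext != "ace"
    hints = traversal_hints(data) if fmt == "ace" else []
    return {
        "file": filename,
        "format": fmt,
        "extension": ext,
        "disguised_ace": disguised,
        "traversal_hints": hints,
        "suspicious": disguised or bool(hints),
    }


# Constructed samples (not real malware): a fake ACE header with the magic at
# offset 7 and a traversal-style member name, renamed to .rar; and a RAR5 stub.
SAMPLE_ACE_AS_RAR = (
    b"\x7a\x3e\x31\x00\x00\x00\x00" + ACE_MAGIC + b"\x00" * 8 + b"..\\..\\conf.exe"
)
SAMPLE_RAR5 = RAR5_MAGIC + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in (("news.rar", SAMPLE_ACE_AS_RAR), ("clean.rar", SAMPLE_RAR5)):
        print(triage(name, blob))
```

Run against a mail or download quarantine, a hit on "disguised_ace" alone is enough to pull a file for analysis: there is no legitimate reason for a .rar attachment to contain an ACE header. The traversal scan is a secondary signal and can produce false positives on compressed data, so treat it as a ranking aid rather than a verdict.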
Although the company has analyzed the malware's functionality and its C2 (command-and-control) servers, the trojan is still evolving: its authors keep adding new and more robust features aimed at improving its ability to steal information and data from victims.