Chinese Threat Actor Uses New MgBot Variant in Attacks on India, Hong Kong

A Chinese threat actor was observed earlier this month targeting victims in India and Hong Kong with a new variant of the MgBot malware, Malwarebytes reports.

The attack was initially observed on July 2, in the form of an archive containing a document that purported to come from the Indian government. The document was designed to load a malicious template, which in turn loaded a Cobalt Strike variant.

The next day, the same template was observed dropping the MgBot loader instead, and Malwarebytes' security researchers saw the loader abuse the Windows Application Management (AppMgmt) service to execute and inject the final payload.

Several days later, the same payload was being delivered via an archive containing a document featuring a statement that British Prime Minister Boris Johnson made about Hong Kong.

These documents, Malwarebytes says, are likely authored by a Chinese state-sponsored actor active since at least 2014, and are representative of the ongoing tensions between China and India, as well as China and Hong Kong.

The first of the attacks, likely carried out through phishing emails, abuses the dynamic data exchange (DDE) protocol to run commands encoded within the malicious document. The injected payload is a variant of Cobalt Strike.

The second attack swaps in a different final payload and changes some of the techniques used to load malicious scripts, but still relies on templates for malware injection. Its payload, also used in the third attack, is the MgBot loader, which is designed to drop and execute the final payload.
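Both lures described above rely on document features that can be found without opening the file in Word: a remote template is an attachedTemplate relationship with TargetMode="External", and a DDE launch is a field code beginning with DDE or DDEAUTO. The following scanner is an added example written for this article, not code from Malwarebytes or from the campaign; it builds a constructed, harmless .docx inline (the template URL http://example.invalid/template.dotm and the field contents are hypothetical) and checks it for both indicators. It joins instrText runs per field so that a code split across runs (a common evasion) is still caught.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

# Hypothetical URL, used only by the constructed sample document below.
SAMPLE_TEMPLATE_URL = "http://example.invalid/template.dotm"


def _field_codes(root):
    """Collect Word field codes, joining the instrText runs that make up one field.

    Only the joined code is inspected, so 'DDE' split across runs is still seen.
    """
    codes, current = [], None
    for el in root.iter():
        if el.tag == "{%s}fldChar" % W_NS:
            kind = el.get("{%s}fldCharType" % W_NS)
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                codes.append("".join(current).strip())
                current = None
        elif el.tag == "{%s}instrText" % W_NS and current is not None:
            current.append(el.text or "")
        elif el.tag == "{%s}fldSimple" % W_NS:
            codes.append(el.get("{%s}instr" % W_NS, "").strip())
    return codes


def scan_docx(data: bytes) -> dict:
    """Return external attachedTemplate targets and DDE field codes found in a .docx."""
    findings = {"remote_templates": [], "dde_fields": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                # Relationship parts: an external attachedTemplate is remote template injection
                root = ET.fromstring(z.read(name))
                for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                    if (rel.get("Type") == ATTACHED_TEMPLATE
                            and rel.get("TargetMode") == "External"):
                        findings["remote_templates"].append(rel.get("Target"))
            elif name.startswith("word/") and name.endswith(".xml"):
                # Document parts: look for DDE / DDEAUTO field codes
                root = ET.fromstring(z.read(name))
                for code in _field_codes(root):
                    if DDE_FIELD.search(code):
                        findings["dde_fields"].append(code)
    return findings


def build_sample_docx(with_dde=True, with_remote_template=True) -> bytes:
    """Constructed minimal .docx for this demo; not a real sample from the campaign."""
    if with_dde:
        field = ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                 '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
                 '<w:r><w:instrText xml:space="preserve">AUTO C:\\Windows\\System32\\cmd.exe '
                 '"/c calc.exe" </w:instrText></w:r>'
                 '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
                 '<w:r><w:t>Loading...</w:t></w:r>'
                 '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    else:
        field = '<w:r><w:t>Plain paragraph</w:t></w:r>'
    document_xml = ('<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
                    % (W_NS, field))
    settings_xml = ('<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>'
                    % (W_NS, OFFICE_REL_NS,
                       '<w:attachedTemplate r:id="rId1"/>' if with_remote_template else ""))
    rel = ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
           % (ATTACHED_TEMPLATE, SAMPLE_TEMPLATE_URL)) if with_remote_template else ""
    settings_rels = '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, rel)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/settings.xml", settings_xml)
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample_docx()))
```

Run it on a real attachment with scan_docx(open(path, "rb").read()); an empty result does not prove the file is clean (macros, OLE objects and .doc binaries are outside this check), but either finding is a strong reason to detonate the file in a sandbox rather than open it.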

The MgBot loader masquerades as a Realtek Audio Manager tool, escalates privileges through a UAC bypass technique, and employs anti-analysis and anti-virtualization checks. It also rewrites its own code sections at runtime, to hinder static analysis of the on-disk file.

The loader drops its payload as a DLL and executes it by running the net start AppMgmt command, so the service loads the dropped DLL. It then creates a .cmd file and runs it to delete both the loader and the .cmd file from the victim's system.

“We were able to identify several different variants of this loader. In general, all the variants drop the final payload using expand.exe or extrac32.exe and then use ‘net start AppMgmt’ or ‘net start StiSvc’ to execute the dropped DLL,” Malwarebytes notes.
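The two steps quoted above (extraction with expand.exe or extrac32.exe, then a service start through net.exe) both run as child processes of the loader, which makes them a good pair to correlate in process-creation telemetry such as Sysmon event ID 1. The detector below is an added example written for this article, not Malwarebytes' code; the events are constructed for the demo (the loader and DLL names, PIDs and timestamps are hypothetical), and the two-minute correlation window is an assumption. A service start preceded by a dropper under the same parent is reported as high severity; a bare net start of AppMgmt or StiSvc is reported as medium, since neither service is commonly started by hand.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Loader behaviour described in the article: extract the DLL with expand.exe or
# extrac32.exe, then trigger it with "net start AppMgmt" or "net start StiSvc".
DROPPERS = {"expand.exe", "extrac32.exe"}
NET_TOOLS = {"net.exe", "net1.exe"}
NET_START = re.compile(r"\bstart\s+(appmgmt|stisvc)\b", re.IGNORECASE)
WINDOW = timedelta(minutes=2)  # assumption: both steps happen within two minutes


def _basename(image: str) -> str:
    return ntpath.basename(image).lower()


def detect(events, window=WINDOW):
    """Correlate process-creation events (dicts with time, pid, ppid, image, cmdline).

    Returns alerts: 'high' when a dropper ran under the same parent shortly before
    the service start, 'medium' for the service start on its own.
    """
    drops_by_parent = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        name = _basename(ev["image"])
        if name in DROPPERS:
            drops_by_parent.setdefault(ev["ppid"], []).append(ev)
            continue
        if name not in NET_TOOLS:
            continue
        m = NET_START.search(ev["cmdline"])
        if not m:
            continue
        recent = [d for d in drops_by_parent.get(ev["ppid"], [])
                  if timedelta(0) <= ev["time"] - d["time"] <= window]
        alert = {"service": m.group(1), "parent_pid": ev["ppid"],
                 "trigger": ev["cmdline"], "time": ev["time"]}
        if recent:
            alert["severity"] = "high"
            alert["dropper"] = recent[-1]["cmdline"]
        else:
            alert["severity"] = "medium"
        alerts.append(alert)
    return alerts


T0 = datetime(2020, 7, 3, 9, 30, 0)
# Constructed sample telemetry; file names and PIDs are hypothetical.
SAMPLE_EVENTS = [
    # loader (pid 4120) extracts a DLL, then starts AppMgmt to run it
    {"time": T0, "pid": 4120, "ppid": 3900,
     "image": r"C:\Users\user\AppData\Local\Temp\loader.exe", "cmdline": "loader.exe"},
    {"time": T0 + timedelta(seconds=5), "pid": 4132, "ppid": 4120,
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe C:\Users\user\AppData\Local\Temp\payload.tmp C:\ProgramData\payload.dll"},
    {"time": T0 + timedelta(seconds=9), "pid": 4140, "ppid": 4120,
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net start AppMgmt"},
    # a legitimate installer using expand.exe with no service start afterwards
    {"time": T0 + timedelta(minutes=5), "pid": 5000, "ppid": 4990,
     "image": r"C:\Windows\System32\expand.exe",
     "cmdline": r"expand.exe -F:* driver.cab C:\Temp\drv"},
    # an administrator starting the scanner service by hand from a console
    {"time": T0 + timedelta(minutes=10), "pid": 6100, "ppid": 6000,
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net start StiSvc"},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a["severity"], a["service"], a["trigger"])
```

The same correlation is easy to express as a Sigma or EDR query (two child processes of one parent, ordered in time); keying on the parent PID rather than the service name alone is what keeps the benign expand.exe in the sample from firing.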

The dropped payload poses as a Video Team Desktop App and carries a creation timestamp of April 2018, although the threat actor appears to have tampered with the creation timestamps. The file can also pose as a legitimate service, and it uses anti-debugging and anti-virtualization techniques.

The security researchers say the malware has remote access Trojan (RAT) capabilities, which its operators can leverage for logging keystrokes, taking screenshots, manipulating files and folders, manipulating processes, creating mutexes, and communicating with the command and control (C&C) server over TCP.

The threat actor uses several IP addresses to host payloads and C&C servers, with most of these located in Hong Kong. Malwarebytes believes that the threat actor used IP addresses in Hong Kong in previous campaigns as well.

The researchers also identified malicious Android apps used by the same actor, including a RAT capable of recording the screen and audio, locating the device, stealing user data (contacts, call logs, SMS messages, web history), and sending SMS messages.

The tactics, techniques and procedures (TTPs) used in these attacks have previously been associated with Chinese threat actors such as Rancor, KeyBoy and APT40, and Malwarebytes believes the new attacks are the work of a Chinese APT that has used a variant of MgBot in all of its previous campaigns.

Related: Chinese Hackers Target Air-Gapped Military Networks

Related: China-linked APT Hackers Launch Coronavirus-Themed Attacks

Ionut Arghire is an international correspondent for SecurityWeek.
