Rewterz Threat Alert – Chinese APT Group Targets Southeast Asian Government

Severity

High

Analysis Summary

An ongoing surveillance operation has been identified targeting the Southeast Asian government. The attackers use spear-phishing to gain initial access and leverage old Microsoft Office vulnerabilities together with the chain of in-memory loaders to attempt and install a previously unknow backdoors on victim’s machine. The investigation shows the operation was carried out by a Chinese APT group that has been testing and refining the tools in its arsenal for at least 3 years. Analyzing the backdoor’s code evolution since its first appearance in the wild showed how it transformed from a single executable to a multi-stage attacks, making it harder to detect and investigate.

Impact

• Unauthorized Access
• Information Theft
• Code Execution

Indicators of Compromise

Filename

• Thông cáo báo chí Kỳ họp thứ nhất của Ủy ban Kiểm tra Trung ương khóa XIII[.]docx
• main[.]jpg
• 5[.]t

IP

• 45[.]91[.]225[.]139
• 107[.]148[.]165[.]151
• 45[.]121[.]146[.]88

MD5

• 1e9f1746c2dbea0df5017afdf8b94189
• d598749a8c86b1cdd313ff6c86626c86
• d843b58f31c687d22de09a6765b3ba3b
• 8bcea4940166222eff5c4ed897e5cccf
• 31565db2614bb5de2baf1a5c07771860
• 24448ffdb1a8ba9a9202a9c7178301c4
• fc51ba4706ac462d2fec8ba2be04dc1d
• 494a01d421997040de3583b3e08212a7
• f706f042c1953a9cea932d3cd770b2ad
• eff68f1096ae56ae94f439a8e5effe3d
• 0c60fd2da77df00a80c669496cb5467e
• 15ffce860b16959a369a6522bf47fa09
• 5214c519a69f7f0d14bb355cb711e868
• 6531661748e8d4533f5550b9f2997187
• 166e020accb40a0ea17fd2912ec02f19

SHA-256

• 6f66faf278b5e78992362060d6375dcc2006bcee29ccc19347db27a250f81bcd
• 0c346972a2ccebb2642ced34213f43595896da233f06f6251967517ae342908f
• d198c4d82eba42cc3ae512e4a1d4ce85ed92f3e5fdff5c248acd7b32bd46dc75
• 928f540c9658a458edc649371e178a7c83e2a9291f5b23ae326c3d64bfa902c6
• 4cc521b470d08c9684cd15ffac032accd50439b81873ee2d87897ab8c495744b
• 0e8fb748cd58ab2fa754e2fa16e4390327a10593ca72bb6a3b90a1885cbe5387
• 2d18300d1e8f56c340ed4d4b04e2dcbd6f3eb63436e9f95f2c2c07673a7647f9
• 674238469f6efd8a284c62df33d44734459dc66e7b0c223fd6a2fed97bc1c3a9
• 15d011ecee762c383f81930dad741426993910fd9939de1742f786a5aea2ba50
• a13b6aa6882e82860ff7b10ab6fe1a3d259aa63e9ed97239572a9a2ba16bc791
• b40476638c83b8800413cf1fe88e28c2486367b79d1ddae7eb1ddcfa75ceb0e3
• e1105e0aea484f5a3b37ff5143ba2d7be9d1eb17ef1da5c4725be0c415513289
• ec7237bc31b59204bd543b76677cd16007237cab6fbf22e266e1e3361849a4ba
• 0f7ff0a977d69421f1e06b5a44b5bdaeab2b15ee768127d200c1b5cc366e0968
• 5732cefa7ac96b2aa76ccd5849bbc1e47cb3e76c0d44f8491c47b1b1793604b4

SHA1

• f9d958c537b097d45b4fca83048567a52bb597bf
• 417e4274771a9614d49493157761c12e54060588
• 176a0468dd70abe199483f1af287e5c5e2179b8c
• aa5458bdfefe2a97611bb0fd9cf155a06f88ef5d
• 4da26e656ef5554fac83d1e02105fad0d1bd7979
• f8088c15f9ea2a1e167d5fa24b65ec356939ba91
• 0726e56885478357de3dce13efff40bfba53ddc2
• 7855a30e933e2b5c3db3661075c065af2e40b94e
• 696a4df81337e7ecd0ea01ae92d8af3d13855c12
• abaaab07985add1771da0c086553fef3974cf742
• 7a38ae6df845def6f28a4826290f1726772b247e
• e16b08947cc772edf36d97403276b14a5ac966d0
• c81ba6c37bc5c9b2cacf0dc53b3105329e6c2ecc
• a96dfbad7d02b7c0e4a0244df30e11f6f6370dde
• 6f5315f9dd0db860c18018a961f7929bec642918

Remediation

• Block all threat indicators at their respective controls.
• Look for IOCs in your environment.