Chinese hackers have launched a new campaign that uses malware and Trojans to target Indian government websites and individuals in Hong Kong. The campaign began roughly a week after the controversial national security law took effect in Hong Kong and after India banned 59 Chinese apps following a border clash between the two countries.
According to Malwarebytes researchers Hossein Jazi and Jérôme Segura, the themes of the phishing documents used to drop the malware, which relate to tensions between Hong Kong and China, point to a Chinese cyberattack group that has been active since 2014. Within a day of the campaign's start, the actor switched its payload from Cobalt Strike, a legitimate penetration-testing toolkit, to MgBot, a Remote Access Trojan (RAT).
“The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China,” the researchers wrote.
The attackers relied mostly on spear-phishing emails to trick recipients into opening a malicious document. If the victim opens the file and enables macros, the payload is dropped and executed, disguised as the Realtek Audio Manager tool. The final payload is delivered through the Application Management (AppMgmt) service on Windows. MgBot then connects to a command-and-control (C2) server located in Hong Kong and can exfiltrate device information, take screenshots, log keystrokes, kill, disable and create processes, and establishes persistence on the host.
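As an added example (not code from the Malwarebytes report), the following Python audit checks whether the AppMgmt service still points at its legitimate module. It assumes the abuse takes the common form of repointing the service's ServiceDll at an attacker-controlled DLL, that %SystemRoot% is C:\Windows, and that appmgmts.dll in System32 is the legitimate module; the sample snapshots and the hijacked DLL path are constructed placeholders, not indicators from the campaign.

```python
# Added example: audit the Application Management (AppMgmt) service for a hijacked
# ServiceDll. Not code from the report. Assumes %SystemRoot% == C:\Windows and that
# System32\appmgmts.dll is the legitimate module (true on stock Windows installs).
import re
import sys

SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\AppMgmt"
LEGIT_DLL = r"c:\windows\system32\appmgmts.dll"
SVCHOST = r"c:\windows\system32\svchost.exe"
SYSTEM32 = "c:\\windows\\system32\\"


def _normalise(value: str) -> str:
    """Expand %SystemRoot% (assumed C:\\Windows), strip quotes and fold case."""
    v = value.strip().strip('"')
    v = re.sub("%systemroot%", r"C:\\Windows", v, flags=re.IGNORECASE)
    return v.lower()


def audit_appmgmt(snapshot: dict) -> list:
    """Return a list of findings; an empty list means AppMgmt looks stock."""
    findings = []
    image = _normalise(snapshot.get("ImagePath", ""))
    if not image.startswith(SVCHOST):
        findings.append(f"ImagePath does not launch svchost.exe: {snapshot.get('ImagePath')!r}")
    dll_raw = snapshot.get("ServiceDll", "")
    dll = _normalise(dll_raw)
    if dll != LEGIT_DLL:
        findings.append(f"ServiceDll is not appmgmts.dll: {dll_raw!r}")
        if not dll.startswith(SYSTEM32):
            findings.append("ServiceDll lives outside System32 (typical of a hijacked svchost-hosted service)")
    return findings


def read_live_snapshot() -> dict:
    """Read the real values on a Windows host; returns {} elsewhere so the module stays importable."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    snap = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY) as key:
        snap["ImagePath"] = winreg.QueryValueEx(key, "ImagePath")[0]
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICE_KEY + r"\Parameters") as key:
        snap["ServiceDll"] = winreg.QueryValueEx(key, "ServiceDll")[0]
    return snap


# Constructed snapshots: a stock configuration and a hijacked one (the DLL path is a placeholder).
STOCK = {
    "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
    "ServiceDll": r"%SystemRoot%\System32\appmgmts.dll",
}
HIJACKED = {
    "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs -p",
    "ServiceDll": r"C:\ProgramData\Example\loader.dll",
}

if __name__ == "__main__":
    for name, snap in (("stock", STOCK), ("hijacked", HIJACKED), ("live", read_live_snapshot())):
        print(name, audit_appmgmt(snap) if snap else "(not on Windows)")
```

On a live host the same check can be run at scale by exporting the two registry values from endpoint telemetry and feeding them to audit_appmgmt; the ServiceDll check is the one that matters, since the ImagePath of an svchost-hosted service is rarely changed by a hijack.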
MgBot implements anti-analysis and anti-virtualization techniques: it modifies its own code at runtime, checks for installed antivirus products, and scans for virtualized environments such as VirtualBox. If a sandbox is detected, MgBot performs no malicious activity. It presents itself as a “Video Team Desktop App” while carrying out its operations.
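As an added example (not code from the report, which does not publish MgBot's exact artifact list), the following Python code shows the kind of VirtualBox and antivirus checks such sandbox-aware malware performs, run over a constructed host snapshot. The artifact names are well-known VirtualBox guest indicators and a small subset of AV process names; from the defender's side, a non-empty result means an analysis VM would be spotted and those artifacts should be hidden or renamed before detonation.

```python
# Added example: generic sandbox-awareness checks of the kind described above, evaluated
# over a constructed snapshot of a host. Artifact lists are illustrative, not MgBot's own.

VBOX_PROCESSES = {"vboxservice.exe", "vboxtray.exe"}
VBOX_DRIVERS = {"vboxguest.sys", "vboxmouse.sys", "vboxsf.sys", "vboxvideo.sys"}
VBOX_REGISTRY_KEYS = {
    r"hklm\software\oracle\virtualbox guest additions",
    r"hklm\hardware\acpi\dsdt\vbox__",
}
VBOX_MAC_PREFIX = "08:00:27"  # OUI assigned to VirtualBox virtual NICs

# Process name -> product, for the "is an AV installed?" check (small illustrative subset).
AV_PROCESSES = {
    "msmpeng.exe": "Windows Defender",
    "avp.exe": "Kaspersky",
    "ekrn.exe": "ESET",
    "avgnt.exe": "Avira",
}


def _lower_set(items):
    return {i.lower() for i in items}


def vm_indicators(snapshot: dict) -> list:
    """Return the VirtualBox artifacts visible in the snapshot (empty list == looks like bare metal)."""
    found = []
    found += sorted(_lower_set(snapshot.get("processes", [])) & VBOX_PROCESSES)
    found += sorted(_lower_set(snapshot.get("drivers", [])) & VBOX_DRIVERS)
    found += sorted(_lower_set(snapshot.get("registry_keys", [])) & VBOX_REGISTRY_KEYS)
    found += [m for m in snapshot.get("mac_addresses", []) if m.lower().startswith(VBOX_MAC_PREFIX)]
    return found


def av_products(snapshot: dict) -> list:
    """Name the antivirus products whose processes are running in the snapshot."""
    names = _lower_set(snapshot.get("processes", []))
    return sorted(AV_PROCESSES[p] for p in names & set(AV_PROCESSES))


def would_run_payload(snapshot: dict) -> bool:
    """Mirror the behaviour described above: stay dormant when a VM is detected."""
    return not vm_indicators(snapshot)


# Constructed snapshots: a VirtualBox guest with Defender running, and a bare-metal host.
VBOX_GUEST = {
    "processes": ["explorer.exe", "VBoxService.exe", "VBoxTray.exe", "MsMpEng.exe"],
    "drivers": ["ntfs.sys", "VBoxGuest.sys", "VBoxMouse.sys"],
    "registry_keys": [r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"],
    "mac_addresses": ["08:00:27:4C:91:0A"],
}
BARE_METAL = {
    "processes": ["explorer.exe", "MsMpEng.exe"],
    "drivers": ["ntfs.sys", "rtwlane.sys"],
    "registry_keys": [],
    "mac_addresses": ["3C:97:0E:12:34:56"],
}

if __name__ == "__main__":
    for name, snap in (("vbox guest", VBOX_GUEST), ("bare metal", BARE_METAL)):
        print(name, "->", "run" if would_run_payload(snap) else "dormant",
              vm_indicators(snap), av_products(snap))
```

The MAC prefix check is the one most often forgotten when hardening a sandbox: renaming the guest-additions service and drivers does nothing if the virtual NIC still advertises the VirtualBox OUI.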