The Lotus Panda is awake, again

The attack starts with a spear phishing email containing a weaponized document.
The file, written in Chinese, seems to be a reply to a call for tenders.
Its title, translated into English, is “Tender Documents for Centralized Procurement of Web Application Firewall (WAF) Equipment of China Mobile from 2022 to 2024”.

The Office document contains two different payloads that are hidden in document properties.
When the document is opened, the VBA macro extracts the embedded data from the Comments and Subject properties and writes it to the file system.
The files are written under “%Temp%rad543C7.tmp.ini” and “%Temp%rad543C7.tmp.exe”.
The VBA code is simple and short and shows no trace of obfuscation.
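A defender can screen inbound attachments for this storage trick. The following is an added example, not code from the original report: it assumes the attachment is an OOXML (zip-based) file, where Subject and Comments live in docProps/core.xml, and the size threshold and sample documents are constructed for illustration. Legacy OLE documents keep these properties in a different stream and need a different parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted files at scale

NS = {"dc": "http://purl.org/dc/elements/1.1/"}
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
# In docProps/core.xml, Word's "Subject" is dc:subject and "Comments" is dc:description.
FIELDS = {"Subject": "dc:subject", "Comments": "dc:description"}
MAX_PROPERTY_CHARS = 1024  # assumed threshold; tune it against your own documents


def audit_properties(doc_bytes, limit=MAX_PROPERTY_CHARS):
    """Report property sizes and whether a VBA project is present in an OOXML file."""
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
        names = z.namelist()
        has_macros = any(n.lower().endswith("vbaproject.bin") for n in names)
        sizes = {label: 0 for label in FIELDS}
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for label, tag in FIELDS.items():
                node = root.find(tag, NS)
                if node is not None:
                    sizes[label] = len(node.text or "")
    oversized = sorted(label for label, n in sizes.items() if n > limit)
    return {"has_macros": has_macros, "sizes": sizes, "oversized": oversized,
            "suspicious": has_macros and bool(oversized)}


def build_sample(subject, comments, with_macros):
    """Constructed test file holding only the parts this check reads."""
    core = (f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{NS["dc"]}">'
            f"<dc:subject>{subject}</dc:subject>"
            f"<dc:description>{comments}</dc:description></cp:coreProperties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        if with_macros:
            z.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


BENIGN = audit_properties(build_sample("Quarterly report", "Draft", False))
FLAGGED = audit_properties(build_sample("41" * 2000, "42" * 3000, True))
```

A macro-enabled document whose Subject or Comments field runs to thousands of characters is rare in normal correspondence, so the combination is a reasonable quarantine rule at the mail gateway.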
The file rad543C7.tmp.exe is an artifact that has been known to the community since last year under the name HexINI. It is a small executable that acts as a shellcode loader.
The name reflects how it works: it loads hex-encoded shellcode saved as an INI file in the same folder. In this case, too, the final code is contained in the file that accompanies the loader, rad543C7.tmp.ini.
The core of the HexINI loader is simple: it opens and reads the INI file using the fopen and fread functions, then converts the hexadecimal string to a byte array. This array is then loaded into the process memory space using VirtualAlloc and memcpy.
Finally, the code is executed on a new thread through the CreateThread function.
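The loader's on-disk layout is itself a triage signal: an executable sitting next to a same-named .ini file that contains nothing but hexadecimal text. The following is an added example, not code from the original report; the minimum length and the sample files (which hold harmless constructed bytes) are assumptions.

```python
import binascii
import os
import tempfile

MIN_HEX_CHARS = 64  # assumed floor; real configuration files are not one long hex string


def decode_if_pure_hex(path, min_chars=MIN_HEX_CHARS):
    """Return the decoded bytes if the file is nothing but a hex string, else None."""
    with open(path, "rb") as fh:
        text = b"".join(fh.read().split())  # drop whitespace and newlines
    if len(text) < min_chars or len(text) % 2:
        return None
    try:
        return binascii.unhexlify(text)
    except binascii.Error:
        return None  # sections, keys or '=' present: an ordinary INI file


def find_loader_pairs(directory):
    """List (exe, ini, decoded_size) where <name>.exe sits beside a pure-hex <name>.ini."""
    names = {n.lower(): n for n in os.listdir(directory)}
    hits = []
    for lower, exe in sorted(names.items()):
        if not lower.endswith(".exe"):
            continue
        ini = names.get(lower[:-4] + ".ini")
        if ini is None:
            continue
        blob = decode_if_pure_hex(os.path.join(directory, ini))
        if blob is not None:
            hits.append((exe, ini, len(blob)))
    return hits


def demo():
    """Run the check over constructed files in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "rad543C7.tmp.exe": b"MZ constructed placeholder, not a real binary",
            "rad543C7.tmp.ini": (b"constructed sample payload " * 4).hex().encode(),
            "setup.exe": b"MZ constructed placeholder",
            "setup.ini": b"[install]\nlanguage=en\npath=C:\\Program Files\\Example\n",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return find_loader_pairs(d)
```

Pointing `find_loader_pairs` at a collected copy of a user's temp directory surfaces the pair without executing anything; the decoded bytes can then go to static analysis.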

Once the shellcode is executed, it creates a suspended svchost.exe process into which the final beacon is injected.

The injection mechanism uses the classic flow composed of the VirtualAllocEx, WriteProcessMemory and CreateRemoteThreadEx Windows API functions.

This remote thread seems to be a sort of HTTP beacon that tries to get new commands to execute every 7899 milliseconds from
The beacon embeds the user-agent.
At first glance, the code of this artifact might look like a CobaltStrike beacon. However, after a deeper analysis, the C25 team discovered that the beacon derives from a less popular red team framework known as Viper.
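The fixed 7899 ms polling interval is a usable network detection signal. The following is an added example, not code from the original report: it flags client and destination pairs whose request gaps cluster around that value. The log rows, host names, tolerance and minimum request count are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BEACON_SECONDS = 7.899  # polling interval reported in the article (7899 ms)
TOLERANCE = 0.5         # assumed allowance for network and logging delay, in seconds
MIN_REQUESTS = 6        # assumed minimum number of requests before judging regularity


def find_fixed_interval_clients(rows, period=BEACON_SECONDS, tol=TOLERANCE):
    """rows: (timestamp, client, destination). Return pairs polling at ~period seconds."""
    by_pair = defaultdict(list)
    for ts, client, dest in rows:
        by_pair[(client, dest)].append(ts)
    hits = []
    for (client, dest), stamps in sorted(by_pair.items()):
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        # A low spread separates a timer-driven client from bursty human browsing.
        if abs(median - period) <= tol and statistics.pstdev(gaps) <= tol:
            hits.append((client, dest, round(median, 3)))
    return hits


def constructed_log():
    """Constructed proxy records; host and domain names are placeholders."""
    start = datetime(2022, 5, 1, 9, 0, 0)
    polling = [(start + timedelta(seconds=i * 7.899), "ws-041", "c2.example.invalid")
               for i in range(10)]
    browsing = [(start + timedelta(seconds=s), "ws-107", "intranet.example.invalid")
                for s in (0, 3, 41, 44, 130, 131, 300, 305)]
    return polling + browsing


ALERTS = find_fixed_interval_clients(constructed_log())
```

The interval is a property of this sample's configuration, so treat a match as a lead for this campaign and keep a general periodicity rule alongside it.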

On the command-and-control server, using a passive approach, C25 found the presence of a Viper framework and ARL dashboards.
The analysis uncovered part of the Naikon APT arsenal.
From what the analysts observed, they can assert that this Chinese group is using open-source tools such as Viper and ARL (Asset Reconnaissance Lighthouse).
Both tools seem to be developed by a Chinese programmer, as most of their documentation is written in Mandarin.

Viper

Viper is a graphical penetration tool that modularizes and weaponizes the tactics and technologies commonly used in the process of intranet penetration. As stated on its GitHub page, Viper integrates 80+ modules, covering almost all the known Techniques (such as Resource Development, Initial Access, Execution, Persistence and so on).
Like CobaltStrike, Viper allows easy payload generation, such as Meterpreter, ReverseShell and other custom beacons.

ARL

ARL (Asset Reconnaissance Lighthouse) is a tool that helps security teams and penetration testers with the reconnaissance and retrieval of assets, discovering existing weak points and attack surfaces.
The tool has many functions, such as port scanning and service identification, website fingerprinting, domain name asset discovery and so on.
As shown on its GitHub page, the tool exposes a user-friendly web view that makes most of its functionality easier to use.
