The Lotus Panda is awake, again

The attack starts with a spear phishing email containing a weaponized document.
The file, written in Chinese, seems to be a reply to a call for tenders.
Its title translated in English is “Tender Documents for Centralized Procurement of Web Application Firewall (WAF) Equipment of China Mobile from 2022 to 2024”.

The Office document contains two different payloads that are hidden as document properties.
As visible in the following VBA snippet, when opening the document, the Macro code extracts the embedded data from Comments and Subject properties and writes it in the file system.
The files are written under “%Temp%rad543C7.tmp.ini” and “%Temp%rad543C7.tmp.exe”.
The VBA code is simple and short and doesn’t have trace of any obfuscation.
The file rad543C7.tmp.exe is an artifact already known to the community since the last year and it was named HexINI. It is a small executable that acts like a loader for a shellcode.
Its name comes from its characteristic to be a loader for a hex-encoded shellcode saved as INI file in the same folder. So, also in this specific case the final code is contained into the same loader file, rad543C7.tmp.ini.
In the image is shown the core of HexINI loader. It simply opens and reads the INI file using the fopen and fread functions, then converts the hexadecimal string to a byte array. Then this array is loaded into process memory space using VirtualAlloc and memcpy.
Finally, the code is executed on a new thread through the CreateThread function.

Once the shellcode is executed, it proceeds with the creation of a suspended process of svchost.exe that can inject the final beacon.

The injection mechanism uses the classic flow composed by VirtualAllocEx, WriteProcessMemory and CreateRemoteThreadEx WinApi functions.

This remote thread seems to be a sort of HTTP beacon that tries to get new commands to execute every 7899 milliseconds from https://175.27.164.228:57784/NYMLEDfq/IOH9E0Nq2YMEVQVXZgqYUAOI5wWcN5LMe
The beacon embeds the user-agent.
At first glance, the code of this artifact might look like a CobaltStrike beacon. However, after a deep analysis C25 team discovered the beacon derives from a less popular RedTeam framework known as Viper.

On the command-and-control server, using a passive approach, C25 found the presence of a Viper framework and ARL dashboards.
During the analysis it was discovered part of Naikon APT arsenal.
Starting from what analysts observed they can assert that this Chinese group is using open-source tools like Viper and ARL (Asset Reconnaissance Lighthouse).
Both tools seem to be developed by a Chinese programmer, as most of their documentation is written in Mandarin.

Viper [https://github.com/FunnyWolf/Viper]

Viper is a graphical penetration tool, which modularizes and weaponizes the tactics and technologies commonly used in the process of Intranet penetration. As stated in its Github page, Viper integrates 80+ modules, covering almost all the known Techniques (such as Resource Development, Initial Access, Execution, Persistence and so on).
Like CobaltStrike, Viper allows easy payload generation, such as Meterpreter, ReverseShell and other custom beacons.

ARL [https://github.com/TophantTechnology/ARL]
ARL (Asset Reconnaissance Lighthouse) is a tool to assist security team or penetration tester to make reconnaissance and retrieval of assets, discovering existing weak points and attack surfaces.
The tool has a lot of functionalities such as port scanning and service identification, website fingerprinting, Domain name asset discovery and so on.
As visible from the Github page, the tool exposes a user-friendly Web view that make easier most of its functionalities.