Skip to main content

Chinese Hackers Targeting Foreign Governments Across The World.


Phishing is still one of the widely used strategies by cybercriminals and espionage groups to gain an initial foothold on the targeted systems.

Though hacking someone with phishing attacks was easy a decade ago, the evolution of threat detection technologies and cyber awareness among people has slowed down the success of phishing and social engineering attacks over the years.

Since phishing is more sort of a one-time opportunity for hackers before their victims suspect it and likely won't fall for the same trick again, sophisticated hacking groups have started putting a lot of effort, time and research to design well-crafted phishing campaigns.

In one such latest campaign discovered by cybersecurity researchers at Check Point, a Chinese hacking group, known as Rancor, has been found conducting very targeted and extensive attacks against Southeast Asian government entities from December 2018 to June 2019.


What's interesting about this ongoing 7-month long campaign is that over this period, the Rancor group has continuously updated tactics, tools, and procedures (TTP) based on its targets in an effort to come up with phishing email contents and lure documents appear being as convincing as possible.

"The observed attacks started with emails sent on behalf of employees from different government departments, embassies, or government-related entities in a Southeast Asian country," reads a report published by CheckPoint and privately shared with The Hacker News prior to its release.

"The attackers appeared determined to reach certain targets, as tens of emails were sent to employees under the same ministries. Furthermore, the emails' origin was likely spoofed to make them seem more reliable."

Continuously Evolving Tactics, Tools, and Procedures

Researchers discovered different combinations of TTP based on their timeline, delivery, persistence, and payloads, and then combined them into 8 major variants, as listed below in this article.

Each attack variant started with a classic spear-phishing email containing a malicious document designed to run macros and exploit known vulnerabilities to install a backdoor on the victims' machines and gain full access to the systems.

hacking-tools

Most of the delivery documents in this campaign contained legitimate government-related topics, like instructions for governmental employees, official letters, press releases, surveys, and more, appeared to be sent from other government officials.

Interestingly, as part of the infection chain, in most campaigns, attackers also bring their own legitimate, signed and trusted executables of major antivirus products to side-load malicious DLLs (dynamic link library) files to evade detection, especially from behavioral monitoring products.

hacking

As shown in the illustrations above, the abused legitimate executables belong to antivirus products including a component of Avast antivirus, BitDefender agent and Windows defender.

Web Application Firewall

Though the attack chains involve fileless activities like usage of VBA macros, PowerShell code, and legitimate Windows built-in tools, this campaign is not designed to achieve a fileless approach as the researchers told The Hacker News that other parts of the campaign expose malicious activities to the file system.

"To date, we have not seen such a persistent attack on a government; the same attacks were targeted for 7 months. We believe that the US Government should take note," researchers warned as the US elections are near.

"To attack the US Government, these Chinese hackers wouldn't need to change much, except making their lure documents all in English, and include themes that would trigger the interest of the victim so that the victim would open the file."

Rancor hacking group has previously been found attacking Cambodia and Singapore and continued its operations against entities within the Southeast Asia region, and this time the group has put 7 months of its effort on targeting the Southeast Asian government sector.

"We expect the group to continue to evolve, constantly changing their TTPs in the same manner as we observed throughout the campaign, as well as pushing their efforts to bypass security products and avoid attribution," the researchers conclude.

To learn more about the Rancor group and its latest campaign, you can head on to the CheckPoint report titled, "Rancor: The Year of the Phish".











Comments

Post a Comment

Popular posts from this blog

Vurra Constituency MP Adriko Yovan gets six months imprisonment for failing to repay loan.

📸: Hon Adriko Yovan. Story By Andrew Cohen Amvesi. ARUA . Yovan Adriko, the Vurra County Member of Parliament (MP) in Arua district has been committed to six months civil prison for failing to clear debts amounting to shs55,677,400. Adriko was on Thursday evening sent to Arua government prison to serve six months shortly after his arrest at Slumberland hotel in Arua City. MP Adriko warrant of committal judgement debtor to jail. Paul Mawa of T/A Vitality Associates, the court bailiff assigned to arrest the MP, duped him to come and pick some money for a land transaction at Slumberland hotel where he picked him like a baby after a long hunt. Adriko was immediately arraigned before Her Worship Karungi Leo, the Deputy Registrar of Arua High Court who later committed him to imprisonment not exceeding six months. Part of Adriko’s warrant of arrest issued b court Adriko was sent to the coolers for failing to clear shs48m which is the princip
1 comment
Read more

Arrested Arua City Officials Taken to Kampala this Night.

Wednesday 8-November-2023. 📸: The arrest of Arua City Physical Planner Mr Findru Moses on 6-Nov-2023 at around 2pm. 📸: Mr Jobile Cornelius the City Deputy town clerk who was arrested on 7-Nov-2023 at around 4pm. 📸: Mrs Lillian Aleni (in red cloth) and Mr Edoni Benard being handcuffed by police officer on 6-Nov-2023 at around 6pm. The bail that was to be issued last night 8pm 7-Nov-2023 to release the arrested City Deputy town clerk Mr Jobile Cornelius and CFO Mr Sam Adriko over mismanagement of government properties and monies was canceled, and by this time of the night 11pm, highly placed sources leaked that, all the arrested suspects (Mr Findru Moses the Arua City Physical Planner, Mr Jobile Cornelius the Deputy City clerk, Mr Adriko Sam the CFO, Mr Edoni Benard the PDM BOG Chairperson for Pangisa ward and Mrs Lillian Aleni the parish chief for Pangisa ward) are being transported by State House Anti-corruption Unit officers who will soon be reac
Post a Comment
Read more

Wedded Ayivu West MP Lematia John Fights Over Another Woman.

  📸: Hon Lematia John. By URN. Police in Arua district are investigating a case of assault and threatening violence involving the Member of Parliament for Ayivu West Constituency John Lematia and James Ariko, a DSTV technician in Arua city. Drama ensued on Easter Sunday 31-3-2024 at Dream Land Hotel located at Kuluva trading center along Arua-Nebbi highway in Arua district when the legislator and the technician engaged in a fight reportedly over a woman identified as Faith Eyotaru 25, a relationship officer at Victoria University Kampala. The scuffle started after Ayivu West Mp John Lematia went to swim at Dreamland Hotel with Faith Eyotaru only to find Ariko, who had gone to the same hotel earlier. However, upon seeing the duo coming out of the vehicle, Ariko confronted Lematia with both men claiming to be having a relationship with the lady. It took the intervention of the staff at the hotel who intervened and separated the fight between the men. Josephine Angucia, the West Nile re
Post a Comment
Read more