Chinese hackers attack government targets via Google Drive

Chinese hackers attack government targets via Google Drive

According to Trend Micro researchers , a Chinese hacker group known as Mustang Panda , has attacked several targets located in Australia, Japan, Taiwan, among others. Victims were mainly government, research and academic entities, and the attack vector was Google accounts used to send Google Drive links via email to deliver customized malware.

Researchers state that the hackers sent messages of a geopolitical nature, in fact 84% of the emails were addressed to organizations of a legal type or related to public bodies. The link contained in the emails directed the victims to a folder on Google Drive or Dropbox , in order to bypass the security mechanisms, due to the positive reputation of both services.

if (jQuery("#crm_srl-th_hardware_d_mh2_1").is(":visible")) { //console.log("[ACTIVATION TEST] adding zone: tag crm_srl-th_hardware_d_mh2_1 slot id: th_hardware_d_mh2"); } if (jQuery("#crm_srl-th_hardware_d_bx2_1").is(":visible")) { //console.log("[ACTIVATION TEST] adding zone: tag crm_srl-th_hardware_d_bx2_1 slot id: th_hardware_d_bx2"); } Attack methodology - Source: Trend Micro Once the links were opened, compressed files were downloaded in RAZ, ZIP or JAR format, which contained malware such as ToneShell , ToneIins and PubLoad . An interesting aspect is that instead of adding the victims' email addresses to the "To" field, the hackers used fake emails, while the real addresses were entered in the "CC" field, in this way it was possible to evade the analysis of security and hinder the investigation.

Of the three malware delivered to victims, PubLoad is a stager and allows you to create a permanent presence via registry keys and scheduled tasks, decrypt shell code, and manage communications to C2 servers. ToneIns is a ToneShell installer, i.e. the main backdoor, that exploits obfuscation by implementing custom handlers for security exceptions. The backdoor also doesn't work in debug environments, so it was designed to avoid sandboxed scans.

if (jQuery("#crm_srl-th_hardware_d_mh3_1").is(":visible")) { //console.log("[ACTIVATION TEST] adding zone: tag crm_srl-th_hardware_d_mh3_1 slot id: th_hardware_d_mh3"); }