China-Backed APT Group Reportedly Targets India, Hong KongResearchers: Recently Uncovered Hacking Group Has Been Operating Since 2014
A hacking group that appears to have ties to the government of China has been targeting victims in India and Hong Kong, according to a report released this week by the security firm Malwarebytes.
This unnamed advanced persistent threat group appears to have been operating in secret since 2014, according to the report. The group's recent activity has targeted two areas that have recently found themselves in conflict with China.
The Malwarebytes Threat Intelligence Team has attributed these recent attacks with "moderate confidence" to the unnamed hacking group, which uses a little-known Trojan called MGBot as part of its toolset.
Malwarebytes cited the ongoing tensions between India, Hong Kong and the Chinese government as one reason for linking the APT group's activities to China. The attacker's social engineering tactics included using fraudulent government documents and messaging designed to encourage the targets in India and Hong Kong to open the malicious attachments to install malware, according to the report.
The first hacking incident associated with these recent campaigns took place on July 2, targeting Indian and Hong Kong government agencies. This date coincides with the implementation by the Chinese government of new security laws in Hong Kong, and with India banning 59 China-made apps over privacy concerns and military activity along the India-China border, according to researchers at Malwarebytes.
"The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China," the Malwarebytes researchers note.
The Malwarebytes researchers were able to track the hacking group's activities between July 2 and 5 based on "unique phishing attempts" that they detected. These were designed to compromise systems belonging to India and Hong Kong government agencies, according to the report.
On July 2, the researchers discovered an archive file that came with an embedded document portrayed as coming from the Indian government. The email, which claimed to have originated with the Indian Government Information Security Center, alerted recipients that their email accounts had been compromised and they would need to complete a security check before July 5, according to the report.
Once opened, the document used several template injections to download a remote template that then installed a malicious version of Cobalt Strike, which can give a hacker remote access and control over an infected device (see: Spear-Phishing Campaign Uses Military-Themed Document).
The downloaded template used the dynamic data exchange protocol to execute malicious commands, which are encoded within the document’s content. DDE is an inter-process communication system which allows data to be shared between the applications in older versions of Windows.
Additional Attack Vectors
The APT group leveraged two other tactics. It used spear-phishing emails to drop a new variant of the MgBot malware. It also used a malicious Android application to steal call records, contacts and messages, according to Malwarebytes.
The researchers also found that the APT group changed the malicious Cobalt Strike payload a day after the initial strike on July 2. The hacking group replaced it with the updated version of MgBot malware.
The researchers note, however, that they saw a third version on July 5, when operators used a different embedded document with a fake statement attributed to U.K. Prime Minister Boris Johnson about allowing 3 million Hong Kong residents to work and live in Britain.
Researchers also found several malicious Android applications that they believe were part of the toolset used by this hacking group.
All these bogus Android applications contain a JAR file named "ksremote.jar" that provides remote access Trojan, or RAT, functionality. This allows for:
- Recording screen and audio using the phone’s camera and microphone;
- Locating the phone with coordinates;
- Sealing phone contacts, call log, SMS and web history;
- Sending SMS messages.
The researchers also found that the hacking group uses several IP addresses to host its malicious payloads as well as for its command-and-control communications.
The majority of IP addresses used by the operators are located in Hong Kong and are used for command-and-control communication, according to the report.
In other campaigns in 2014, 2018 and earlier this year, this same APT group appears to have used Hong Kong-based IP addresses from its malicious infrastructure, according to the report.