Chinese APT Groups are Targeting Russia

SentinelOne reported that they identified Chinese APT groups are attacking to Russian organizations in several sectors like telecommunications and government.

The attacks start with phishing emails including Office documents to exploit targets in order to deliver their RAT (Remote Access Trojan) called Bisonal. These phishing emails spoofing RU-CERT, the country’s cybersecurity incident response center.

The documents exploit CVE-2018-0798, a remote execution vulnerability in Microsoft Office, to install the embedded malware.

On June 22nd 2022, CERT-UA – Ukraine’s CERT – also publicly shared some of these documents that are created with a tool called ‘Royal Road’.

Timeline of Royal Road Malicious Documents – Source:

Tonto Team APT Group: The attack was associated with the Tonto Group by SentinelOne. They are a Chinese group firstly reported near 2013. We have identified that they targeted South Korean National Security entities, Japanese chemical organizations, and also Russian government again in the past.

Malicious Document Example of Related Activity – Source:

CVE-2018-0798: This is a stack-based buffer overflow vulnerability exists within the Microsoft Equation Editor (eqnedt32.exe) in Microsoft Office. It is a high risky and exploitable vulnerability. When exploited, the attacker can remotely execute arbitrary code. We have seen this vulnerability has been exploited widely in the past.

IoCs of Related Activity:

f599ed4ecb6c61ef2f2692d1a083e3bb040f95e66/21/2022 Royal Road Document”Вниманию.doc”
cb8eb16d94fd9242baf90abd1ef1a5510edd29966/16/2022  Royal Road Document “Вниманию.doc”
41ebc0b36e3e3f16b0a0565f42b0286dd367a3526/15/2022 (Estimate) Royal Road Document”Анкетирование Агентства по делам государственной службы.rtf”
2abf70f69a289cc99adb5351444a1bd23fd973846/20/2022 Royal Road Document”17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc”
supportteam.lingrevelat[.]comC2 Domain
upportteam.lingrevelat[.]comC2 Domain for cb8eb16d94fd9242baf90abd1ef1a5510edd2996
2b7975e6b1e9b72e9eb06989e5a8b1f6fd9ce0276/21/2022 Royal Road Document”О_формировании_проекта_ПНС_2022_файл_отображен.doc”
a501fec38f4aca1a57393b6e39a52807a7f071a46/21/2022 Royal Road Document”замечания таблица 20.06.2022.doc”
415ce2db3957294d73fa832ed844940735120bae6/23/2022 Royal Road Document”Пояснительная записка к ЗНИ.doc”
news.wooordhunts[.]comC2 Domain for 415ce2db3957294d73fa832ed844940735120bae
137.220.176[.]165IP Resolved for C2 Domains news.wooordhunts[.]com supportteam.lingrevelat[.]com upportteam.lingrevelat[.]com
1c848911e6439c14ecc98f2903fc1aea63479a9f6/23/2022 Royal Road Document”РЭН 2022.doc”
91ca78231bcacab0d5e6194041817b96252e65bf5/12/2022 Phishing Email File
f444ff2386cd3ada204c3224463f4be310e5554a5/12/2022 Royal Road Document”Please help to Check.doc”
instructor.giize[.]comC2 Server for f444ff2386cd3ada204c3224463f4be310e5554a

Leave a Reply