Tag Archives: China

Chinese APT Groups are Targeting Russia

SentinelOne reported that they identified Chinese APT groups are attacking to Russian organizations in several sectors like telecommunications and government.

The attacks start with phishing emails including Office documents to exploit targets in order to deliver their RAT (Remote Access Trojan) called Bisonal. These phishing emails spoofing RU-CERT, the country’s cybersecurity incident response center.

The documents exploit CVE-2018-0798, a remote execution vulnerability in Microsoft Office, to install the embedded malware.

On June 22nd 2022, CERT-UA – Ukraine’s CERT – also publicly shared some of these documents that are created with a tool called ‘Royal Road’.

Timeline of Royal Road Malicious Documents – Source: http://www.sentinelone.com

Tonto Team APT Group: The attack was associated with the Tonto Group by SentinelOne. They are a Chinese group firstly reported near 2013. We have identified that they targeted South Korean National Security entities, Japanese chemical organizations, and also Russian government again in the past.

Malicious Document Example of Related Activity – Source: http://www.sentinelone.com

CVE-2018-0798: This is a stack-based buffer overflow vulnerability exists within the Microsoft Equation Editor (eqnedt32.exe) in Microsoft Office. It is a high risky and exploitable vulnerability. When exploited, the attacker can remotely execute arbitrary code. We have seen this vulnerability has been exploited widely in the past.

IoCs of Related Activity:

IOCDescription
f599ed4ecb6c61ef2f2692d1a083e3bb040f95e66/21/2022 Royal Road Document”Вниманию.doc”
cb8eb16d94fd9242baf90abd1ef1a5510edd29966/16/2022  Royal Road Document “Вниманию.doc”
41ebc0b36e3e3f16b0a0565f42b0286dd367a3526/15/2022 (Estimate) Royal Road Document”Анкетирование Агентства по делам государственной службы.rtf”
2abf70f69a289cc99adb5351444a1bd23fd973846/20/2022 Royal Road Document”17.06.2022_Протокол_МРГ_Подгруппа_ИБ.doc”
supportteam.lingrevelat[.]comC2 Domain
upportteam.lingrevelat[.]comC2 Domain for cb8eb16d94fd9242baf90abd1ef1a5510edd2996
2b7975e6b1e9b72e9eb06989e5a8b1f6fd9ce0276/21/2022 Royal Road Document”О_формировании_проекта_ПНС_2022_файл_отображен.doc”
a501fec38f4aca1a57393b6e39a52807a7f071a46/21/2022 Royal Road Document”замечания таблица 20.06.2022.doc”
415ce2db3957294d73fa832ed844940735120bae6/23/2022 Royal Road Document”Пояснительная записка к ЗНИ.doc”
news.wooordhunts[.]comC2 Domain for 415ce2db3957294d73fa832ed844940735120bae
137.220.176[.]165IP Resolved for C2 Domains news.wooordhunts[.]com supportteam.lingrevelat[.]com upportteam.lingrevelat[.]com
1c848911e6439c14ecc98f2903fc1aea63479a9f6/23/2022 Royal Road Document”РЭН 2022.doc”
91ca78231bcacab0d5e6194041817b96252e65bf5/12/2022 Phishing Email File
f444ff2386cd3ada204c3224463f4be310e5554a5/12/2022 Royal Road Document”Please help to Check.doc”
instructor.giize[.]comC2 Server for f444ff2386cd3ada204c3224463f4be310e5554a
Source: http://www.sentinelone.com

China’s Plan to Stop Using Foreign-Branded PCs

With the Russian occupation of Ukraine and the subsequent sanctions, foreign dependency issues began to come to the fore in all countries and sectors. Lastly, China has ordered to replace foreign-branded computers with nationally developed ones in two years.

The primarily reason of the measures are to reduce the dependence on rivals such as the U.S. for everything from semiconductors to servers and phones, and will be applied firstly to central government agencies and state-backed corporations.

The Chinese authorities are expected to plan to replace at least 50 million devices at the central government level alone. It seems like if successful, this decision will create serious problems on producers like Dell, HP, and others.

Source: Bloomberg