Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Malicious Document Builder Used in East Asia APT Attacks

Researchers at Arbor Networks’ Security Engineering and Response Team (ASERT) have identified what they believe to be a tool used in advanced persistent threat (APT) attacks aimed at various entities in East Asia.

Researchers at Arbor Networks’ Security Engineering and Response Team (ASERT) have identified what they believe to be a tool used in advanced persistent threat (APT) attacks aimed at various entities in East Asia.

An analysis of a dozen incidents from a larger set of activity has led experts to believe that the malicious Rich Text File (RTF) documents used by threat actors in their attacks were all created using the same builder.

The attacks analyzed by ASERT were part of long-running APT campaigns aimed at the Tibetan community, journalists and human rights groups in Taiwan and Hong Kong, and Uyghurs. The operations involved pieces of malware known as Kivars, PlugX, Gh0stRAT, T9000, Graber and Agent.XST.

According to researchers, these threats were primarily delivered to victims via spear-phishing emails that contained a malicious RTF document with the .doc extension. Interestingly, these files were each set up to exploit 2-4 vulnerabilities and Arbor Networks believes they might have been created with a weaponized document builder which it has dubbed “Four Element Sword.”

The Four Element Sword builder is capable of embedding code for four different Microsoft Office arbitrary code execution exploits. Two of the flaws, CVE-2012-0158 and CVE-2012-1856, were first discovered in 2010 and patched by Microsoft in 2012, while the other two, CVE-2015-1641 and CVE-2015-1770, were resolved last year. While some of these exploits are very old, researchers believe they could still be useful against certain groups that might be using older systems.

Four Element Sword Builder

For each of the 12 attacks it analyzed, Arbor Networks made connections to malware and infrastructure observed in other attacks — most notably a campaign aimed at the World Uyghur Congress and an operation dubbed by Trend Micro “Shrouded Crossbow.”

The types of targets, the pieces of malware used, overlaps in infrastructure and connections to previous campaigns suggest a link to China. ASERT has found evidence that the campaigns leveraging malicious RTF documents are ongoing.

According to researchers, the Four Element Sword builder has also been used by cybercriminals. In the cybercrime operations observed by the security firm, which will be detailed in an upcoming report, 2-3 of the Office exploits were integrated in each document.

Advertisement. Scroll to continue reading.

Coinciding with ASERT’s report, the University of Toronto’s Citizen Lab disclosed the details of a cyber espionage campaign targeting Hong Kong democracy activists. The operation described by Citizen Lab is related to the threat activity detailed by ASERT.

Related: Malware Used by China APT Group Abuses Dropbox

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.