Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

China-Linked Spies Use Recent Zero-Day to Target Financial Firms

A cyber espionage group has targeted analysts working at major financial firms using a recently patched Microsoft Office vulnerability, Proofpoint reported last week.

A cyber espionage group has targeted analysts working at major financial firms using a recently patched Microsoft Office vulnerability, Proofpoint reported last week.

The threat actor, tracked by the security firm as TA459, has been active since at least 2013 and it’s believed to be operating out of China. The cyberspies have been known for using malware such as NetTraveler (aka TravNet), PlugX, Saker, Netbot, DarkStRat, and ZeroT in attacks aimed at organizations in Russia and neighboring countries.

Proofpoint recently detailed a series of attacks launched by the group against military and aerospace organizations in Russia and Belarus.

On April 20, researchers spotted a campaign aimed at global financial firms operating in Russia and neighboring countries. Given that the attacks were apparently aimed at analysts covering the telecommunications industry, experts believe this latest operation is likely a continuation of a similar campaign first analyzed in the summer of 2015.

In the recent attacks, TA459 sent out spear-phishing emails containing a Word document set up to exploit a recently patched remote code execution vulnerability tracked as CVE-2017-0199. The attackers started leveraging this flaw just days after Microsoft released a fix.

When the malicious document is opened, an HTML application (HTA) file disguised as an RTF document is downloaded. PowerShell is then used to download and execute a script that fetches and runs the ZeroT downloader.

ZeroT was analyzed by Proofpoint when it investigated the recent attacks aimed at military and aerospace organizations, but some changes and improvements have been made in the latest version. One of the changes is the use of a legitimate McAfee utility for sideloading instead of a Norman Safeground utility.

While ZeroT is the threat actor’s most common first stage payload, the second payload includes various pieces of malware. In recent attacks, Proofpoint noticed both PlugX and a Trojan tracked as PCrat/Gh0st, which is used less often by the group.

Advertisement. Scroll to continue reading.

“Multinational organizations like the financial services firms targeted here must be acutely aware of the threats from state-sponsored actors working with sophisticated malware to compromise users and networks,” Proofpoint researchers explained. “Ongoing activity from attack groups like TA459 who consistently target individuals specializing in particular areas of research and expertise further complicate an already difficult security situation for organizations dealing with more traditional malware threats, phishing campaigns, and socially engineered threats every day.”

The fact that the threat actor has used CVE-2017-0199 in its operation is not surprising. The flaw had been exploited by several groups before Microsoft released a patch for it, and others, including Iranian hackersstarted using it shortly after its existence came to light.

Related: China-Linked “DragonOK” Group Expands Operations

Related: Chinese Hacking Group Linked to NetTraveler Espionage Campaign

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

Kelly Shortridge has been promoted to VP of Security Products at Fastly.

After the passing of Amit Yoran, Tenable has appointed Steve Vintz and Mark Thurmond as co-CEOs.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.