Multiple Chinese Groups Share the Same RTF Weaponizer

During an investigation into an RTF weaponizer possibly shared by Indian and Chinese APT groups, researchers have discovered that multiple Chinese groups have updated the weaponizer to exploit the Microsoft Equation Editor (EE) vulnerability CVE-2018-0798. The same weaponizer had previously delivered exploits for the EE vulnerabilities CVE-2017-11882 and CVE-2018-0802.

Researchers at Anomali believe the earlier weaponizer was favored because the two vulnerabilities it employed are easier to exploit than CVE-2018-0798. CVE-2018-0798, however, has the advantage of affecting all versions of EE, so it still works on any host that has not received the January 2018 Office updates in which Microsoft removed the Equation Editor component altogether. The earliest in-the-wild RTF sample exploiting this vulnerability dates back to October 2018.

Weaponizers are scripts that inject a malicious RTF object into a pre-crafted RTF phishing document. Anomali has been investigating whether multiple groups use the same supply chain for their weaponizer. A weaponizer can be fingerprinted through the object dimensions shared across the weaponized exploits in the delivered RTF files, since the tool stamps the same values into every document it produces; the actor behind a given document is identified through its different post-exploitation behavior.

Anomali has detected numerous Chinese actors sharing the same new RTF weaponizer, which they all updated at around the same time. These include Goblin Panda (aka Conimes), KeyBoy (aka APT 23), Emissary Panda (aka APT27), Rancor Group, and Temp.Trident (aka Icefog).

However, from June 2019 the researchers started to find multiple commodity campaigns (mostly dropping AsyncRAT, an open source RAT for Windows) also using the newer updated weaponizer with the same exploit (CVE-2018-0798). The earlier weaponizer (with CVE-2017-11882 and CVE-2018-0802) had been used exclusively by Chinese state actors from December 2017 to December 2018; after that, cybercriminal actors started to incorporate it into their own activity. This suggests that the author of the weaponizer has expanded their market from Indian and, primarily, Chinese state groups to the wider cybercriminal community.

Because so many different actors use the same CVE-2018-0798 weaponizer, Anomali has observed several distinct techniques for dropping malicious payloads after exploitation. Goblin Panda has employed OLE package objects and DLL sideloading; the Rancor Group has used OLE package objects and VBScript execution; and Emissary Panda has dropped a '.wll' file into the Microsoft Word startup folder, from which Word loads it as an add-in the next time it starts.
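As an added example (not Anomali's tooling and not code from the article), the following Python script shows the kind of triage that the fingerprinting described above rests on: it pulls each embedded object's class name and \objw/\objh dimensions out of RTF text, flags Equation Editor and OLE package objects of the kind used in the payload-dropping techniques just listed, and clusters documents whose Equation objects share identical dimensions. The three RTF fragments, their dimensions and their hex payloads are constructed for illustration and are not values observed in any real campaign. Real samples from these campaigns are usually obfuscated (split or padded control words, junk groups), so the plain regular expressions here are a teaching aid; for production triage use a proper RTF tokenizer such as rtfobj from oletools.

```python
import re
from collections import defaultdict

# Constructed RTF fragments standing in for weaponized phishing documents.
# Object dimensions, class names and hex payloads are made up for this
# example; they are not values observed in any real campaign.
SAMPLES = {
    "doc_A.rtf": r"""{\rtf1\ansi\deff0
{\object\objemb\objw1234\objh567{\*\objclass Equation.3}{\*\objdata 0105000002000000}}
{\object\objemb\objw800\objh300{\*\objclass Package}{\*\objdata 0200000002000000}}
}""",
    "doc_B.rtf": r"""{\rtf1\ansi\deff0
{\object\objemb\objw1234\objh567{\*\objclass Equation.3}{\*\objdata 0105000002000000}}
}""",
    "doc_C.rtf": r"""{\rtf1\ansi\deff0
{\object\objemb\objw2000\objh900{\*\objclass Equation.3}{\*\objdata 0105000002000000}}
}""",
}

# Each \object group is taken to run until the next \object control word or end of input.
OBJECT_RE = re.compile(r"\\object(?P<body>.*?)(?=\\object\b|\Z)", re.DOTALL)
OBJW_RE = re.compile(r"\\objw(-?\d+)")   # object width in twips
OBJH_RE = re.compile(r"\\objh(-?\d+)")   # object height in twips
CLASS_RE = re.compile(r"\\\*\\objclass\s+([^}\\]+)")


def extract_objects(rtf: str) -> list[dict]:
    """Return one record per embedded object: class name, dimensions, payload present."""
    records = []
    for m in OBJECT_RE.finditer(rtf):
        body = m.group("body")
        w, h, c = OBJW_RE.search(body), OBJH_RE.search(body), CLASS_RE.search(body)
        records.append({
            "objclass": c.group(1).strip() if c else None,
            "objw": int(w.group(1)) if w else None,
            "objh": int(h.group(1)) if h else None,
            "has_objdata": "\\objdata" in body,
        })
    return records


def triage(rtf: str) -> list[str]:
    """Flag the object types the article associates with these campaigns."""
    flags = []
    for rec in extract_objects(rtf):
        cls = rec["objclass"] or ""
        if cls.startswith("Equation."):   # Equation Editor (EQNEDT32.EXE) object
            flags.append("equation_editor_object")
        elif cls == "Package":            # OLE package object carrying a dropped file
            flags.append("ole_package_object")
    return flags


def weaponizer_fingerprint(rtf: str):
    """(class, width, height) of the first Equation object, or None if there is none."""
    for rec in extract_objects(rtf):
        if (rec["objclass"] or "").startswith("Equation."):
            return (rec["objclass"], rec["objw"], rec["objh"])
    return None


def cluster_by_fingerprint(samples: dict[str, str]) -> dict[tuple, list[str]]:
    """Group documents whose Equation objects share identical dimensions.

    A weaponizer stamps the same objw/objh into every file it produces, so
    identical fingerprints across otherwise unrelated lures point at a shared tool.
    """
    clusters = defaultdict(list)
    for name, rtf in samples.items():
        fp = weaponizer_fingerprint(rtf)
        if fp is not None:
            clusters[fp].append(name)
    return dict(clusters)


if __name__ == "__main__":
    for name, rtf in SAMPLES.items():
        print(name, triage(rtf), weaponizer_fingerprint(rtf))
    for fp, docs in cluster_by_fingerprint(SAMPLES).items():
        print("shared fingerprint", fp, "->", docs)
```

Run against a directory of samples, the cluster step is what separates the tool from the operator: documents in the same cluster came out of the same weaponizer, and the payload and post-exploitation behaviour of each document then tells you which actor used it.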

The conclusions from Anomali's research confirm that there is a strong sharing culture among Chinese groups. The first weaponizer was used exclusively by Chinese state actors for about a year before it began to be used by cybercriminals; the second was used by the state actors for around six months before it too began to be used by cybercriminals. It is not clear whether a state actor developed the weaponizer and shared it with other groups, or whether it was developed by a third party and supplied to the actors.

"When we began this research, our focus on the malicious RTF weaponizer and groups using them led us to suspect that these APTs, which typically work in silos, were collaborating or sharing the same supply chain. We realized that this is the case after observing that all of the groups updated their weaponizers to use new exploits at almost the same time," said Anomali threat intelligence researcher Ghareeb Saad. "This observation is significant. It shows that these threat actors have exploit developing capabilities and are operating together. Such a move could help them to become more efficient and effective."

The researchers added, "This may indicate that the Chinese groups sold the exploit after using it in their malicious campaigns. These findings also suggest that the threat groups have robust exploit developing capabilities because CVE-2018-0798 is not widely reported on and it is typically not incorporated into publicly available weaponizers."

Silicon Valley-based Anomali, which provides a SaaS-based threat intelligence platform, was founded in 2013 by Colby DeRodeff and Greg Martin. In April 2016 it raised $30 million in a series C funding round, led by Institutional Venture Partners (IVP). It raised a further $40 million in a Series D round in January 2018, bringing the total raised to date to $96.3 million.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.