Security Experts:

Connect with us

Hi, what are you looking for?



Recently Patched .NET Flaw Exploited by China-Linked Cyberspies

A cyber espionage group previously linked to China has been using a recently patched .NET vulnerability in attacks aimed at organizations in the United States, including a shipbuilding company and a university research center with ties to the military.

A cyber espionage group previously linked to China has been using a recently patched .NET vulnerability in attacks aimed at organizations in the United States, including a shipbuilding company and a university research center with ties to the military.

The threat actor, known for its use of a remote access trojan (RAT) named NanHaiShu, has been active since at least 2014. In the past years, it has targeted various U.S. and Western European organizations with ties to the maritime sector, including naval defense contractors and research institutions.

A report published last year by F-Secure detailed attacks launched by the group against the participants of a Permanent Court of Arbitration case focusing on a dispute between China and the Philippines over the South China Sea.

F-Secure did not directly attribute the attacks to the Chinese government, but researchers found several pieces of evidence suggesting that the NanHaiShu malware had Chinese origins.

The latest round of attacks attributed to this group were observed by researchers at Proofpoint in mid-September. Experts noticed that the attacker sent spear-phishing emails to a U.S. shipbuilding company and a U.S. university research center with ties to the military.

The emails carried documents designed to exploit CVE-2017-8759, a .NET vulnerability patched by Microsoft just days before the attacks were launched. At the time when Microsoft released fixes, the flaw had already been exploited by a Middle Eastern threat actor to deliver spyware.

Proofpoint has also seen attacks launched by the cyber espionage group in early August. These attacks exploited CVE-2017-0199, an Office vulnerability that had also been exploited in attacks when Microsoft released a patch for it back in April.

The attacks targeted several defense contractors and they involved malicious Microsoft Publisher files, PowerPoint presentations, and domains set up to mimic ones belonging to an important provider of military ships and submarines. Researchers from other companies also analyzed these attacks and some pointed out that many of the targets were in South Korea.

In addition to NanHaiShu, the attackers have used a backdoor dubbed “Orz,” which has been spotted in both old attacks and ones launched in August 2017, loaders such as SeDLL and MockDLL, and the Cobalt Strike penetration testing tool.

In some cases, researchers noticed that the attackers used one organization’s compromised email accounts to send malicious attachments to others in the same industry. The hackers also used hijacked servers for command and control (C&C).

“The tools, techniques, and targets consistently connect their work, particular given their attention to naval and maritime defense interests and use of custom backdoors,” Proofpoint researchers said in a blog post. “While defense contractors and academic research centers with military ties should always be cognizant of the potential for cyberattacks, organizations fitting their targeting profiles should be especially wary of legitimate-looking but unsolicited emails from outside entities.”

Related: China-linked KHRAT Operators Adopt New Delivery Techniques

Related: Hackers Target Prominent Chinese-Language News Sites

Related: China-Linked Spies Use Recent Zero-Day to Target Financial Firms

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.