What's the fuss about?
According to a detailed report published on the Malwarebytes blog, researchers found an archive file containing an embedded document that pretended to come from the Government of India. The document was used to drop a malicious template loaded with a variant of Cobalt Strike. On first observation, this malicious template appeared to be a new kind.
What events and developments occurred during this campaign?
The day after the suspicious file was found, the same attacker changed their template and dropped a loader called MgBot (the name of the malware), which executes and injects the final file, the actual payload, through the AppMgmt (Application Management) service available on Windows machines.
Some days later, on 5 July, Malwarebytes observed another similarly formatted file, but this time the embedded document carried a statement about Hong Kong and appeared to come from the UK's Prime Minister Boris Johnson. On closer analysis, the file was found to use the same TTPs (Tactics, Techniques and Procedures) to drop and execute the same payload seen in the Indian variant.
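The report only says that the loader runs and injects its payload "through the AppMgmt service". A practical first check on a Windows host is therefore to confirm that this service is still configured the way Windows ships it. The script below is an added example written for this page, not code from Malwarebytes or from the malware analysis; it assumes, hypothetically, that an attacker would either re-point the service's registered DLL or inject into the svchost process hosting it, so it prints the service state, the `ServiceDll` value under the service's registry key, the Authenticode signature of that DLL, and any module in the hosting process that does not live under `System32`. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original report): sanity-check the Windows
# AppMgmt service configuration. The stock value of ServiceDll is
# %SystemRoot%\System32\appmgmts.dll; anything else is worth a closer look.
# Assumption (hypothetical): the loader abuses the service's DLL or host process.

$svcName     = 'AppMgmt'
$expectedDll = Join-Path $env:SystemRoot 'System32\appmgmts.dll'

# 1. Service state, start mode and the host process command line
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
"{0}: state={1} start={2}" -f $svc.Name, $svc.State, $svc.StartMode
"ImagePath: {0}" -f $svc.PathName

# 2. The DLL that svchost loads for this service
$params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName\Parameters"
$dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
"ServiceDll: $dll"

# 3. Compare against the stock path and verify the file is signed by Microsoft
if ($dll -ne $expectedDll) {
    Write-Warning "ServiceDll differs from the stock path ($expectedDll)"
}
$sig = Get-AuthenticodeSignature -FilePath $dll
"Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "ServiceDll is not validly signed by Microsoft: $dll"
}

# 4. If the service is running, list modules in its svchost that are not under
#    System32 (a cheap way to spot an injected or side-loaded DLL)
if ($svc.ProcessId) {
    Get-Process -Id $svc.ProcessId |
        Select-Object -ExpandProperty Modules |
        Where-Object { $_.FileName -notlike "$env:SystemRoot\System32\*" } |
        Select-Object ModuleName, FileName
}
```

A clean host prints the stock `appmgmts.dll` path with a `Valid` Microsoft signature and no out-of-tree modules; any warning is a lead for a full forensic look rather than proof of this particular campaign.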
Does this attack have political connections and a motive?
If you have followed the news recently, you will have noticed tensions between Hong Kong and China over the new law imposed on the territory in the name of national security. The people of Hong Kong did not welcome the law; instead, protests erupted across the territory.
On the other hand, there have been serious tensions between the two Asian giants, India and China, over their border dispute. These tensions escalated further after a clash between the Indian Army and the Chinese PLA in which more than 20 Indian soldiers were killed; a similar double-digit number of deaths is suspected on the Chinese side, although China has not disclosed figures beyond acknowledging the death of one PLA commanding officer.
Given these tensions between China on one side and India and Hong Kong on the other, it would not be surprising if the attack were run by a Chinese state-sponsored actor. Malwarebytes believes this is a relatively new group whose activity dates back to 2014.
What can we do to avoid being targeted?
Since there is no way to know who these state-sponsored actors will target next, it is always wise to be prepared for such attacks. Things you can do to reduce your chances of becoming a victim:
- Install trustworthy antivirus or equivalent security software on your system.
- Try to keep separate devices for home and work. If that is not possible, create separate user accounts on the same device so that your data does not mix.
- Avoid shady websites, applications or services that offer products or solutions for free or at a steep discount. Only trust them after thorough research.
- Always back up your hard drives. External storage such as flash drives or external HDDs works well for this, and cloud backup is also a good option.
- Do not download paid products for free from torrents or other sources; such copies are routinely bundled with malicious code. Why would anyone give you anything for free? Think again.
- Do not open mail from unknown senders, especially emails that claim unbelievable things such as a lottery win. There is no random lucky lottery, and no Mr. Simon or Mr. Bob willing to deposit millions of pounds into your bank account.
- Always consult a good security expert for tips and tricks on the same. For example, follow our website and our pages on Facebook, Twitter and Instagram to stay updated. 😉
If you want more technical details, read the full report here.