Check Point Research (CPR) has identified and blocked an ongoing surveillance operation targeting a Southeast Asian government. The attackers, believed to be a Chinese threat group by CPR, systematically sent weaponised documents, that impersonated other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs.
CPR suspects that the purpose of the operation is espionage through the installation of a previously unknown backdoor into the Windows software running on personal computers of victims. After the backdoor is installed, the attackers can collect nearly any information they want, as well as take screenshots and execute additional malware on a target’s personal computer. CPR’s investigation revealed that the attackers have been testing and refining its Windows backdoor tool for at least the past three years.
- Attackers began by sending weaponised documents, impersonating other entities within the same government, to multiple members of the target government’s Ministry of Foreign Affairs
- Attackers developed, tested and deployed a new cyber espionage weapon, specifically a Windows backdoor with the internal name “VictoryDll_x86.dll”, capable of collecting nearly any information the attackers want
- Surveillance operation placed significant effort into avoiding detection by limiting its working hours and changing its infrastructure multiple times
Lotem Finkelstein, Head of Threat Intelligence at Check Point Software Technologies commented, “All the evidence points to the fact that we are dealing with a highly-organised operation that placed significant effort into remaining under the radar. Every few weeks, the attackers used spear-phishing emails, laced with weaponised versions of government-themed documents, to try and create a foothold into the Ministry of Foreign affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponising documents for use against the Ministry of Foreign Affairs. All in all, the attackers, who we believe to be a Chinese threat group, were very systematic in their approach.
Ultimately, our investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, that the Chinese threat group has been developing since 2017. The backdoor was formed and reformed time and time again over the course of three years, before it was used in the wild. This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer. We learned that the attackers are not only interested in cold data, but also what is happening on target’s personal computer at any moment, resulting in live espionage. Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyber espionage weapon on other targets around the world.”