The TA428 group has been successful by targeting known vulnerabilities and using known detection evasion techniques. (Image credit: Smederevac / Getty Images)

Since early this year, a known APT group of Chinese origin has been targeting military industrial complex enterprises and public institutions in Ukraine, Russia and Belarus, as well as in other parts of the world like Afghanistan. The group, tracked in the past as TA428, has an interesting approach where it deploys up to six different backdoors on compromised targets, likely to achieve persistence and redundancy.

The targets included industrial plants, design bureaus, research institutes, and government ministries, agencies, and departments, according to researchers from antivirus vendor Kaspersky Lab, which investigated the attack campaign.

“The attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking control of systems used to manage security solutions,” the researchers said in a report. “An analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal of this series of attacks.”

TA428 has a history of attacking defense targets

Out of the six backdoor programs used in the latest campaign, five have previously been used by the Chinese cyberespionage group TA428. This group targeted defense-related organizations in Russia and Mongolia last year, and some of those attacks were documented by other security firms at the time. However, there is a lot of code and tool sharing among Chinese APT groups, especially those believed to be associated with the Chinese government, so multiple groups might use some of the backdoor programs: PortDoor, nccTrojan, Logtu, Cotx, and DNSep.
“We believe that the series of attacks that we have identified is highly likely to be an extension of a known campaign that has been described in Cybereason, DrWeb and NTTSecurity research and has been attributed with a high degree of confidence to APT TA428 activity,” the Kaspersky researchers said.

In addition to the backdoor programs themselves, there is also overlap in techniques and even command-and-control servers used by TA428 in the past, as well as some indirect evidence.

Targeted phishing with malicious documents

The initial infection vector consists of carefully crafted spear-phishing emails directed at employees of the targeted organizations. Some of these emails contained operational details that were specific to each targeted organization and were not publicly available, such as names of employees in charge of certain projects or internal project code names. This suggests the attackers did deep reconnaissance in advance or obtained these sensitive details from past compromises.

The spear-phishing emails had maliciously crafted Word documents attached that attempted to exploit CVE-2017-11882, a remote code execution vulnerability in the Microsoft Equation Editor, which is part of Microsoft Word. This vulnerability is also listed in CISA’s Known Exploited Vulnerabilities catalog with a patch deadline of May 3, 2022, for U.S. government agencies.

“An analysis of document metadata has shown that, with a high degree of likelihood, the attackers stole the document (while it was still legitimate) from another military industrial complex enterprise, after which they modified it using a weaponizer, a program designed to inject malicious code into documents,” the researchers said.

If successful, the exploit deploys a new version of the PortDoor backdoor, which is used to collect information about the infected system, send it back to a C2 server and, if the attackers deem the system interesting, deploy additional malware.
This backdoor was associated with TA428 in an older report by security firm Cybereason.

TA428’s collection of backdoors

PortDoor is then used to deploy another malicious program with backdoor functionality called nccTrojan, which provides an alternative way to control the infected system and exfiltrate interesting files from it. This Trojan has been associated with TA428 in past research by NTT Security, the security arm of Japanese telecommunications giant NTT.

As part of its lateral movement activities, the group was also seen deploying two backdoor programs called Cotx and DNSep on newly infected local systems. These backdoor programs are almost identical in functionality and only differ in code. Both are deployed using DLL hijacking techniques against outdated versions of McAfee SecurityCenter, the Sophos SafeStore Restore tool, and the Intel Common User Interface.

DLL hijacking refers to the practice of dropping a malicious DLL in a folder that’s prioritized in a legitimate program’s library search path. This means the program will end up loading the malicious DLL if it exists with a particular name and in a particular location. The technique is meant to make detection more difficult because a legitimate program does the loading of the malicious code, rather than a new, unfamiliar process.

Both programs also use another detection evasion technique known as process hollowing, which involves replacing a legitimate program’s code in memory with malicious code. Cotx injects itself into dllhost.exe, a legitimate Windows process, while DNSep is injected into the process of powercfg.exe, a power management utility.

Another backdoor used by the hackers and loaded in a similar way to Cotx and DNSep is called Logtu and has been associated with TA428 attacks in the past by Russian antivirus vendor Dr.Web.

Finally, the Kaspersky researchers detected a previously undocumented backdoor in the latest attacks.
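The search-order behaviour behind DLL hijacking is simple to model, and a defender can use the same model to audit an application folder for planted DLLs. The script below is an added illustration for this article, not code from Kaspersky's report or from any of the products named above. It reproduces the default search order Microsoft documents for SafeDllSearchMode (enabled by default on modern Windows) together with the KnownDLLs exception, over a constructed in-memory "filesystem", so it runs offline. The directory layout, the KnownDLLs subset and the sample application (ExampleApp, its imports, and the two planted files) are all constructed.

```python
"""Model of the Windows DLL search order, used to audit an application
folder for planted (hijacking) DLLs.

Added illustration; not code from Kaspersky's report or from any product
named in the article. Host layout, KnownDLLs subset and the sample
application are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"
SYSTEM_DIRS = (SYSTEM32, SYSTEM16, WINDIR)

# Subset (assumed) of the modules normally listed under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# The loader takes these from System32 no matter what sits in the app folder,
# so planting a file with one of these names does not hijack anything.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str]) -> List[str]:
    """Default order with SafeDllSearchMode on: application directory first,
    then the system directories, then the current directory, then PATH."""
    return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]


def resolve(dll: str, app_dir: str, fs: Dict[str, Set[str]],
            cwd: str = r"C:\Users\victim", path_dirs: Iterable[str] = ()) -> Optional[str]:
    """Return the directory the loader would take `dll` from, or None if the
    import cannot be satisfied. `fs` maps a directory to its lowercase file names."""
    name = dll.lower()
    if name in KNOWN_DLLS:
        return SYSTEM32 if name in fs.get(SYSTEM32, set()) else None
    for directory in search_order(app_dir, cwd, path_dirs):
        if name in fs.get(directory, set()):
            return directory
    return None


@dataclass
class Finding:
    exe: str
    dll: str
    loaded_from: str   # where the loader would actually pick the module up
    system_copy: str   # where the genuine module lives


def audit(app_dir: str, exe: str, imports: Iterable[str],
          fs: Dict[str, Set[str]], writable_dirs: Set[str]) -> List[Finding]:
    """Flag imports that resolve from a user-writable directory although a
    copy exists in a system directory: the shadowing a planted DLL relies on."""
    findings = []
    for dll in imports:
        chosen = resolve(dll, app_dir, fs)
        if chosen is None or chosen not in writable_dirs:
            continue
        genuine = next((d for d in SYSTEM_DIRS if dll.lower() in fs.get(d, set())), None)
        if genuine is not None:
            findings.append(Finding(exe, dll, chosen, genuine))
    return findings


# Constructed host layout: a legitimate application folder in which two DLLs
# have been planted. One shadows version.dll and is a real hijack; the other
# tries to shadow kernel32.dll, which KnownDLLs makes ineffective.
APP_DIR = r"C:\Program Files\ExampleApp"
SAMPLE_FS = {
    SYSTEM32: {"kernel32.dll", "ntdll.dll", "version.dll", "dbghelp.dll"},
    APP_DIR: {"exampleapp.exe", "version.dll", "kernel32.dll"},
}
SAMPLE_IMPORTS = ["kernel32.dll", "version.dll", "dbghelp.dll"]


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed layout; returns one finding (version.dll)."""
    return audit(APP_DIR, "exampleapp.exe", SAMPLE_IMPORTS, SAMPLE_FS, {APP_DIR})


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.exe}: {f.dll} would load from {f.loaded_from} "
              f"(genuine copy in {f.system_copy})")
```

On a real host the `fs` map and import list would come from a directory listing and the executable's import table (or from the modules a running process has actually loaded), and the writable-directory set from an ACL check; the point of the model is the condition to look for, a module name that belongs in System32 being satisfied from a folder an attacker could write to.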
This malware program has been dubbed CotSam because it resembles Cotx, but it’s deployed in a significantly different way. In one case, the attackers bundled the malware with versions of Microsoft Word — Microsoft Word 2007 for 32-bit systems and Microsoft Word 2010 for 64-bit systems — that were vulnerable to DLL hijacking. In another case, they exploited a DLL hijacking vulnerability in the applaunch.exe application, a technique used before in the ShadowPad supply chain attacks by Chinese APT Winnti (APT41).

Finally, in addition to these backdoor programs, the attackers also used the Ladon modular hacking framework for lateral movement activities, as well as the NBTscan network scanner and various manual commands. Their goal was to identify vulnerable systems on the network, collect and crack password hashes for network resources, identify users with RDP remote access, search for passwords in text files and ultimately gain access to the network’s domain controller.

Once the attackers compromise a domain controller, they dump the password hashes for all existing user identities and investigate the relationships with other domain controllers, if any exist on the same network. “In the process of attacking a domain controller, the attackers obtained, among others, the password hash of the user krbtgt (Active Directory service account), enabling them to conduct an attack known as Golden Ticket,” the researchers said.
“It allowed them to issue Kerberos tickets (TGT) independently and authenticate on any Active Directory service – all of this for an unlimited time.”

This attack is powerful because it allows the attackers to continue abusing an identity with Kerberos tickets even after the account has been flagged as compromised and its password has been reset.

The attackers managed to compromise dozens of organizations despite exploiting known vulnerabilities and using known detection evasion techniques and backdoor programs, so this attack campaign is likely to continue and possibly expand. Government and industrial organizations should ensure that they have the necessary security hardening and detection capabilities in place to prevent such intrusions. The Kaspersky ICS CERT report contains indicators of compromise associated with this latest campaign.
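A forged TGT never passes through a domain controller's ticket-granting path, so one of the detection capabilities mentioned above is to correlate Kerberos audit events: a service-ticket request from a client that never obtained or renewed a TGT in the logs, or whose last logged TGT is older than the domain's maximum TGT lifetime, deserves a look. The script below is an added illustration for this article, not code from Kaspersky's report. It runs over a constructed, simplified list of Windows security events (4768 = TGT requested, 4770 = TGT renewed, 4769 = service ticket requested) using the field names those events carry; the account names, addresses, service names and timestamps are all constructed, and the 10-hour lifetime is the default domain policy value, which a real deployment would read from its own policy.

```python
"""Correlate Kerberos audit events to spot service-ticket requests that no
logged TGT issuance or renewal explains.

Added illustration for the Golden Ticket discussion; not code from
Kaspersky's report. Sample events are constructed and simplified.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

MAX_TGT_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket"
ISSUANCE_EVENTS = {4768, 4770}           # TGT requested / TGT renewed
TGS_EVENT = 4769                         # service ticket requested

NO_TGT = "no TGT issuance or renewal logged for this account from this client"
STALE_TGT = "last logged TGT is older than the maximum TGT lifetime"


def normalise_ip(ip: str) -> str:
    """Windows writes IPv4 client addresses as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return ip[7:] if ip.lower().startswith("::ffff:") else ip


def account_name(target_user: str) -> str:
    """4769 carries user@REALM while 4768/4770 carry the bare name; compare the bare name."""
    return target_user.split("@", 1)[0].lower()


def find_unexplained_tgs(events: List[Dict],
                         max_lifetime: timedelta = MAX_TGT_LIFETIME) -> List[Dict]:
    """Return the 4769 events for which no recent TGT issuance/renewal exists for
    the same (account, client IP) pair, with a Reason field attached."""
    last_tgt: Dict[Tuple[str, str], datetime] = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        key = (account_name(ev["TargetUserName"]), normalise_ip(ev["IpAddress"]))
        if ev["EventID"] in ISSUANCE_EVENTS:
            last_tgt[key] = when
        elif ev["EventID"] == TGS_EVENT:
            issued = last_tgt.get(key)
            if issued is None:
                findings.append({**ev, "Reason": NO_TGT})
            elif when - issued > max_lifetime:
                findings.append({**ev, "Reason": STALE_TGT})
    return findings


# Constructed events. alice and bob behave normally (bob's TGT is a renewal,
# 4770, which must count as issuance); the Administrator request from
# 10.0.0.77 has no TGT behind it, and alice's late request relies on a TGT
# that should have expired hours earlier.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-03-01T08:00:00", "EventID": 4768, "TargetUserName": "alice",
     "IpAddress": "::ffff:10.0.0.5"},
    {"TimeCreated": "2022-03-01T08:00:03", "EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL",
     "ServiceName": "cifs/fileserver", "IpAddress": "::ffff:10.0.0.5"},
    {"TimeCreated": "2022-03-01T09:15:00", "EventID": 4769, "TargetUserName": "Administrator@EXAMPLE.LOCAL",
     "ServiceName": "ldap/dc01", "IpAddress": "::ffff:10.0.0.77"},
    {"TimeCreated": "2022-03-01T12:00:00", "EventID": 4770, "TargetUserName": "bob",
     "IpAddress": "::ffff:10.0.0.9"},
    {"TimeCreated": "2022-03-01T12:00:05", "EventID": 4769, "TargetUserName": "bob@EXAMPLE.LOCAL",
     "ServiceName": "cifs/fileserver", "IpAddress": "10.0.0.9"},
    {"TimeCreated": "2022-03-01T23:30:00", "EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL",
     "ServiceName": "cifs/fileserver", "IpAddress": "::ffff:10.0.0.5"},
]


def find_sample() -> List[Dict]:
    """Run the correlation over the constructed events; returns two findings."""
    return find_unexplained_tgs(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in find_sample():
        print(f"{f['TimeCreated']} {f['TargetUserName']} -> {f['ServiceName']} "
              f"from {normalise_ip(f['IpAddress'])}: {f['Reason']}")
```

Two caveats matter in practice: the events must be merged from every domain controller, because a client may obtain its TGT from one DC and request service tickets from another, and any TGT issued before the collection window started will show up as a false positive until the window is long enough. As for remediation, resetting the compromised user's password does nothing against a forged ticket; the krbtgt account password has to be reset twice, with replication allowed to complete between the two resets, before tickets signed with the stolen hash stop being accepted.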