This campaign is suspected to have been launched by a long-running APT group that targets both government and private-sector organisations; the new wave leverages the COVID-19 pandemic as a lure to manipulate victims into opening the documents. The attackers also apply modern malware techniques in weaponised RTF documents. Information collected on this attack shows that the RTF files were built with Royal Road (the name Anomali gave this RTF weaponizer), also known as the '8.t' RTF exploit builder, which is used here primarily to exploit vulnerabilities in the Microsoft Word Equation Editor. A few of the malicious documents were written in Mongolian, one of them purportedly from the Ministry of Foreign Affairs of Mongolia, and that document contains information on recent Coronavirus infections.
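A defender's first pass on a document like the ones described above is to list the OLE objects an RTF embeds and flag any whose class is the Equation Editor. The following Python triage script is an added example, not code from Check Point or Cybers Guards; the sample RTF it scans is constructed, the `Equation.3` class name is the standard Equation Editor OLE class, and the brace matching deliberately ignores escaped braces, which is adequate for triage but is not a full RTF parser.

```python
r"""Static triage of an RTF document for embedded OLE objects.

Added example (not Check Point's or Cybers Guards' code). For every
{\object ...} group it reports the \objclass, whether \objupdate is set
(the object is activated when the document opens) and how many bytes of
\objdata it carries. Escaped braces (\{ \}) are not handled.
"""
import re
from typing import Dict, List

# Constructed sample: one Equation.3 object whose \objdata is an OLE1 header
# spelling out "Equation.3", plus a harmless picture object for contrast.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0 Times New Roman;}}"
    r"\pard Latest COVID-19 update\par"
    r"{\object\objemb\objupdate{\*\objclass Equation.3}"
    r"{\*\objdata 01050000020000000b0000004571756174696f6e2e3300}}"
    r"{\object\objemb{\*\objclass Paint.Picture}{\*\objdata 0105}}"
    r"}"
)

OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\;]+)")
OBJDATA_RE = re.compile(r"\\objdata\s+([0-9a-fA-F\s]+)")
OBJUPDATE_RE = re.compile(r"\\objupdate\b")

# OLE classes that have no business in documents you expect to receive;
# Equation Editor objects are what the RoyalRoad/8.t builder relies on.
SUSPICIOUS_CLASSES = {"equation.2", "equation.3"}


def extract_groups(rtf: str, control: str) -> List[str]:
    """Return every RTF group that opens with the given control word, brace-matched."""
    groups = []
    for m in re.finditer(r"\{\\" + re.escape(control) + r"\b", rtf):
        depth = 0
        for i in range(m.start(), len(rtf)):
            if rtf[i] == "{":
                depth += 1
            elif rtf[i] == "}":
                depth -= 1
                if depth == 0:
                    groups.append(rtf[m.start():i + 1])
                    break
    return groups


def triage_rtf(rtf: str) -> List[Dict]:
    """Describe each embedded object: class, auto-update flag, payload size, verdict."""
    findings = []
    for grp in extract_groups(rtf, "object"):
        cls_m = OBJCLASS_RE.search(grp)
        cls = cls_m.group(1).strip() if cls_m else "<none>"
        data_m = OBJDATA_RE.search(grp)
        payload = re.sub(r"\s", "", data_m.group(1)) if data_m else ""
        findings.append({
            "objclass": cls,
            "auto_update": bool(OBJUPDATE_RE.search(grp)),  # \objupdate: activated on open
            "objdata_bytes": len(payload) // 2,             # hex digits -> bytes
            "suspicious": cls.lower() in SUSPICIOUS_CLASSES,
        })
    return findings


def triage_file(path: str) -> List[Dict]:
    """Triage an RTF on disk; RTF is 7-bit text, so latin-1 decoding is lossless."""
    with open(path, "rb") as fh:
        return triage_rtf(fh.read().decode("latin-1"))


if __name__ == "__main__":
    for finding in triage_rtf(SAMPLE_RTF):
        print(finding)
```

On the constructed sample the first object is reported with class `Equation.3`, auto-update set and a 23-byte payload, and is marked suspicious; the picture object is not. In practice the `objdata_bytes` figure is a useful second signal: an Equation object carrying far more data than a formula needs deserves a closer look.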

Infection Vectors

When the user opens a malicious RTF document, the Microsoft Word vulnerability is exploited and a new file named intel.wll is dropped into the Word Startup folder.

This is one of the latest variants of the RoyalRoad arsenal's persistence technique: Word loads every DLL with a .wll extension found in its Startup folder each time the user launches MS Word, which restarts the infection chain. This approach also prevents the malicious chain from running to completion inside a sandbox. Once the intel.wll DLL is loaded, the next stage of the infection chain is downloaded from the C2 server (95.179.242[.]6) and decrypted. At this point the DLL, which appears to be the main loader of the malware framework built by the APT operators, can fetch additional functionality from other C2 servers. The malware includes a RAT module with the following key capabilities:

- Take a screenshot
- List files and directories
- Create and delete directories
- Move and delete files
- Download a file
- Execute a new process
- Get a list of all services
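Because the persistence described above depends on Word loading whatever .wll files sit in its Startup folder, the corresponding defensive check is to inventory that folder and flag any PE image that is not on an approved list. The script below is an added example, not code from Check Point or Cybers Guards. It assumes the standard per-user Startup location `%APPDATA%\Microsoft\Word\STARTUP` (additional directories, such as a machine-wide Office STARTUP folder, can be passed in), and the files in its demo directory are constructed stand-ins, not real samples.

```python
r"""Audit the Word Startup folder for add-in DLLs (.wll) that Word will load.

Added example (not Check Point's or Cybers Guards' code). Assumes the
standard per-user Startup location %APPDATA%\Microsoft\Word\STARTUP; extra
directories can be passed in. Any file that is a PE image (MZ header) or
carries a .wll/.dll extension is flagged unless its SHA-256 is on an
allowlist the operator maintains.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set, Union

ADDIN_EXTENSIONS = {".wll", ".dll"}


def word_startup_dirs(extra: Iterable[str] = ()) -> List[Path]:
    """Candidate Startup folders: the per-user default plus any passed in."""
    dirs = [Path(d) for d in extra]
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.insert(0, Path(appdata) / "Microsoft" / "Word" / "STARTUP")
    return dirs


def audit_startup_dir(directory: Union[str, Path],
                      allowed_sha256: Optional[Set[str]] = None) -> List[Dict]:
    """Return one record per file, with flagged=True for unexpected loadable code."""
    directory = Path(directory)
    allowed = {h.lower() for h in (allowed_sha256 or set())}
    findings: List[Dict] = []
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if not entry.is_file():
            continue
        data = entry.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        is_pe = data[:2] == b"MZ"  # a DLL renamed to .wll is still a PE image
        looks_like_addin = entry.suffix.lower() in ADDIN_EXTENSIONS or is_pe
        findings.append({
            "name": entry.name,
            "sha256": digest,
            "is_pe": is_pe,
            "flagged": looks_like_addin and digest not in allowed,
        })
    return findings


def demo_with_constructed_dir(allowed_sha256: Optional[Set[str]] = None) -> List[Dict]:
    """Build a throwaway Startup folder with constructed files and audit it."""
    d = Path(tempfile.mkdtemp(prefix="word_startup_"))
    # Constructed stand-ins, not real malware: a fake PE named like the dropper
    # and a fake template, which is the kind of file that legitimately lives here.
    (d / "intel.wll").write_bytes(b"MZ" + b"\x00" * 62)
    (d / "Report.dotm").write_bytes(b"PK\x03\x04" + b"\x00" * 28)
    return audit_startup_dir(d, allowed_sha256)


if __name__ == "__main__":
    for startup in word_startup_dirs():
        for rec in audit_startup_dir(startup):
            if rec["flagged"]:
                print(f"[!] {startup / rec['name']} sha256={rec['sha256']}")
    print(demo_with_constructed_dir())
```

Run on a real workstation the script prints any flagged file under the user's Startup folder; on a clean machine that folder is usually empty or holds only .dotm templates. Maintaining the allowlist by hash rather than by filename matters here, since the dropper's name (intel.wll) is chosen to look like a legitimate add-in.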

Both C&C servers were hosted on Vultr, and their domains were registered through the GoDaddy registrar.

Indicators of Compromise

RTFs:

DLLs:

RAT:

Checkpoint Reported that Chinese APT Hackers Exploit MS Word Bug to Drop Malware (Cybers Guards)