Attackers Leverage ‘COVID-19’ Scare to Target Mongolian Public Sector With RAT Module

  • Chinese threat actors sent weaponized RTF documents to their targets in the Mongolian public sector organizations.
  • The RTF documents are weaponized with newer versions of RoyalRoad.

Threat actors have started leveraging the ongoing ‘COVID-19’ scare as a lure to trick organizations. One such malware campaign has been identified by Check Point researchers.

What does the report say?
Check Point Research has uncovered a new campaign that takes advantage of the current Coronavirus scare to target the Mongolian public sector. A close look at the campaign reveals that it is carried out by the same anonymous group, dating back to at least 2016.

Researchers claim that the group has targeted various government and private sectors previously.

Infection vector
The attack begins with RTF documents sent to the Mongolian public sector. The documents are written in the Mongolian language, with one of them from the Mongolian Ministry of Foreign Affairs. These documents contain information about the new COVID-19 infections.

These RTF files are weaponized with newer versions of RoyalRoad. RoyalRoad is sometimes called ‘8.t RTF exploits builder which is mainly used here to exploit the Equation Editor vulnerabilities of Microsoft Word.

Once the victim opens the malicious RTF document, RoyalRoad exploits the vulnerability in the Microsoft Word and later drops a new file named intel.wll into the Word startup folder.

These newer versions of RoyalRoad utilizes the persistence technique to launch all the DLL files with a WLLextension in the Word Startup folder.

Final stage
At the final stage of the infection chain, the malicious loader downloads and decrypts a RAT module which is also in the form of a DLL file. The RAT module is loaded into memory and include various functionalities like:

  • Taking screenshots;
  • Listing files and directories;
  • Creating and deleting directories;
  • Moving and deleting files;
  • Downloading a file;
  • Executing a new process;
  • Getting a list of all services.

An extensive analysis of the TTPs used by threat actors has revealed that all the C2 servers are hosted on Vultr servers and the domains are registered via the GoDaddy registrar.