An APT campaign dubbed Operation Dragon Castling has been targeting betting companies in Southeast Asian countries. The campaign has similarities with several old malware samples used by an unspecified Chinese-speaking APT group.
What has happened?
The researchers who spotted the attacks discovered two infection vectors being used to spread malware.
- One is an infected installer and another is abusing a legitimate application, WPS Office.
- The attackers are suspected to have abused CVE-2022-24934 vulnerability in the WPS Office updater wpsupdate1[.]exe.
- One of the malicious files used in this campaign is the MulCom backdoor that is believed to be loaded by a malicious file, CorePlugin.
Different components at work
The infection includes multiple components such as Dropper 1, Dropper 2, Loader (CoreX), and Proto8 (Core module). Every component is used to accomplish different goals and tasks for the attackers.
- Dropper 1 (QMSpeedupRocketTrayStub64[.]dll): The first dropper is a backdoor that communicates with C2 and performs several preparational operations.
- Dropper 2 (IcbcLog): The second dropper is a runner that escalates privileges via the COM Session Moniker Privilege Escalation (MS17-012) and drops a few binaries, as well.
- Loader (CoreX): It is a DLL that is side-loaded with Dropper 2 and acts as a dropper.
- Proto8 (Core module): A single DLL that is responsible for setting up MulCom backdoor’s working directory, loading configuration files, and other actions.
A connection with FFRat
The researchers have spotted notable code similarities between the MulCom backdoor and FFRat malware samples, discovered in 2015 and 2017. This indicates that FFRat code is being used by multiple Chinese APT groups and researchers were not able to attribute them to any specific APT group.
Conclusion
Operation Dragon Castling is yet another campaign by a Chinese-speaking APT group using a robust and modular toolset to target its victims. Thus, organizations are suggested to update used OS and applications with the latest security patches. Further, use a reliable anti-malware solution with behavior-based detection.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_343998182.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/iStock_43163012_MEDIUM.jpg)
