Chinese-linked hacking group gets crafty to avoid detection
Written by Oct 2, 2019 | CYBERSCOOP

Over the last several months, Chinese-linked hackers have been targeting a Southeast Asian government using simple spearphishing emails and hundreds of malicious documents with a focus on consistently changing their tactics to avoid detection, according to Check Point research.

The most noteworthy part of the hackers’ months-long campaign is their perpetually changing tactics, according to Michael Abramzon, the cyber research team lead at Check Point. Over the seven months Check Point has watched the group, it has consistently been able to install PowerShell-based backdoors on victim machines via spearphishing emails laced with malicious documents.

The group, known as Rancor group, used different delivery methods and payloads to do so, switching every couple of months. In December, the group was sending victims documents containing macro code that eventually downloaded a malicious installer (an MSI payload) from the group’s server, which in turn installed a PowerShell script. But between January and March, the group started sending a new kind of malicious macro and omitted the MSI payload, while still installing a PowerShell backdoor.
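To show how a defender might spot both delivery chains described above in endpoint telemetry, here is an added example (not code from the article or from Check Point): it walks constructed process-creation events and flags PowerShell launched from an Office application, either directly or via msiexec. The event format, process names and PIDs are assumptions.

```python
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INSTALLER = {"msiexec.exe"}
SHELL = {"powershell.exe", "pwsh.exe"}

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # executable name, lower-cased

# Constructed sample events (hypothetical PIDs); ppid links a child to its parent.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe"),
    ProcEvent(200, 100, "winword.exe"),     # user opens the attached document
    ProcEvent(300, 200, "msiexec.exe"),     # macro launches the downloaded MSI
    ProcEvent(400, 300, "powershell.exe"),  # MSI drops and runs the backdoor
    ProcEvent(500, 100, "excel.exe"),
    ProcEvent(600, 500, "powershell.exe"),  # newer macro: no MSI stage
    ProcEvent(700, 100, "chrome.exe"),
    ProcEvent(800, 700, "powershell.exe"),  # unrelated: not Office-spawned
]

def ancestry(events, pid):
    """Return image names from the given process up to the root of its tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def find_office_to_powershell(events):
    """Return (pid, chain) for each shell whose parent chain reaches an Office app."""
    hits = []
    for e in events:
        if e.image not in SHELL:
            continue
        chain = ancestry(events, e.pid)
        # Walk up the parents; only msiexec may sit between the shell and Office.
        for parent in chain[1:]:
            if parent in OFFICE:
                hits.append((e.pid, " <- ".join(chain)))
                break
            if parent not in INSTALLER:
                break
    return hits
```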

Over time, the hackers also began installing a Chrome.js file that mimics a Google Chrome update, so that victims would believe the files they clicked were legitimate. They have also dropped an Avast Antivirus executable to further disguise their activity.

The group, which Check Point believes is of Chine ..