Victory Backdoor Targeting Southeast Asian Governments

Victory Backdoor Targeting Southeast Asian Governments

A surveillance operation launched by SharpPanda APT group is active right now and targeting a Southeast Asian government. The campaign is using a previously unknown malware backdoor now identified as Victory. According to researchers, malware has been under development for the past three years.

The multi-stage infection chain


According to Check Point Research, attackers are using spear-phishing emails laden with malicious Word documents to gain initial access. They are also exploiting older Office security vulnerabilities.
The malicious documents were sent to various employees of a government entity in Southeast Asia. In some cases, the emails are spoofed, pretending to be sent from other government-related entities.
The attachments with these emails are weaponized copies of legitimate-looking official documents and use a remote template method to start the next stage from the attacker’s server.
The malicious documents download a template from multiple URLs, which are .RTF files created with RoyalRoad weaponizer - a tool for creating maldocs that exploit Equation Editor’s vulnerabilities.
The RoyalRoad-generated RTF document has a shellcode and an encrypted payload. To decrypt the payload from the package, the APT group uses the RC4 algorithm with the key 123456 and drops a DLL file.

Victory backdoor


The multi-stage chain ultimately results in the installation of the backdoor module, identified as Victory. It steals information and provides attackers with consistent access to the victim.
It can take screenshots, manipulate files (such as deleting, creating, reading, and renaming them), collect information on the top-level opened windows, and shut down the computer.
Additionally, it can get TCP/UDP tables, CD-ROM drives data, registry keys info, and victim’s comput ..