SoylentNews is people

posted by Fnord666 on Friday July 05 2019, @11:21PM
from the no-windows-file-is-safe dept.

Submitted via IRC for Carny

Multiple Chinese Groups Share the Same RTF Weaponizer

During an investigation into a possibly shared RTF[*] weaponizer by Indian and Chinese APT[**] groups, researchers have discovered that multiple Chinese groups have updated the weaponizer to exploit the Microsoft Equation Editor (EE) vulnerability CVE-2018-0798. The same weaponizer had previously delivered exploits for EE vulnerabilities CVE-2017-11882 and CVE-2018-0802.

Researchers at Anomali believe that the earlier weaponizer was favored because the two vulnerabilities initially employed are easier to exploit than that used with the latter weaponizer. The CVE-2018-0798 vulnerability, however, has the advantage of affecting all versions of EE. The earliest sample of an RTF file with this vulnerability exploited in the wild dates back to October 2018.

Weaponizers are scripts used to inject a malicious RTF object into a pre-crafted RTF phishing document. Anomali has been investigating whether multiple groups are using the same supply chain for their weaponizer. A weaponizer can be recognized through shared object dimensions across weaponized exploits within the delivered RTF files. The actor can be recognized through different post-exploitation behaviors.
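The paragraph above describes how analysts fingerprint a weaponizer: the script that injects the malicious object tends to leave identical object dimensions (the RTF `\objw` / `\objh` control words) across every lure it produces, so clustering samples on those values groups them by tool rather than by actor. The script below is an added illustration written for this page, not Anomali's tooling; it pulls the object class and dimensions out of RTF text and clusters samples on them. The three RTF strings are constructed inline (an object skeleton with placeholder `\objdata` bytes, no exploit content), and the dimension values they carry are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lures (not real malware): a minimal RTF header with one
# embedded object each. Samples A and B share class and dimensions, which is
# the kind of artifact a shared weaponizer leaves behind; C differs.
SAMPLE_A = r"{\rtf1\ansi{\object\objemb\objw2130\objh780{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}"
SAMPLE_B = r"{\rtf1\ansi{\object\objemb\objw2130\objh780{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}"
SAMPLE_C = r"{\rtf1\ansi{\object\objemb\objw1440\objh1440{\*\objclass Package}{\*\objdata 0105000002000000}}}"


def extract_objects(rtf: str) -> list[dict]:
    """Return one record per \\object in the RTF text: class name, width, height.

    Assumption (true for well-formed RTF): \\objw, \\objh and \\objclass appear
    between the \\object control word and the \\objdata payload. The lookahead
    window is bounded so a huge hex blob cannot make this quadratic.
    """
    records = []
    for match in re.finditer(r"\\object\b", rtf):
        window = rtf[match.end(): match.end() + 4096]
        cut = window.find(r"\objdata")
        header = window if cut < 0 else window[:cut]
        width = re.search(r"\\objw(-?\d+)", header)
        height = re.search(r"\\objh(-?\d+)", header)
        cls = re.search(r"\\objclass\s+([^}\\]+)", header)
        records.append({
            "objclass": cls.group(1).strip() if cls else None,
            "objw": int(width.group(1)) if width else None,
            "objh": int(height.group(1)) if height else None,
        })
    return records


def cluster_by_dimensions(samples: dict[str, str]) -> dict[tuple, list[str]]:
    """Group sample names by (objclass, objw, objh) of their embedded objects.

    Samples that land in the same bucket were plausibly built by the same
    weaponizer, regardless of which actor later operated the payload.
    """
    clusters: dict[tuple, list[str]] = defaultdict(list)
    for name, rtf in samples.items():
        for obj in extract_objects(rtf):
            clusters[(obj["objclass"], obj["objw"], obj["objh"])].append(name)
    return dict(clusters)


def flag_equation_objects(rtf: str) -> list[dict]:
    """Triage helper: objects whose class names the Equation Editor (Equation.*)."""
    return [
        obj for obj in extract_objects(rtf)
        if obj["objclass"] and obj["objclass"].lower().startswith("equation")
    ]


if __name__ == "__main__":
    corpus = {"sample_a.rtf": SAMPLE_A, "sample_b.rtf": SAMPLE_B, "sample_c.rtf": SAMPLE_C}
    for key, members in cluster_by_dimensions(corpus).items():
        print(f"{key}: {members}")
    for name, rtf in corpus.items():
        if flag_equation_objects(rtf):
            print(f"{name}: embeds an Equation Editor object, review before opening")
```

Real lures frequently obfuscate the object header (split or misspelled control words, junk between `\objclass` and the class name), so a regex pass like this is a triage and clustering aid over already-collected samples, not a standalone detector; a proper RTF tokenizer that normalizes control words before extraction is the next step.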

Anomali has detected numerous Chinese actors sharing the same new RTF weaponizer, which they all updated at around the same time. These include Goblin Panda (aka Conimes), KeyBoy (aka APT 23), Emissary Panda (aka APT27), Rancor Group, and Temp.Trident (aka Icefog).

[...] The conclusions from Anomali's research confirm that there is a strong sharing culture among Chinese groups. The first weaponizer was used exclusively by Chinese state actors for about a year before it began to be used by cybercriminals. The second weaponizer was used by the state actors for around six months before it too began to be used by cybercriminals. It's not clear whether a state actor developed the weaponizer and shared it with other groups, or whether it was developed by a third-party and supplied to the actors.

[*] RTF (Rich Text Format) is usually a safer document format. Not anymore. Maybe we should all switch to Markdown.

[**] APT: Advanced Persistent Threat


  • (Score: 0) by Anonymous Coward on Saturday July 06 2019, @12:39AM (#863701) (1 child)

    My local Chinese restaurant just started delivering their takeout menu in .rtf format. Wonder what the Chinaman who owns the place thinks he will find on my PC?

  • (Score: 0) by Anonymous Coward on Saturday July 06 2019, @01:50PM (#863804)

    Just as I was about to ask 'Really, who the fsck still uses .rtf files in the wild?' I read your post.

    I see the answer to my question is: Trolls, probably.

    (In the spirit of Trolling, someone recently asked for an editable copy of my CV, fine, says I, so they got a .lyx file..)