
posted by Fnord666 on Friday July 05 2019, @11:21PM
from the no-windows-file-is-safe dept.

Submitted via IRC for Carny

Multiple Chinese Groups Share the Same RTF Weaponizer

During an investigation into a possibly shared RTF[*] weaponizer by Indian and Chinese APT[**] groups, researchers have discovered that multiple Chinese groups have updated the weaponizer to exploit the Microsoft Equation Editor (EE) vulnerability CVE-2018-0798. The same weaponizer had previously delivered exploits for EE vulnerabilities CVE-2017-11882 and CVE-2018-0802.

Researchers at Anomali believe that the earlier weaponizer was favored because the two vulnerabilities initially employed are easier to exploit than that used with the latter weaponizer. The CVE-2018-0798 vulnerability, however, has the advantage of affecting all versions of EE. The earliest sample of an RTF file with this vulnerability exploited in the wild dates back to October 2018.

Weaponizers are scripts used to inject a malicious RTF object into a pre-crafted RTF phishing document. Anomali has been investigating whether multiple groups are using the same supply chain for their weaponizer. A weaponizer can be recognized through shared object dimensions across weaponized exploits within the delivered RTF files. The actor can be recognized through different post-exploitation behaviors.
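As an added defender-side example (not code from the article or from Anomali), the Python below parses the `\object` groups of an RTF file, pulls out each object's class and its `\objw`/`\objh` dimensions, flags objects that invoke Equation Editor, and reports dimensions two documents have in common, which is the kind of overlap the article says links samples to one weaponizer. The RTF samples are constructed; the control words are standard RTF, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed samples (not real malware): two RTF documents whose embedded
# Equation Editor objects share the same \objw/\objh dimensions. The
# \objdata payloads are dummy hex, not exploit content.
SAMPLE_A = (r"{\rtf1\ansi Invoice attached."
            r"{\object\objemb\objw400\objh260{\*\objclass Equation.3}{\*\objdata 0105000002000000}}}")
SAMPLE_B = (r"{\rtf1\ansi Meeting agenda."
            r"{\object\objemb\objw1200\objh900{\*\objclass Word.Document.8}{\*\objdata 01050000}}"
            r"{\object\objemb\objw400\objh260{\*\objclass Equation.3}{\*\objdata 0105000011223344}}}")

def _rtf_group(text: str, start: int) -> str:
    """Return the brace-delimited RTF group beginning at text[start], honouring nesting."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    return text[start:]  # unbalanced file: take the remainder

def extract_objects(rtf: str) -> List[Dict[str, Optional[object]]]:
    """List every \\object group with its class and width/height (in twips).
    Handles plain syntax only; malicious RTF often obfuscates control words,
    so a document that yields nothing here is not thereby clean."""
    found = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = _rtf_group(rtf, m.start())
        cls = re.search(r"\\objclass\s+([^}\\]+)", group)
        w = re.search(r"\\objw(-?\d+)", group)
        h = re.search(r"\\objh(-?\d+)", group)
        found.append({"class": cls.group(1).strip() if cls else None,
                      "objw": int(w.group(1)) if w else None,
                      "objh": int(h.group(1)) if h else None})
    return found

def equation_editor_objects(rtf: str) -> List[Dict[str, Optional[object]]]:
    """Embedded objects whose class invokes Equation Editor (e.g. Equation.3)."""
    return [o for o in extract_objects(rtf)
            if o["class"] and o["class"].lower().startswith("equation")]

def shared_dimensions(rtf_a: str, rtf_b: str) -> Set[Tuple[int, int]]:
    """(objw, objh) pairs of Equation Editor objects present in both documents."""
    dims = lambda r: {(o["objw"], o["objh"]) for o in equation_editor_objects(r)}
    return dims(rtf_a) & dims(rtf_b)

if __name__ == "__main__":
    print(extract_objects(SAMPLE_B))
    print(shared_dimensions(SAMPLE_A, SAMPLE_B))  # {(400, 260)}
```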

Anomali has detected numerous Chinese actors sharing the same new RTF weaponizer, which they all updated at around the same time. These include Goblin Panda (aka Conimes), KeyBoy (aka APT 23), Emissary Panda (aka APT27), Rancor Group, and Temp.Trident (aka Icefog).

[...] The conclusions from Anomali's research confirm that there is a strong sharing culture among Chinese groups. The first weaponizer was used exclusively by Chinese state actors for about a year before it began to be used by cybercriminals. The second weaponizer was used by the state actors for around six months before it too began to be used by cybercriminals. It's not clear whether a state actor developed the weaponizer and shared it with other groups, or whether it was developed by a third-party and supplied to the actors.

[*] RTF (Rich Text Format) is usually a safer document format. Not anymore. Maybe we should all switch to Markdown.

[**] APT: Advanced Persistent Threat


  • (Score: 1) by RandomFactor (3682) on Saturday July 06 2019, @02:06PM (#863808)

    Yes, how bazaar!

    --
    In Pravda there is no news, in Izvestia there is no truth