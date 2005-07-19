During an investigation into an RTF weaponizer possibly shared by Indian and Chinese APT groups, researchers have discovered that multiple Chinese groups have updated the weaponizer to exploit the Microsoft Office Equation Editor (EE) vulnerability CVE-2018-0798. The same weaponizer had previously delivered exploits for two earlier EE vulnerabilities, CVE-2017-11882 and CVE-2018-0802.

Researchers at Anomali believe that the earlier weaponizer was favored because the two vulnerabilities it initially exploited are easier to weaponize than CVE-2018-0798, the vulnerability targeted by the updated weaponizer. CVE-2018-0798, however, has the advantage of affecting all versions of EE. The earliest sample of an RTF file exploiting this vulnerability in the wild dates back to October 2018.

Weaponizers are scripts used to inject a malicious object (here, the EE exploit) into a pre-crafted RTF phishing document. Anomali has been investigating whether multiple groups are using the same supply chain for their weaponizer. A weaponizer leaves a recognizable fingerprint: the objects it embeds share the same declared object dimensions (the RTF \objw and \objh values) across different exploits and different delivered RTF files. Because the weaponizer itself is shared, the actor behind a given document is instead recognized through its post-exploitation behavior.
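The fingerprinting idea above can be turned into a triage script. The following is an added example, not code from Anomali's report or from the article: it pulls each embedded `{\object ...}` group out of a set of RTF files, records the declared `\objw`/`\objh` dimensions and `\objclass`, reads the class name from the OLE1 header inside `\objdata`, and groups files that share the same (class, width, height) tuple. The four RTF fragments are constructed for the example and are not real malware samples; their `\objdata` payloads contain only a minimal OLE1 header. The file names and the mismatch check (declared `\objclass` versus the class in the OLE1 header) are my own additions, not something the report describes.

```python
"""Triage helper: fingerprint RTF-embedded OLE objects by declared dimensions
(\objw / \objh) and class, then group samples that share the same fingerprint."""
import re
import struct
from collections import defaultdict

# Minimal OLE1 header: OLEVersion, FormatID=2 (embedded), class-name length 11,
# then "Equation.3\0". Constructed for this example; not taken from a real sample.
OLE1_EQ3 = "01050000" "02000000" "0b000000" "4571756174696f6e2e3300"

# Constructed RTF fragments standing in for delivered phishing documents.
# doc_a and doc_b share dimensions and class (same weaponizer fingerprint),
# doc_c has different dimensions, doc_d declares a misleading \objclass.
SAMPLES = {
    "doc_a.rtf": r"{\rtf1\ansi Invoice attached.\par{\object\objemb\objw3000\objh1000"
                 r"{\*\objclass Equation.3}{\*\objdata " + OLE1_EQ3 + "}}}",
    "doc_b.rtf": r"{\rtf1\ansi Meeting agenda.\par{\object\objemb\objw3000\objh1000"
                 r"{\*\objclass Equation.3}{\*\objdata " + OLE1_EQ3 + "}}}",
    "doc_c.rtf": r"{\rtf1\ansi Report.\par{\object\objemb\objw2100\objh900"
                 r"{\*\objclass Equation.3}{\*\objdata " + OLE1_EQ3 + "}}}",
    "doc_d.rtf": r"{\rtf1\ansi Resume.\par{\object\objemb\objw3000\objh1000"
                 r"{\*\objclass Word.Document.8}{\*\objdata " + OLE1_EQ3 + "}}}",
}

_OBJECT_START = re.compile(r"\{\\object\b")


def _group_at(text, start):
    """Return the brace-balanced RTF group starting at text[start] == '{'.
    Backslash-escaped characters (e.g. \{ \} \\) do not affect nesting."""
    depth = 0
    i = start
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]  # unterminated group: return what is there


def ole1_class_name(objdata_hex):
    """Class name from an OLE1 header: u32 version, u32 format id, u32 name
    length, then the NUL-terminated ASCII class name."""
    data = bytes.fromhex(re.sub(r"\s+", "", objdata_hex))
    if len(data) < 12:
        return None
    _version, _fmt, name_len = struct.unpack_from("<III", data, 0)
    return data[12:12 + name_len].rstrip(b"\0").decode("ascii", "replace")


def extract_objects(rtf):
    """One dict per embedded object: declared dimensions, declared class,
    and the class name recovered from the OLE1 header in \objdata."""
    objects = []
    for m in _OBJECT_START.finditer(rtf):
        grp = _group_at(rtf, m.start())
        w = re.search(r"\\objw(\d+)", grp)
        h = re.search(r"\\objh(\d+)", grp)
        cls = re.search(r"\{\\\*\\objclass\s*([^}]*)\}", grp)
        data = re.search(r"\{\\\*\\objdata\s*([0-9a-fA-F\s]*)\}", grp)
        objects.append({
            "objw": int(w.group(1)) if w else None,
            "objh": int(h.group(1)) if h else None,
            "objclass": cls.group(1).strip() if cls else None,
            "ole1_class": ole1_class_name(data.group(1)) if data else None,
        })
    return objects


def cluster_by_dimensions(samples):
    """Map (objclass, objw, objh) -> sorted list of files carrying such an object.
    Files in the same cluster were plausibly produced by the same weaponizer."""
    clusters = defaultdict(list)
    for name, rtf in samples.items():
        for obj in extract_objects(rtf):
            clusters[(obj["objclass"], obj["objw"], obj["objh"])].append(name)
    return {key: sorted(names) for key, names in clusters.items()}


def class_mismatches(samples):
    """Files whose declared \objclass disagrees with the OLE1 header class name,
    a cheap signal that the object is not what the document claims."""
    flagged = set()
    for name, rtf in samples.items():
        for obj in extract_objects(rtf):
            if obj["objclass"] and obj["ole1_class"] and obj["objclass"] != obj["ole1_class"]:
                flagged.add(name)
    return sorted(flagged)


if __name__ == "__main__":
    for key, names in cluster_by_dimensions(SAMPLES).items():
        print(key, names)
    print("class mismatches:", class_mismatches(SAMPLES))
```

On real samples, replace `SAMPLES` with the files read from disk; the dimension tuple is only one pivot, and the report's point is that it stays constant while the exploit (CVE-2017-11882, CVE-2018-0802, CVE-2018-0798) and the post-exploitation payload change, so cluster on it first and then separate actors by what the payload does.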

Anomali has detected numerous Chinese actors sharing the same new RTF weaponizer, all of which moved to the updated version at around the same time. These include Goblin Panda (aka Conimes), KeyBoy (aka APT 23), Emissary Panda (aka APT27), Rancor Group, and Temp.Trident (aka Icefog).

[...] The conclusions from Anomali's research confirm that there is a strong sharing culture among Chinese groups. The first weaponizer was used exclusively by Chinese state actors for about a year before it began to be used by cybercriminals. The second weaponizer was used by the state actors for around six months before it too began to be used by cybercriminals. It is not clear whether a state actor developed the weaponizer and shared it with other groups, or whether it was developed by a third party and supplied to the actors.