Chinese APT Hackers Exploit MS Word Bug to Drop Malware Via Weaponized Coronavirus Lure Documents

Researchers have uncovered a new COVID-19-themed campaign launched by China-based APT threat actors, who are taking advantage of the Coronavirus scare to deliver previously unknown malware to Windows machines.

The attack is believed to have been initiated by a long-running APT group that targets various government and private-sector organizations; the current campaign leverages the COVID-19 pandemic as a lure to infect victims and trigger the infection chain.

The attackers are also using new tools in this campaign, delivering the attack through malicious RTF documents.

Evidence collected from this attack reveals that the RTF documents were weaponized with Royal Road, an RTF weaponizer named by Anomali and sometimes called the "8.t" RTF exploit builder, which is used here to exploit the Equation Editor vulnerabilities in Microsoft Word.

Some of the malicious documents were written in Mongolian; one of them purports to come from the Mongolian Ministry of Foreign Affairs and contains information about new Coronavirus infections.

Infection Vectors

Once the victim opens the malicious RTF document, the Microsoft Word vulnerability is exploited and a new file named intel.wll is dropped into the Word Startup folder.

This is a newer version of the RoyalRoad weaponizer's persistence technique: Word loads every DLL with a .wll extension found in its Startup folder whenever the victim launches the application, which triggers the infection chain.

This technique also helps the malware avoid running in a sandbox, since the dropped DLL is only executed the next time Word is launched.
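A defender's check for this persistence technique, as an added example that is not part of the original article or of Check Point's research: enumerate the Word Startup folder for .wll/.dll add-ins, hash each one, and flag any whose SHA-1 matches the hashes listed in the article's Indicators of Compromise section (the first group of five is embedded; the article does not say which file each hash belongs to). The per-user Startup path %APPDATA%\Microsoft\Word\STARTUP is a standard Windows location; the demo scans a constructed temporary folder instead so it runs offline, and the file contents it writes are placeholders, not the real sample.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-1 hashes copied from the article's IoC section (first group).
# The remaining hashes from the article can be added to this set as needed.
IOC_SHA1 = {
    "234a10e432e0939820b2f40bf612eda9229db720",
    "751155c42e01837f0b17e3b8615be2a9189c997a",
    "ae042ec91ac661fdc0230bdddaafdc386fb442a3",
    "d7f69f7bd7fc96d842fcac054e8768fd1ecaa88a",
    "dba2fa756263549948fac6935911c3e0d4d1fa1f",
}

# Extensions Word treats as add-ins in its Startup folder (.wll is the
# extension abused in this campaign).
ADDIN_SUFFIXES = {".wll", ".dll"}


def default_word_startup_dir():
    """Per-user Word Startup folder on Windows, or None if not resolvable."""
    appdata = os.environ.get("APPDATA")
    if not appdata:
        return None
    return Path(appdata, "Microsoft", "Word", "STARTUP")


def sha1_of(path):
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup_folder(folder, iocs=IOC_SHA1):
    """Return one finding per add-in in `folder`.

    Every .wll/.dll in the Word Startup folder deserves review, because the
    folder is normally empty on a standard install; a hash that matches the
    IoC set is additionally marked as a confirmed indicator.
    """
    findings = []
    for p in sorted(Path(folder).iterdir()):
        if not p.is_file() or p.suffix.lower() not in ADDIN_SUFFIXES:
            continue
        digest = sha1_of(p)
        findings.append({
            "name": p.name,
            "path": str(p),
            "sha1": digest,
            "ioc_match": digest in iocs,
        })
    return findings


def demo():
    """Constructed scenario: a temporary folder standing in for the Word
    Startup directory, holding one file named intel.wll (placeholder bytes,
    not malware) and one unrelated text file that must be ignored."""
    with tempfile.TemporaryDirectory() as d:
        sample = Path(d, "intel.wll")
        sample.write_bytes(b"constructed placeholder, not a real sample")
        Path(d, "README.txt").write_bytes(b"not an add-in, ignored")
        # Against the article's hashes: the add-in is reported but does not match.
        with_article_iocs = scan_startup_folder(d)
        # Simulate a hit by adding the constructed file's own hash to the set.
        with_planted_ioc = scan_startup_folder(d, IOC_SHA1 | {sha1_of(sample)})
        return {"article": with_article_iocs, "planted": with_planted_ioc}


if __name__ == "__main__":
    target = default_word_startup_dir()
    if target is not None and target.is_dir():
        for finding in scan_startup_folder(target):
            print(finding)
    else:
        for finding in demo()["article"]:
            print(finding)
```

On a real host, an unexpected add-in in the Startup folder is worth investigating even without a hash match, since the campaign's loader is only the first stage and later modules are fetched from the C2 server.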

After the intel.wll DLL is loaded, it downloads and decrypts the next stage of the infection chain from the C2 server (95.179.242[.]6).

This next stage is also a DLL file, identified as the main loader of the malware framework developed by the APT actors; it obtains additional functionality from other C2 servers.

According to Check Point Research: "At the final stage of the infection chain, after the appropriate command is received, the malicious loader downloads and decrypts a RAT module, also in the form of a DLL file, and loads it into memory. This plug-in like architecture might hint at the existence of other modules, in addition to the payload we received."

The malware's RAT module has the following core capabilities:

  • Take a screenshot
  • List files and directories
  • Create and delete directories
  • Move and delete files
  • Download a file
  • Execute a new process
  • Get a list of all services

All the C&C servers were hosted on Vultr, and the domains were registered through the GoDaddy registrar.

Indicators of Compromise
SHA-1 hashes:

  • 234a10e432e0939820b2f40bf612eda9229db720
  • 751155c42e01837f0b17e3b8615be2a9189c997a
  • ae042ec91ac661fdc0230bdddaafdc386fb442a3
  • d7f69f7bd7fc96d842fcac054e8768fd1ecaa88a
  • dba2fa756263549948fac6935911c3e0d4d1fa1f

  • 0e0b006e85e905555c90dfc0c00b306bca062e7b
  • dde7dd81eb9527b7ef99ebeefa821b11581b98e0
  • fc9c38718e4d2c75a8ba894352fa2b3c9348c3d7
  • 601a08e77ccb83ffcd4a3914286bb00e9b192cd6
  • 27a029c864bb39910304d7ff2ca1396f22aa32a2
  • 8b121bc5bd9382dfdf1431987a5131576321aefb
  • bf9ef96b9dc8bdbc6996491d8167a8e1e63283fe
  • fcf75e7cad45099bf977fe719a8a5fc245bd66b8
  • 0bedd80bf62417760d25ce87dea0ce9a084c163c
  • 5eee7a65ae5b5171bf29c329683aacc7eb99ee0c
  • 3900054580bd4155b4b72ccf7144c6188987cd31
  • e7826f5d9a9b08e758224ef34e2212d7a8f1b728
  • a93ae61ce57db88be52593fc3f1565a442c34679
  • 5ff9ecc1184c9952a16b9941b311d1a038fcab56
  • 36e302e6751cc1a141d3a243ca19ec74bec9226a
  • 080baf77c96ee71131b8ce4b057c126686c0c696
  • c945c9f4a56fd1057cac66fbc8b3e021974b1ec6
  • 5560644578a6bcf1ba79f380ca8bdb2f9a4b40b7
  • 207477076d069999533e0150be06a20ba74d5378
  • b942e1d1a0b5f0e66da3aa9bbd0fb46b8e16d71d
  • 9ef97f90dcdfe123ccb7d9b45e6fa9eceb2446f0
  • cf5fb4017483cdf1d5eb659ebc9cd7d19588d935
  • 92de0a807cfb1a332aa0d886a6981e7dee16d621
  • cde40c325fcf179242831a145fd918ca7288d9dc
  • 2426f9db2d962a444391aa3ddf75882faad0b67c
  • 9eda00aae384b2f9509fa48945ae820903912a90
  • 2e50c075343ab20228a8c0c094722bbff71c4a2a
  • 2f80f51188dc9aea697868864d88925d64c26abc

C2 server: 95.179.242[.]6