Summary:
An extensive series of attacks used new Windows malware to backdoor government entities and organizations in the defence industry from several countries in Eastern Europe. Kaspersky linked the campaign to a Chinese APT group tracked as TA428, known for its focus on information theft and espionage and for attacking organizations in Asia and Eastern Europe. The threat actors successfully compromised the networks of dozens of targets, sometimes even taking control of their entire IT infrastructure by hijacking the systems used to manage security solutions. To achieve their goal, the Chinese cyberspies used spear phishing emails containing confidential information about the targeted organizations, with malicious attachments exploiting the CVE-2017-11882 Microsoft Office vulnerability to deploy the PortDoor malware. Like the other families used in this campaign, the new backdoor allows the attackers to collect and steal system information and files from compromised systems. To deliver CotSam, the attackers went as far as to include a vulnerable version of Microsoft Word together with the payload.

References:
The following reports contain further technical details: