An emerging threat actor out of China has been traced to a new hacking campaign aimed at government agencies in India and residents of Hong Kong intending to steal sensitive information, cybersecurity firm Malwarebytes revealed in the latest report shared with The Hacker News.
The attacks were observed during the first week of July, coinciding the passage of controversial security law in Hong Kong and India’s ban of 59 China-made apps over privacy concerns, weeks after a violent skirmish along the Indo-China border.
Attributing the attack with “moderate confidence” to a new Chinese APT group, Malwarebytes said they were able to track their activities based on the “unique phishing attempts” designed to compromise targets in India and Hong Kong.
The operators of the APT group have leveraged at least three different Tactics, Techniques, and Procedures (TTPs), using spear-phishing emails to drop variants of Cobalt Strike and MgBot malware, and bogus Android applications to gather call records, contacts, and SMS messages.
“The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China,” the firm said.
Using Spear-Phishing to Install MgBot Malware
The first variant, observed on July 2, alerted recipients with the “gov.in” domain stating some of their email addresses had been leaked and that they are to complete a security check before July 5.
The emails come attached with a “Mail security check.docx” purportedly from the Indian Government Information Security Center. Upon opening, it employs template injection to download a remote template and execute a heavily obfuscated variant of Cobalt Strike.
images from Hacker News