Security researchers believe Chinese state-sponsored hacking groups may be behind the spread of a new variant of MgBot malware in India. Over the last couple of weeks, security researchers at Malwarebytes have come across numerous malware campaigns attempting to target India and Hong Kong.
Earlier this month, researchers discovered an archive pretending to be from the Government of India. Aiming to drop the Cobalt Strike loader, the file had a malicious document embedded in it.
Attackers use Cobalt Strike to deploy malware on the victim machine. A day later, researchers found the same threat actor infecting Windows computers with a malware payload delivered through Microsoft’s Application Management (AppMgmt) Service on Windows.
A couple of days later, researchers discovered a similar tactic employed by the same hacking group. However, the target was not India but Hong Kong this time around.
China unleashes cyberwarfare
“Considering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor. Based on our analysis, we believe this may be a Chinese APT group that has been active since at least 2014,” Malwarebytes said.
“We were able to track the activities related to these threat actors over the succession of several days based on unique phishing attempts designed to compromise their target,” researchers added.
Researchers believe the hackers used spear-phishing emails to target the Indian government and individuals in Hong Kong who oppose the enactment of China’s new security law.
How China targeted India
Hackers sent out spear-phishing emails with a .rar file attachment, which contained a document of the same name. The bogus document, presented as a ‘Mail security check’, was designed to lure Indian government officials into a phishing trap and compromise their machines. The misleading document, which pretended to be from the Indian Government Information Security Center, carried this message:
“Recently, we found that some of the email addresses of @gov.in have security problems, and some of the emails have been leaked. Please all users of @gov.in to complete the security check of emails before 2020-7-5. Thank you for your cooperation.”
Executing the document would ultimately inject a variant of Cobalt Strike as a remote access trojan (RAT) payload. A day later, the hackers were caught using a variant of MgBot malware to infect Indian government computers. A similar MgBot malware campaign was used against Hong Kong.
The malware could eavesdrop on keystrokes, take screenshots, manage files and directories, manage processes, create a mutex, handle C2 communication over TCP, and more.
Last month, the Government of India’s Ministry of Information Technology imposed a ban on 59 Chinese apps including TikTok, UC Browser, and WeChat citing security concerns. The decision came amid the rising anti-China sentiments across the country.