Security News > 2020 > July > Chinese Threat Actor Uses New MgBot Variant in Attacks on India, Hong Kong
A Chinese threat actor was observed earlier this month targeting victims in India and Hong Kong with a new variant of the MgBot malware, Malwarebytes reports.
The next day, the template would drop the MgBot loader, and Malwarebytes' security researchers observed it leveraging the Application Management service in Windows for the execution and injection of the final payload. Several days later, the same payload was being delivered via an archive containing a document featuring a statement that British Prime Minister Boris Johnson made about Hong Kong.
These documents, Malwarebytes says, are likely authored by a Chinese state-sponsored actor active since at least 2014, and are representative of the ongoing tensions between China and India, as well as China and Hong Kong.
The security researchers say the malware has remote access Trojan capabilities, which its operators can leverage for logging keystrokes, taking screenshots, manipulating files and folders, manipulating processes, creating mutexes, and communicating with the command and control server over TCP. The threat actor uses several IP addresses to host payloads and C&C servers, with most of these located in Hong Kong.
The tools, techniques and procedures used in these attacks were previously associated with Chinese threat actors such as Rancor, KeyBoy, and APT40, and Malwarebytes believes that the new attacks are the work of a Chinese APT that used a variant of MgBot in all of their previous campaigns.
News URL
Related news
- Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack (source)
- Threat actors are raising the bar for cyber attacks (source)
- XZ Utils Supply Chain Attack: A Threat Actor Spent Two Years to Implement a Linux Backdoor (source)
- Network Threats: A Step-by-Step Attack Demonstration (source)