
Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign
2021-06-07 18:49

Researchers said the novel backdoor has been in development by a Chinese APT for at least three years.

A multi-stage chain eventually results in the installation of the backdoor module, which is called "Victory." It "appears to be a custom and unique malware," according to Check Point.

"The files were named by the author as MClient and appear to be part of a project internally called SharpM, according to their PDB paths. Compilation timestamps also show a similar timeframe between July 2017 and June 2018, and upon examination of the files, they were found to be older test versions of our VictoryDll backdoor and its loaders chain."

Check Point has attributed the campaign to a Chinese APT. One of the clues is that the first-stage C2 servers are hosted by two different cloud services, located in Hong Kong and Malaysia.

On top of that, the RoyalRoad RTF exploit-building kit is a tool of choice among Chinese APT groups, and some test versions of the backdoor contained an internet connectivity check with www.

"We unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than three years," Check Point concluded.


News URL

https://threatpost.com/victory-backdoor-apt-campaign/166700/