RAT used by China in cyber espionage attacks

New research identified that a Chinese threat actor had been linked to targeting different countries from January to July 2021. It suggests that the exploitation involves placing Remote Access Trojans (RAT) on infected systems of Mongolia, Russia, Belarus, Canada, and the U.S.

The cybersecurity community attributes the attacks to APT31, known for its several espionage and information theft actions. According to FireEye, a company specializing in Cybersecurity investigation, the group is focused on obtaining critical information to facilitate Chinese government and state-owned enterprises with benefits related to politics, economics, and the military.

The malware seems quite similar to DropboxAES Remote access Trojan (RAT), which used the Dropbox file-sharing option for its command and control (C2) communications.  It was used by the same threat group previously with similar tactics to inject the code, achieve persistence, and employ other techniques.

Positive Technologies, the experts in vulnerability assessment, compliance management, and threat analysis solutions, highlighted that a new malware dropper was used in the attacks. This was done to get access to encrypted payloads and decode them to gain root access. It was further observed that the code was capable to allow downloading other malware, multiplying the intensity of risk by manifolds. There is also a threat to delete itself from the infected system.

In light of summaries between malicious samples in the past, researchers highlighted that the attackers are increasing their geography of attacks.