Chinese Hackers Installing Malware on Government Networks via Google Drive

Research sector targeted in new spear phishing attack using Google Drive

The attackers gain access to the network through decoy documents covering controversial geo-political topics to lure the targeted organizations into downloading and executing the malware.

According to Trend Micro researchers, a Chinese government-sponsored advanced persistent threat (APT) group has launched spear-phishing attacks to target education, government, and research sectors worldwide.

The report is unsurprising as earlier this year, researchers linked Google Drive to 50% of malicious MS Office document downloads.

Campaign Details

The attackers are delivering custom malware stored in Google Drive. The attacks were discovered between March and October 2022. The primary targets of the group were located in Japan, Australia, Myanmar, Taiwan, and the Philippines. For your information, the espionage group has been active since July 2018.

Chinese Hackers Installing Malware on Government Networks via Google Drive

How does the Attack Works?

The attackers gain access to the network through decoy documents covering controversial geo-political topics to lure the targeted organizations into downloading and executing the malware.

In some instances, the phishing messages were sent from email accounts that were previously compromised and belonged to specific entities to enhance the success ratio of this campaign. The archive files display a lure document to the victim.

However, in the background, it loads malware through DLL side-loading. Eventually, the attacker delivers three malware families to download the next-stage payloads. The main backdoor they use is TONESHELL, installed via the TONEINS shellcode loader.

Chinese Hackers Installing Malware on Government Networks via Google Drive

The attackers bypass security mechanisms by embedding link points to a Dropbox or Google Drive folder. These links redirect to download compressed files such as ZIP, RAR, and JAR with custom malware strains like PubLoad and TONESHELL.

“Once the group has infiltrated a targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved.”

Nick Dai, Vickie Su, Sunny Lu – Trend Micro

Who is the Attacker?

Researchers claim that the group responsible for the attacks has been identified as Mustang Panda, also known as TA416, Red Lich, Earth Preta, HoneyMyte, and Bronze President. Mustang Panda prefers using China Chopper and PlugX malware to collect data from compromised systems.

In its report, Trend Micro noted that Mustang Panda continually evolves its attack tactics to evade detection and use infection methods that allow them to deploy bespoke malware families such as PUBLOAD, TONEINS, and TONESHELL.

  1. Chinese Hackers Hiding Malware in Windows Logo
  2. APT Groups Trapping Targets with Clever Twitter Scheme
  3. Chinese Hackers Distributing Malware in SMS Bomber Tool
  4. Windows, Linux and macOS Users Targeted by Chinese hackers
  5. Microsoft disrupts activity of Chinese hackers by seizing 42 websites
Related Posts