A new campaign targeting gambling-related businesses in South East Asia, including Taiwan, Hong Kong, and the Philippines, has been tied to a Chinese-speaking advanced persistent threat (APT).
Cybersecurity firm Avast dubbed the campaign Operation Dragon Castling, describing its malware arsenal as a “robust and modular toolset.” The threat actor’s ultimate motivations are not yet clear, and no connection has been made to known hacking groups.
While multiple initial access avenues were employed during the course of the campaign, one of the attack vectors involved leveraging a previously unknown remote code execution flaw in the WPS Office suite (CVE-2022-24934) to backdoor its targets. Kingsoft Office has now addressed the issue.
In the case observed by the Czech security firm, the vulnerability was used to drop a malicious binary from a fake update server using the domain update.wps[.]cn. That binary triggers a multi-stage infection chain: intermediate payloads first allow for privilege escalation, and the chain ultimately drops the Proto8 module.
“The core module is a single DLL. It is responsible for setting up the malware’s working directory, loading configuration files and updating its code, beaconing to the [command-and-control] server, waiting for commands, and loading plugins,” said Avast researchers Luigino Camastra, Igor Morgenstern and Jan Holman.
Proto8’s plugin-based system, used to extend its functionality, enables the malware to achieve persistence, bypass user account control (UAC) mechanisms, create new backdoor accounts, and even execute arbitrary commands on the infected system.
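One of the capabilities listed above, creating new backdoor accounts, leaves a recognisable trace in the Windows Security log: an account-creation event (ID 4720) followed shortly by that account being added to the local Administrators group (ID 4732). The script below is an added example written for this article, not code from Avast or from the Proto8 report; the simplified one-line log format, the ten-minute window, and every account name in the sample are constructed assumptions (real 4732 events carry the member’s SID rather than its name, so a production rule would resolve SIDs first).

```python
"""Flag local accounts that are created and promoted to Administrators within a
short window. Event IDs 4720 (user account created) and 4732 (member added to a
security-enabled local group) are the real Windows Security event IDs; the
single-line log layout and all account names below are constructed for this example."""
import re
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, event ID, then key=value fields.
SAMPLE_LOG = """\
2022-03-01T10:00:01 4624 TargetUserName=alice LogonType=2
2022-03-01T10:02:10 4720 TargetUserName=svc_update SubjectUserName=alice
2022-03-01T10:02:12 4732 MemberName=svc_update TargetUserName=Administrators SubjectUserName=alice
2022-03-01T10:05:00 4720 TargetUserName=hr_temp SubjectUserName=bob
2022-03-01T12:30:00 4732 MemberName=hr_temp TargetUserName=Administrators SubjectUserName=bob
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Turn one constructed log line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "eid": int(m.group("eid")), **fields}


def find_backdoor_accounts(log_text, window=timedelta(minutes=10), group="Administrators"):
    """Return (account, creator, seconds_between) for every account that was
    created (4720) and then added to `group` (4732) within `window`."""
    created = {}   # account name -> its 4720 event
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["eid"] == 4720 and "TargetUserName" in ev:
            created[ev["TargetUserName"]] = ev
        elif ev["eid"] == 4732 and ev.get("TargetUserName") == group:
            member = ev.get("MemberName")
            c = created.get(member)
            if c is not None:
                delta = ev["ts"] - c["ts"]
                # Only a creation that precedes the promotion within the window counts.
                if timedelta(0) <= delta <= window:
                    hits.append((member, c.get("SubjectUserName"), int(delta.total_seconds())))
    return hits


if __name__ == "__main__":
    for account, creator, secs in find_backdoor_accounts(SAMPLE_LOG):
        print(f"suspicious: {account} created by {creator} and made admin {secs}s later")
```

In the constructed sample, `svc_update` is created and promoted two seconds apart and is flagged, while `hr_temp` is promoted more than two hours after creation and is not; the window is the tuning knob that separates scripted backdoor creation from routine administration.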