South East Asian organizations have recently been targeted by an espionage campaign that uses a previously undocumented toolset. The campaign mainly hit the defense, healthcare, and ICT sectors. Forensic evidence suggests it began in September 2020 and continued until at least May 2021. The toolset includes loaders, a modular backdoor, a keylogger, and an exfiltration tool that uses Dropbox as its upload channel.
The initial infection vector is not yet known. The earliest sign of compromise is a loader that decrypts and loads a payload from a .dat file; two file names were observed, sdc-integrity.dat and scs-integrity.dat. The loader then calls the DumpAnalyze export of the decrypted payload, which is the modular backdoor.
The core backdoor component is an “Orchestrator” module: a DLL with at least 16 functions. The custom binary command-and-control (C&C) protocol that carries the Orchestrator's commands is implemented in a separate DLL. The Orchestrator runs as a Windows service, and its service DLL is loaded from the registry (HKEY_CLASSES_ROOT\.z\OpenWithProgidsEx\<value_name_resolved_at_runtime>).
The module loads an encrypted configuration either from a file (CSIDL_COMMON_APPDATA\Microsoft\Crypto\RSA\Keys.dat) or from the registry (HKEY_CLASSES_ROOT\.z\OpenWithProgidsEx\CONFIG). It calls Decrypt_ByteToByte, a function exported by a separate DLL, to decrypt it. The decrypted configuration contains the following options: FLAG, Ip, Dns, CntPort, LstPort, Blog, DropboxBlog, SvcName, SvcDisp, SvcDesc, SvcDll, OlPass, OlTime, SelfDestroy.
The module carries a hardcoded mutex name, Global\QVomit4. The campaign also uses a keylogger that appears to have been written by the same developer, since it shares unique strings and string-obfuscation techniques with the other tools. A lightweight 7-Zip archiver (7zr) is bundled with the exfiltration tool, which packs the stolen data before sending it to Dropbox.
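The host artifacts named above (the two loader file names, the configuration file, the registry key and its CONFIG value, and the mutex) are enough for a first offline triage against a file listing, a .reg export and a handle/mutex listing. The script below is an added example written for this page, not code from the original research. It assumes that CSIDL_COMMON_APPDATA resolves to C:\ProgramData (the default on Vista and later), and all sample inputs in it are constructed.

```python
"""Offline triage for the Orchestrator backdoor artifacts (added example, constructed data)."""

LOADER_DAT_NAMES = {"sdc-integrity.dat", "scs-integrity.dat"}
# Assumption: CSIDL_COMMON_APPDATA resolves to C:\ProgramData on the host being triaged.
CONFIG_FILE_PATH = "c:\\programdata\\microsoft\\crypto\\rsa\\keys.dat"
REGISTRY_KEY = "hkey_classes_root\\.z\\openwithprogidsex"
MUTEX_NAME = "QVomit4"

# HKEY_CLASSES_ROOT is a merged view of these two Classes hives, so a .reg export
# taken from HKLM or HKCU shows the same key under a different prefix.
_HKCR_ALIASES = (
    "hkey_local_machine\\software\\classes\\",
    "hkey_current_user\\software\\classes\\",
    "hkey_classes_root\\",
)


def _normalize_key(key):
    """Lower-case a registry path and map HKLM/HKCU Classes paths onto their HKCR view."""
    low = key.lower()
    for prefix in _HKCR_ALIASES:
        if low.startswith(prefix):
            return "hkey_classes_root\\" + low[len(prefix):]
    return low


def check_files(paths):
    """Flag the loader .dat files by name (any directory) and the config file by full path."""
    hits = []
    for path in paths:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in LOADER_DAT_NAMES:
            hits.append(("loader_dat", path))
        elif low == CONFIG_FILE_PATH:
            hits.append(("backdoor_config_file", path))
    return hits


def check_reg_export(text):
    """Walk a .reg export and flag the OpenWithProgidsEx key, its subkeys and its values."""
    hits = []
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = _normalize_key(line[1:-1])
            in_key = key == REGISTRY_KEY or key.startswith(REGISTRY_KEY + "\\")
            if in_key:
                hits.append(("registry_key", line[1:-1]))
        elif in_key and line.startswith('"') and "=" in line:
            name = line.split("=", 1)[0].strip('"')
            # CONFIG holds the encrypted configuration; any other value is a candidate
            # for the runtime-resolved value name that points at the service DLL.
            kind = "registry_config_value" if name.upper() == "CONFIG" else "registry_value"
            hits.append((kind, name))
    return hits


def check_mutexes(names):
    """Match the mutex as Global\\QVomit4 or in object-manager form (\\BaseNamedObjects\\QVomit4)."""
    hits = []
    for name in names:
        # Global\ is a link to \BaseNamedObjects, which is how handle listings show it.
        # A session-local copy (\Sessions\N\BaseNamedObjects\QVomit4) is flagged as well.
        if name == "Global\\" + MUTEX_NAME or name.lower().endswith(
            "\\basenamedobjects\\" + MUTEX_NAME.lower()
        ):
            hits.append(("mutex", name))
    return hits


def triage(files, reg_text, mutexes):
    """Run all three checks and return every hit as a (kind, artifact) pair."""
    return check_files(files) + check_reg_export(reg_text) + check_mutexes(mutexes)


# Constructed sample inputs: a file listing, a .reg export of HKLM\SOFTWARE\Classes\.z,
# and two object names as a handle-enumeration tool would print them.
SAMPLE_FILES = [
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "C:\\ProgramData\\Microsoft\\Crypto\\RSA\\Keys.dat",
    "C:\\Users\\Public\\sdc-integrity.dat",
]
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.z]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.z\OpenWithProgidsEx]
"CONFIG"=hex:01,02,03
"a1b2"=hex:04,05
"""
SAMPLE_MUTEXES = [
    "\\Sessions\\1\\BaseNamedObjects\\SM0:1234:168:WilStaging_02",
    "\\BaseNamedObjects\\QVomit4",
]

if __name__ == "__main__":
    for kind, artifact in triage(SAMPLE_FILES, SAMPLE_REG, SAMPLE_MUTEXES):
        print(f"{kind:24} {artifact}")
```

When feeding a real export, note that reg.exe writes .reg files as UTF-16, so open them with encoding="utf-16". Because HKCR merges HKLM\SOFTWARE\Classes and HKCU\Software\Classes, export both hives rather than only HKCR, otherwise a per-user copy of the key can be missed.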
All evidence linked to this campaign points to espionage. The researchers have not been able to attribute it, and the attackers appear to have taken steps to avoid identification. The operators' working language is unknown; the backdoor module contains traces of both Cyrillic and Urdu script.
The only link found so far is a similar tool used by the China-linked Leafhopper group (aka APT30) at around the same time, which is not enough to say who is behind this campaign.