Russian military personnel plagued by spear-phishing campaign, Chinese hackers are the main suspects

Sep 18, 2015 01:12 GMT

A campaign targeting Russian military personnel has been observed by Proofpoint, a US-based Security-as-a-Service vendor, which it attributes to a hacking group operating out of China.

According to the company's security researchers, the group was previously tracked by its employees and other security vendors, and is known in industry circles as TA459.

Proofpoint first observed this campaign in July 2015 and says it is still ongoing, having spread to telecom and financial companies associated with the military targets where the first attacks were detected.

Attackers use spear-phishing and malicious Word files

To gain access to their victims' computers, the hackers are using spear-phishing emails aimed at military personnel, each carrying a malicious Word document as an attachment.

As Proofpoint explains, this document is configured with a special macro that automatically executes a set of commands when the user closes the Word file, leveraging CVE-2012-0158, a well-known and widely exploited vulnerability in Microsoft Word.

This eventually leads to the user being infected with PlugX (Korplug), a Remote Access Trojan (RAT) that gives attackers full control over the victim's computer.
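Because the macro in this campaign fires on document close, a defender's first check is whether a Word file declares any auto-executing procedure at all. The following is an added example, not Proofpoint's code or anything from the report: it decodes the MS-OVBA compressed source of one VBA module (the format used inside vbaProject.bin) and lists auto-run procedure names. It assumes the caller has already pulled the module's compressed source stream out of the document's OLE container (for example with olefile); the sample blob below is constructed for the demonstration.

```python
import re

# Procedure names Word runs without user interaction (AutoClose fires when the document is closed).
AUTOEXEC_PROC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoOpen|AutoClose|AutoExec|AutoNew|Document_Open|Document_Close)\b",
    re.I | re.M)

def decompress_vba(data: bytes) -> bytes:
    """Decode an MS-OVBA CompressedContainer, the encoding of VBA module source in vbaProject.bin."""
    if not data or data[0] != 0x01:
        raise ValueError("missing container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk_end, pos = min(pos + (header & 0x0FFF) + 3, len(data)), pos + 2
        if not header & 0x8000:                  # uncompressed chunk: raw bytes follow
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags, pos = data[pos], pos + 1      # one flag byte governs the next eight tokens
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:       # literal byte
                    out.append(data[pos]); pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little"); pos += 2
                # copy token: the offset/length bit split depends on bytes decoded so far in this chunk
                bits = max(4, (len(out) - chunk_start - 1).bit_length())
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):          # byte-wise copy so overlapping runs work
                    out.append(out[-offset])
    return bytes(out)

def find_autoexec_macros(module_stream: bytes) -> list[str]:
    """Names of auto-run procedures declared in one compressed VBA module stream."""
    src = decompress_vba(module_stream).decode("latin-1")
    return sorted({m.group(1) for m in AUTOEXEC_PROC.finditer(src)})

def literal_container(src: bytes) -> bytes:
    """Constructed test helper: encode src as a single compressed chunk made of literal tokens only."""
    body = b"".join(b"\x00" + src[i:i + 8] for i in range(0, len(src), 8))
    return b"\x01" + ((len(body) - 1) | 0xB000).to_bytes(2, "little") + body

# Constructed sample: "Sub AutoClose()\r\nEnd Sub\r\n", with the second "Sub" encoded as a copy token.
SAMPLE_MODULE = (b"\x01\x1b\xb0"                       # signature + chunk header (size 27, compressed)
                 b"\x00Sub Auto" b"\x00Close()\r"      # two groups of eight literal bytes
                 b"\x20\nEnd " b"\x00\xa0" b"\r\n")     # five literals, copy token (offset 21, len 3), two literals
```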

Once this happens, using commands received from their C&C server, the hackers start exfiltrating data from the infected computers or infect them with other malware to do more damage.

The data stolen in these attacks may easily be sold on the black market, but if the group is state-sponsored, it may be added to China's strategic intelligence on its northern neighbor.

TA459 has ties to China, may or may not be state-sponsored

By closely looking at the RAT's Tactics, Techniques and Procedures (TTPs), Proofpoint researchers observed that most of the communications and code comments are in Chinese.

Additionally, the IP addresses used for the C&C server are based in Hong Kong and had been used as early as December 2014.

TA459 was first spotted in the wild in 2013, initially using backdoors such as Saker, Netbot and DarkStRat. Most of its earlier targets were military bases in Afghanistan and Tajikistan.

Images: "Russian military under attack from Chinese hackers"; "Sample of a malicious Word document"