Chinese-speaking hacker group spies in Afghanistan, Kyrgyzstan and Uzbekistan
Security experts at Check Point Research (CPR), the threat intelligence division of Check Point® Software Technologies Ltd. (NASDAQ: CHKP), have uncovered an ongoing espionage operation targeting the Afghan government.
The threat actors, attributed to a Chinese-speaking group, posed as the office of the Afghan president to infiltrate the Afghan National Security Council (NSC). They used the file-sharing service Dropbox to disguise their activities. CPR believes this is the latest stage of a long-running operation that dates back to 2014 and has also claimed the governments of Kyrgyzstan and Uzbekistan as victims.
In April 2021, an official of the National Security Council of Afghanistan received an email purportedly from the Office of the President of Afghanistan. It asked the recipient to review the changes in an attached document relating to an upcoming NSC press conference.
Chain of infection begins with deception
The espionage can be summarized in the following steps:
- Sending an email under the guise of a high-level government institution, in this case a ministry.
- The threat actors attach an archive file that contains malware but passes as a legitimate attachment. In this case, the email contained a password-protected RAR archive named NSC Press conference.rar.
- The extracted file, NSC Press conference.exe, acts as a malware dropper. The wording of the lure email suggests that the attached file is the expected document. To dispel the victim’s doubts about running an EXE file instead of the expected Word file, the attackers use a simple trick: when the dropper is executed, it automatically opens the first document it finds on the user’s desktop. This serves as a decoy. Whether or not the dropper finds a document to open on the desktop, a backdoor is installed for spying.
- This backdoor communicates with a preconfigured Dropbox folder that is unique to each victim. That folder serves as the address from which the backdoor retrieves further commands and where it stores the stolen information.
Figure: Presentation of the infection pathway (source Check Point Research 2021)
The threat actors use the Dropbox API to mask their malicious activities, because traffic to a widely used cloud service does not stand out the way communication with a conspicuous website would. The backdoor creates a unique folder for the victim in a Dropbox account controlled by the attacker. When the threat actors need to send a file or command to the victim’s computer, they place it in a subfolder named “d” inside the victim’s Dropbox folder. The malware polls this subfolder and downloads all of its contents to its working folder. The backdoor achieves persistence by setting a registry key that runs it every time a user logs in.
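As an added defender-side example (not CPR’s code or the malware’s), the following Python flags hosts whose Dropbox Files-API requests arrive at machine-regular intervals, the polling pattern described above. The proxy log format, hostnames and timestamps are constructed for illustration; the endpoint paths are the public Dropbox Files API ones.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log in an assumed "<ISO time> <host> <method> <url>"
# format: ws-17 polls the Files API every ~5 minutes, ws-03 is ad-hoc use.
SAMPLE_LOG = """\
2021-04-20T09:00:00Z ws-17 POST https://api.dropboxapi.com/2/files/list_folder
2021-04-20T09:00:00Z ws-03 POST https://api.dropboxapi.com/2/files/list_folder
2021-04-20T09:00:30Z ws-03 POST https://content.dropboxapi.com/2/files/download
2021-04-20T09:02:10Z ws-17 GET https://intranet.example/press
2021-04-20T09:05:00Z ws-17 POST https://api.dropboxapi.com/2/files/list_folder
2021-04-20T09:09:59Z ws-17 POST https://api.dropboxapi.com/2/files/list_folder
2021-04-20T09:15:01Z ws-17 POST https://content.dropboxapi.com/2/files/upload
2021-04-20T09:15:30Z ws-03 POST https://api.dropboxapi.com/2/files/list_folder
2021-04-20T09:16:15Z ws-03 POST https://content.dropboxapi.com/2/files/download
2021-04-20T09:20:01Z ws-17 POST https://api.dropboxapi.com/2/files/list_folder
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
DROPBOX_API = re.compile(r"^https://(api|content)\.dropboxapi\.com/2/files/")

def parse(lines):
    """Yield (host, timestamp) for Dropbox Files-API requests only."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line, skip it
        ts, host, _method, url = m.groups()
        if DROPBOX_API.match(url):
            yield host, datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_beacons(lines, min_hits=4, max_jitter=0.15):
    """Return {host: mean gap in seconds} for hosts whose request spacing is
    too regular for a human (coefficient of variation below max_jitter)."""
    by_host = defaultdict(list)
    for host, ts in parse(lines):
        by_host[host].append(ts)
    flagged = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            flagged[host] = round(avg)
    return flagged
```

Tune `min_hits` and `max_jitter` to the observed traffic; the official sync client and browser use produce irregular gaps, so low jitter over several hits is the signal worth reviewing.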
Lotem Finkelsteen, Head of Threat Intelligence at Check Point Software, adds: “The detection of cyber espionage remains our top priority. This time, we discovered an ongoing spear phishing campaign targeting the Afghan government. We have reason to believe that Uzbekistan and Kyrgyzstan have also been victims and attribute our findings to a Chinese-speaking threat actor. It is noteworthy here how the hackers used the tactic of deception from ministry to ministry. This tactic is vicious and effective when it comes to getting someone to do something rash. In addition, it is noteworthy how the threat actors abuse Dropbox to evade detection. It is possible that other countries have also been targeted by this group, although we do not know how many or which countries. Therefore, in our technical blog post, we share a list of other possible domains used in the attack, in the hope that their names can be used by other cyber researchers as a contribution to our own findings.”