Delaware, USA – February 7, 2020 – A Chinese cyberespionage group conducts targeted spear-phishing campaign to compromise systems of Malaysian government officials and exfiltrate sensitive data. Malaysia’s Computer Emergency Response Team issued a security advisory warning about an increase in number of victims involving the campaign. APT40 (also known as Leviathan and TEMP.Periscope) members send phishing emails containing malicious Office documents attached or a link to the document hosted on Google Drive. In this campaign, cybersecurity experts observed that adversaries disguise as journalists, individuals from a trade publication, or someone from a relevant military organization or non-governmental organization. Microsoft documents contain macro exploiting a long time ago patched vulnerabilities (CVE-2014-6352 and CVE-2017-0199) to extract malicious binary and download the final payload. “The group’s operations tend to target government-sponsored projects and take large amounts of information specific to such projects, including proposals, meetings, financial data, shipping information, plans and drawings, and raw data,” stated in the security advisory.
Despite the fact that the group responsible for these attacks is not directly indicated in the text, Malaysian CERT has published links pointing at APT40. The group has been active since at least 2014 targeting primarily defense and government organizations in the United States, Western Europe, and Asia region. APT40 is one of the most advanced Chinese state-sponsored cyber-espionage units, in addition, the group previously masked its activity using the techniques of other groups.You can explore techniques used by APT40 in MITRE ATT&CK section and find content for their detection: https://tdm.socprime.com/att-ck/