A. Nature of the Attack
The attack was observed using three newly discovered malware used on different phases of this campaign, which will lead to the deployment of NCAT to provide backdoor access to the affected system.
- Phase 1: MistCloak
MistCloak is a launcher written in C++ that executes an encrypted executable payload stored in a file on disk.
The infection chain begins when a user plugs in a compromised removable device and manually executes a renamed signed binary from the root directory of the storage volume (T1091). The initial binaries—named Removable Drive.exe or USB Drive.exe—are versions of a legitimately signed application called USB Network Gate, developed by the company Electronic Team, Inc. These are used to side-load the MISTCLOAK malware that impersonates a legitimate DLL.
- Phase 2: DarkDew
DarkDew is a dropper written in C++ that is capable of infecting removable drives.
The file usb.ini contains an encrypted DLL payload called DARKDEW that is capable of infecting removable drives. If executed from a removable drive, DARKDEW will launch explorer.exe via `explorer.exe “<drive>:\autorun.inf\Protection for Autorun”` where <drive> is a removable drive letter, such as “E”. DARKDEW will then check if either C:\ProgramData\udisk\disk_watch.exe or C:\ProgramData\udisk\DateCheck.exe exist and will create the directory C:\ProgramData\udisk if neither is found.
- Phase 3: BlueHaze
BlueHaze is a launcher written in C/C++ that launches a copy of NCAT to create a reverse shell to a hardcoded command and control (C2).
The renamed Razor application, DateCheck.exe, loads the legitimate file rzlog4cpp_logger.dll, which calls the getRoot function from the BLUEHAZE malware RzLog4CPP.dll during C runtime startup. BLUEHAZE will create a new directory called C:\Users\Public\Libraries\CNNUDTV\, then it will create the registry key value ACNTV under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001) for persistence. Next, BLUEHAZE copies all the files from its working directory to C:\Users\Public\Libraries\CNNUDTV\ and then executes a renamed NCAT executable wuwebv.exe to create a reverse shell to the hard-coded command and control (C2) address: closed[.]theworkpc[.]com:80.
B. Indicators of Compromise
A list of Indicators of Compromise can be viewed on the link below.
- Kindly refer to the official report from Mandiant.: <https://www.mandiant.com/resources/blog/china-nexus-espionage-southeast-asia>
C. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
- Having an anti-virus software and/or host-based detection tool running on the latest version is a must.
- For added security, administrators of Enterprise/SMB may consider disabling USB access for Mass Storage for all workstations.
- In addition, providing and capacitating employees with cybersecurity knowledge and information to minimize threats.
- For additional information, kindly refer to the official report