7 April 2020

DarkHotel APT uses VPN zero-day in attacks on Chinese government servers

Security researchers from Chinese security firm Qihoo 360 have discovered a large-scale hacking campaign aimed at Chinese government agencies. The campaign, attributed to the DarkHotel APT, began in March and targeted Sangfor, a Chinese VPN vendor whose products are used by a number of Chinese governmental agencies. At least 200 VPN servers, each connecting to multiple endpoints, were compromised, the threat intelligence team said.

The targets included Chinese agencies in Afghanistan, Armenia, Ethiopia, India, Indonesia, Iran, Israel, Italy, Kyrgyzstan, Malaysia, North Korea, Pakistan, Saudi Arabia, Tajikistan, Thailand, Turkey, UAE, United Kingdom and Vietnam, as well as domestic government institutions in Beijing and Shanghai.

In order to compromise Sangfor VPN servers, the threat actor exploited a vulnerability in the VPN client's update mechanism, which is triggered automatically when the VPN client connects to the server. Using this bug, the attackers were able to replace SangforUD.exe (the update package for the Sangfor VPN desktop app used to connect to Sangfor VPN servers) with a backdoored clone of their own making, which the client then fetched and ran in place of the real update.
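The defect class described above is a client that runs whatever update file the server hands it, so whoever controls the server controls every client. The usual fix is for the client to pin the vendor's code-signing public key at build time and refuse any update that does not verify against it; a server-supplied hash or manifest is not enough, because the attacker who replaces the binary can replace that too. The following is an added Go example written for this article; it is not Sangfor's code, and the page says nothing about how Sangfor's updater actually validated files. The package layout, file contents and keys are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is what the client fetches from the VPN server: the update
// binary plus a detached signature. The layout is constructed for this
// example; it is not Sangfor's real update format.
type UpdatePackage struct {
	Name      string // e.g. "SangforUD.exe"
	Payload   []byte // the executable bytes the client would run
	Signature []byte // Ed25519 signature over digest(Name, Payload)
}

// ErrUntrustedUpdate is returned for any package that does not verify
// against the key pinned in the client at build time.
var ErrUntrustedUpdate = errors.New("update rejected: signature does not verify against pinned vendor key")

// digest binds the file name to its contents so a valid signature for one
// file cannot be replayed for another. A zero byte separates the fields.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor-side step, run on an offline build machine.
func SignUpdate(priv ed25519.PrivateKey, name string, payload []byte) UpdatePackage {
	return UpdatePackage{
		Name:      name,
		Payload:   payload,
		Signature: ed25519.Sign(priv, digest(name, payload)),
	}
}

// VerifyUpdate is the client-side gate. The server only supplies bytes;
// the decision to trust them rests on a key the server never controls.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return ErrUntrustedUpdate
	}
	if !ed25519.Verify(pinned, digest(pkg.Name, pkg.Payload), pkg.Signature) {
		return ErrUntrustedUpdate
	}
	return nil
}

// ScenarioResult records which of three server-supplied packages the client
// would have installed.
type ScenarioResult struct {
	GenuineInstalled  bool // vendor-signed update
	SwappedInstalled  bool // payload swapped for a clone, vendor signature left in place
	ResignedInstalled bool // clone re-signed with the attacker's own key
}

// Scenario replays the attack shape from the article with constructed data:
// an attacker who controls the server replaces the update's bytes, first
// leaving the original signature in place, then signing with their own key.
func Scenario() (ScenarioResult, error) {
	var res ScenarioResult
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader) // vendor's offline key (simulated)
	if err != nil {
		return res, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker's key (simulated)
	if err != nil {
		return res, err
	}

	genuine := SignUpdate(vendorPriv, "SangforUD.exe", []byte("genuine updater bytes (constructed)"))

	swapped := genuine // struct copy; only the payload is replaced below
	swapped.Payload = []byte("backdoored clone (constructed)")

	resigned := SignUpdate(attackerPriv, "SangforUD.exe", swapped.Payload)

	res.GenuineInstalled = VerifyUpdate(vendorPub, genuine) == nil
	res.SwappedInstalled = VerifyUpdate(vendorPub, swapped) == nil
	res.ResignedInstalled = VerifyUpdate(vendorPub, resigned) == nil
	return res, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine installed: %v\nswapped installed: %v\nre-signed installed: %v\n",
		res.GenuineInstalled, res.SwappedInstalled, res.ResignedInstalled)
}
```

Only the vendor-signed package passes; the swapped payload fails because the signature no longer matches the digest, and the re-signed clone fails because the client trusts the pinned vendor key, not whatever key the server happens to present. The real work in deploying this is keeping the signing key off the update servers entirely, so that a server compromise like the one described here cannot mint valid updates.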

This allowed the hackers to plant a backdoor on the target devices and execute code via shellcode fetched from the cloud. The entire attack, researchers said, is sophisticated and well-concealed. The first-stage shellcode gathers system information and sends it to the command-and-control server. In the second stage, the backdoor installs malicious DLL components, which persist on the system by hijacking the printer service.

The security firm reported the zero-day vulnerability to Sangfor on April 3. The vendor confirmed that Sangfor VPN servers running firmware versions M6.3R1 and M6.1 are vulnerable.

DarkHotel is an advanced persistent threat group that is believed to be operating from East Asia. Active since at least 2007, DarkHotel APT has been known for a long-running series of cyber espionage campaigns against corporate executives, government agencies, defense industry, electronics industry and other important sectors in China, North Korea, Japan, Myanmar, Russia and other countries.
