Hackers believed to have ties to the Vietnamese government have been engaged in a spearphishing campaign aimed at the Chinese state organizations responsible for managing the coronavirus pandemic, in search of information related to the COVID-19 crisis.
According to FireEye, the hacking group Ocean Lotus, also known as APT32, has been targeting members of the Wuhan government (where the pandemic is believed to have started) and the Chinese Ministry of Emergency Management with spearphishing emails between at least January and April 2020.
While APT32 has long been known for targeted attacks against Asian entities, FireEye believes this recent activity is part of an overall increase in coronavirus-related cyberespionage by nations seeking solutions and nonpublic information.
The first attacks were observed in early January, when the hackers sent a spearphishing email to China's Ministry of Emergency Management containing an embedded tracking link that carried the victim's email address and reported back to the attackers if the email was opened.
The emails sent to Wuhan officials all had return addresses associated with the Ministry of Emergency Management.
“APT32 likely used COVID-19-themed malicious attachments against Chinese-speaking targets. While we have not uncovered the full execution chain, we uncovered a METALJACK loader displaying a Chinese-language-titled COVID-19 decoy document while launching its payload,” the researchers said.
The METALJACK loader also loads shellcode containing the primary payload, which collects the victim's computer name and username and appends those values to a URL on libjs.inquirerjs[.]com. It then attempts to call out to that URL. If the callout succeeds, the malware loads the METALJACK payload into memory.
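The beacon described above, where the computer name and username are embedded in the callout URL, gives defenders two things to look for in proxy logs: the reported domain, and URLs that carry a known endpoint's hostname and username together. The following is an added detection example, not code from FireEye's report; the log format, the endpoint inventory and the query-parameter names (`cn`, `u`) are constructed assumptions, since the page does not give the real URL layout.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_LOGS = [
    "2020-01-14T09:12:03Z 10.0.5.21 GET http://libjs.inquirerjs.com/v2/init?cn=WS-FIN-07&u=lzhang 200",
    "2020-01-14T09:12:09Z 10.0.5.21 GET https://cdn.example-corp.test/static/app.js 200",
    "2020-01-14T09:13:44Z 10.0.5.33 GET http://updates.example-corp.test/check?id=4421 304",
    "2020-01-14T09:15:02Z 10.0.5.33 POST http://203.0.113.9/r/WS-HR-02/mwu 200",
]

# Constructed endpoint inventory: client IP -> (computer name, logged-on username).
HOST_INVENTORY = {
    "10.0.5.21": ("WS-FIN-07", "lzhang"),
    "10.0.5.33": ("WS-HR-02", "mwu"),
}

# Domain named in the report, with the defanged "[.]" restored.
KNOWN_C2_DOMAINS = {"libjs.inquirerjs.com"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify(line):
    """Return the alert reasons for one proxy log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    _ts, client, _method, url, _status = m.groups()
    parts = urlsplit(url)
    reasons = []
    if parts.hostname in KNOWN_C2_DOMAINS:
        reasons.append("known_c2_domain")
    inv = HOST_INVENTORY.get(client)
    if inv:
        hostname, user = inv
        # Require both values in path+query; a username alone is too common a token.
        haystack = (parts.path + "?" + parts.query).lower()
        if hostname.lower() in haystack and user.lower() in haystack:
            reasons.append("host_and_user_in_url")
    return reasons


def scan(lines):
    """Return (client, url, reasons) for every flagged line, in log order."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m.group(2) if m else None, m.group(4) if m else line, reasons))
    return hits
```

The second rule catches the same beacon pattern even when the domain changes, which is why it is worth keeping alongside the indicator match.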
“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted. Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally,” FireEye concluded.