
Research sector targeted in new spear phishing attack using Google Drive

According to Trend Micro researchers, a Chinese government-sponsored advanced persistent threat (APT) group has launched spear-phishing attacks to target education, government, and research sectors worldwide.

The report is unsurprising as earlier this year, researchers linked Google Drive to 50% of malicious MS Office document downloads.

Campaign Details

The attackers deliver custom malware hosted on Google Drive. The attacks were observed between March and October 2022, and the primary targets were located in Japan, Australia, Myanmar, Taiwan, and the Philippines. The espionage group has been active since July 2018.

Chinese Hackers Installing Malware on Government Networks via Google Drive

How Does the Attack Work?

The attackers gain access to the network through decoy documents covering controversial geo-political topics to lure the targeted organizations into downloading and executing the malware.

In some instances, the phishing messages were sent from previously compromised email accounts belonging to specific entities, to improve the campaign's success rate. The archive files display a lure document to the victim.

In the background, however, the archive's contents load malware through DLL side-loading. The attacker then delivers three malware families that download the next-stage payloads. The main backdoor is TONESHELL, installed via the TONEINS shellcode loader.


The attackers bypass security mechanisms by embedding links that point to a Dropbox or Google Drive folder. These links redirect to downloads of compressed files such as ZIP, RAR, and JAR archives containing custom malware strains like PubLoad and TONESHELL.
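The archive layout described above (a visible lure document beside an executable that side-loads a planted DLL) can be triaged from the file listing alone, before anything is extracted. The following Python script is an added example for defenders, not code from Trend Micro or from this article; the archive contents, file names and placeholder bytes are all constructed here for demonstration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a lure document would carry, and extensions that actually execute.
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".txt"}
EXEC_EXT = {".exe", ".scr", ".com", ".lnk"}


def _suffix(name: str) -> str:
    return PurePosixPath(name).suffix.lower()


def triage_archive(data: bytes) -> dict:
    """Flag the lure-document + DLL side-loading layout from a ZIP listing only.
    Nothing is extracted or run; a mail gateway can apply this check cheaply."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    exes = [n for n in names if _suffix(n) in EXEC_EXT]
    dlls = [n for n in names if _suffix(n) == ".dll"]
    docs = [n for n in names if _suffix(n) in DOC_EXT]
    # An executable whose stem ends in a document extension ("Update.docx.exe")
    # is dressed up to look like the lure it displays.
    disguised = [n for n in exes
                 if any(PurePosixPath(n).stem.lower().rstrip().endswith(e) for e in DOC_EXT)]
    # Side-loading needs the planted DLL in the same directory as the EXE that imports it.
    pairs = [(e, d) for e in exes for d in dlls
             if PurePosixPath(e).parent == PurePosixPath(d).parent]
    return {
        "executables": exes, "dlls": dlls, "documents": docs,
        "disguised_executables": disguised, "sideload_pairs": pairs,
        "suspicious": bool(pairs or disguised),
    }


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archives: placeholder bytes only, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Briefing/Regional Update.pdf", b"%PDF-1.4 placeholder decoy")
        if malicious:
            # Layout matching the campaign: disguised EXE plus a DLL beside it.
            zf.writestr("Briefing/Regional Update.docx.exe", b"MZ placeholder")
            zf.writestr("Briefing/helper.dll", b"MZ placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("benign", "malicious"):
        print(label, triage_archive(build_sample(label == "malicious")))
```

The heuristic only covers ZIP listings; RAR and JAR attachments mentioned above would need the same logic applied to their own listing formats.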

“Once the group has infiltrated a targeted victim’s systems, the sensitive documents stolen can be abused as the entry vectors for the next wave of intrusions. This strategy largely broadens the affected scope in the region involved.”

Nick Dai, Vickie Su, Sunny Lu – Trend Micro

Who is the Attacker?

Researchers claim that the group responsible for the attacks has been identified as Mustang Panda, also known as TA416, Red Lich, Earth Preta, HoneyMyte, and Bronze President. Mustang Panda prefers using China Chopper and PlugX malware to collect data from compromised systems.

In its report, Trend Micro noted that Mustang Panda continually evolves its attack tactics to evade detection and uses infection methods that allow it to deploy bespoke malware families such as PUBLOAD, TONEINS, and TONESHELL.
