Chinese hackers reportedly use new Windows malware to backdoor govt. defense organizations
Kaspersky has attributed a recent attack campaign to a Chinese APT group tracked as TA428. A series of attacks detected in January used new Windows malware to backdoor government entities and defense-industry organizations in Eastern European countries.
TA428 is widely known for its focus on information theft and espionage, and it has historically targeted organizations in Asia and Eastern Europe.
In this campaign the threat actors compromised the networks of dozens of targets. In some cases they took control of the victims' entire IT infrastructure by hijacking the systems used to manage the organizations' security solutions.
Kaspersky ICS CERT researchers stated that the attacks targeted industrial plants, design bureaus and research institutes, government agencies, ministries and departments in several Eastern European countries, specifically Belarus, Russia and Ukraine.
The researchers also concluded from their analysis that cyberespionage was the goal of this series of attacks.
The Chinese cyberspies gained initial access through spear-phishing emails. The emails contained confidential information about the targeted organizations, which lent them credibility, along with malicious Microsoft Office documents exploiting CVE-2017-11882 (a memory corruption vulnerability in the Office Equation Editor). Successful exploitation was used to deploy the PortDoor malware.
PortDoor was previously used by Chinese state-backed hackers in coordinated spear-phishing attacks in April 2021. In the later stages of the current attacks, the group installed additional malware that has been linked to TA428 in the past, as well as a new malware strain named CotSam.