nccTrojan Used by TA428 Threat Actor
A recent report published by security researchers with Kaspersky ICS CERT details a series of attacks against military sector entities located in Eastern Europe and Afghanistan. The report was published in August 2022 but the attacks took place some eight months earlier, in January of the same year.
The attacks are linked to a threat actor known as TA428 which is believed to be a Chinese entity. One of the tools TA428 employed in their attacks on the military research and production facilities in Europe and Afghanistan is a tool named nccTrojan.
The payload for nccTrojan is downloaded as a DLL inside a compressed .cab file with a seemingly random name. The payload is extracted with the expand utility already present on the victim system, into an existing directory that belongs to some legitimate application. Examples given in the report include Adobe folders, Intel shader cache directories and antivirus software directories.
The malicious DLL file is registered as a service, which allows the payload to run automatically on system boot. Once launched, nccTrojan connects to its command-and-control infrastructure and waits for commands. It can perform a range of tasks including executing commands, launching executable files, killing processes, deleting files and folders, and collecting information on drives connected to the system.
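The delivery step described above (a .cab unpacked with the built-in expand utility into a trusted application directory) leaves a process-creation trail that can be hunted for. The following is an added example written for this page, not code from the report or from Kaspersky ICS CERT: it runs a simple check over constructed process-creation events; the .cab names, paths and the list of directory patterns are assumptions and should be tuned to the software installed in the environment.

```python
import re
from typing import Dict, List

# Constructed process-creation events for this example (not taken from the report);
# the fields mimic a Sysmon Event ID 1 / Windows 4688 record. The .cab names are
# placeholders standing in for the random names the report describes.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\expand.exe",
     "cmdline": r'expand.exe C:\Users\Public\k3j9x2.cab "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plugin.dll"'},
    {"image": r"C:\Windows\System32\expand.exe",
     "cmdline": r'expand.exe -F:* C:\Temp\update.cab C:\Temp\update'},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir'},
    {"image": r"C:\Windows\System32\expand.exe",
     "cmdline": r'expand.exe C:\ProgramData\q8z1.cab "C:\ProgramData\Intel\ShaderCache\igd.dll"'},
]

# Drop locations of the kind the report names (application folders, shader caches,
# antivirus directories). The concrete patterns are assumptions for this example.
SUSPICIOUS_DEST = re.compile(
    r"\\(Adobe|ShaderCache|Windows Defender|ESET|Kaspersky Lab)\\", re.IGNORECASE)

def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths intact."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def expand_destination(cmdline: str) -> str:
    """Return expand.exe's destination (its last non-option argument), or ''."""
    args = [t for t in _tokens(cmdline)[1:] if not t.startswith("-")]
    # expand needs a source .cab and a destination; anything shorter is not an extraction
    return args[-1] if len(args) >= 2 else ""

def find_suspicious_expands(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag expand.exe runs that unpack a .cab into a trusted application directory."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\expand.exe"):
            continue
        if ".cab" not in ev["cmdline"].lower():
            continue
        dest = expand_destination(ev["cmdline"])
        if dest and SUSPICIOUS_DEST.search(dest):
            findings.append({"cmdline": ev["cmdline"], "destination": dest,
                             "reason": "cab expanded into legitimate application directory"})
    return findings

if __name__ == "__main__":
    for f in find_suspicious_expands(SAMPLE_EVENTS):
        print(f["reason"], "->", f["destination"])
```

Pair this with a review of services whose binary or ServiceDll path points into the same directories, since the report describes the dropped DLL being registered as a service.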