Southeast Asia Government Entities Targeted by the Victory Backdoor
Security researchers have identified a new cyber-espionage campaign targeting diplomatic and government entities in Southeast Asia. The perpetrator has not yet been identified, but the researchers assess that it most likely operates from China, based on the type of entities being targeted and on the use of the RoyalRoad weaponizer to build the malicious RTF documents. Beyond these two findings, the campaign also introduces a previously unseen malware family, the Victory Backdoor.
The victims were approached through spear-phishing emails carrying the weaponized RTF attachments described above. Notably, the Victory Backdoor appears to have been in development for a long time: the earliest known versions of the payload were compiled more than three years ago.
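Because the initial access vector is a weaponized RTF attachment, the first thing a defender wants is a way to triage incoming RTF files for embedded objects before anyone opens them. The script below is an added example for this page, not code from the original report or from the researchers who analysed the campaign. It scans an RTF for `\objdata` blobs, decodes the hex-encoded payload, and reports the declared `\objclass` together with whether the payload carries an OLE compound-file header. The sample document is constructed for the example and contains only a header and padding, not a real exploit; the "Equation.3" class name is used because Equation Editor objects are a common vector in weaponized RTFs generally, which is an assumption on my part and not something the article states about this campaign.

```python
import re

# Constructed sample: a tiny RTF carrying one embedded OLE object. The hex
# blob is only the 8-byte OLE compound-file magic plus zero padding; it is
# NOT a real exploit document, just enough to exercise the parser.
SAMPLE_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Equation.3}"
    r"{\*\objdata d0cf11e0a1b11ae100000000000000000000}}"
    r"\par Quarterly summary attached.\par}"
)

# Magic bytes that open every OLE compound file (the container format used
# for embedded Office objects).
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# \objclass names the handler Word will load for the object; \objdata holds
# the object itself as a run of hex digits (whitespace and newlines allowed).
OBJCLASS_RE = re.compile(r"\\objclass\s*([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]+)")


def extract_objects(rtf: str):
    """Return a list of (objclass, payload_bytes) for each \\objdata blob.

    This is a deliberately small decoder: it does not handle \\bin runs or
    the control-word tricks obfuscated samples use. For production triage
    use a full RTF tokenizer such as oletools' rtfobj.
    """
    results = []
    for m in OBJDATA_RE.finditer(rtf):
        # The \objclass for an object precedes its \objdata inside the same
        # \object group, so take the last class declared before this blob.
        classes = OBJCLASS_RE.findall(rtf[: m.start()])
        objclass = classes[-1].strip() if classes else None
        hexdata = re.sub(r"\s+", "", m.group(1))
        if len(hexdata) % 2:  # drop a dangling nibble rather than crash
            hexdata = hexdata[:-1]
        results.append((objclass, bytes.fromhex(hexdata)))
    return results


def triage(rtf: str):
    """Summarise every embedded object with the indicators an analyst wants."""
    findings = []
    for objclass, payload in extract_objects(rtf):
        flags = []
        if payload.startswith(OLE_MAGIC):
            flags.append("ole-compound-file")
        # Assumption for this example: flag Equation Editor objects, a
        # frequently abused handler in weaponized RTFs in general.
        if objclass and "equation" in objclass.lower():
            flags.append("equation-editor-object")
        findings.append({"objclass": objclass, "size": len(payload), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RTF):
        print(f)
```

Any RTF that declares an embedded object whose payload begins with the OLE magic deserves a closer look, regardless of the class name; the class name only tells you which handler Word would invoke. Run the same function over a corpus of mail attachments and review everything that comes back with a non-empty `flags` list.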
The Victory Backdoor gives its operators persistent access to the compromised network and silently exfiltrates data from it. It can manipulate files, capture screenshots, and collect details about the compromised host's hardware and software configuration. Its developers appear to have paid particular attention to protecting the implant's communication with the command-and-control server: that traffic is both encrypted and obfuscated.
So far there is not enough information to attribute the development and use of the Victory Backdoor to a specific Chinese Advanced Persistent Threat (APT) group, but the researchers assess with high confidence that the actor behind it operates from China.