Application security, Threat Intelligence, Malware, Phishing

APT32 actively spearphishing Chinese officials in a search for COVID-19 data


The suspected Vietnamese threat group APT32 has been conducting a spearphishing campaign against Chinese targets in an attempt to glean information on COVID-19.

FireEye’s Mandiant Threat Intelligence Team reported the attacks have been conducted throughout the pandemic, from early January to date, with the targets including China's Ministry of Emergency Management as well as the government of Wuhan province. APT32 is well-known for targeting Asian entities, but FireEye believes this is part of an overall increase in coronavirus-related cyberespionage activity by nations seeking to protect their citizens from the virus.

“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted,” the report stated.

The first attack took place on January 6 against targets in the Ministry of Emergency Management using the subject line “Report on the first quarter results of office equipment bids.” The emails sent to Wuhan officials all had return email addresses associated with the Ministry of Emergency Management.

Once an email was opened, a report was sent to the attacker’s command and control server, one that was associated with a phishing campaign dubbed Metaljack that took place in December in a separate series of attacks conducted by APT32.

When contacted, the Metaljack loader would kick back to the email one of several preset documents that would appear in its body, usually a news story. At the same time Metaljack would load a shellcode containing the primary payload, which performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL. If the callout is successful, the malware loads the METALJACK payload into memory.

FireEye predicts the current high level of cyberespionage activity will be sustained as long as the pandemic exists.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.