A cyberattack campaign using malicious RTF documents has been targeting government IT agencies in Eastern Asia, according to research published today by Proofpoint.
Dubbed Operation LagTime IT, the campaign uses the malicious documents to deliver the custom Cotx RAT to technology agencies responsible for overseeing government network infrastructure. Proofpoint has attributed the campaign to the Chinese threat group known as TA428. Researchers believe the likely motivation is espionage on capabilities such as 5G, along with establishing a beachhead for future attacks.
“Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT,” researchers wrote in today’s blog post.
According to the research, the malicious RTFs were first delivered via Yahoo accounts and came from senders whose names closely mirrored those within the targeted entities. The email subjects were crafted with convincing IT-related themes relevant to government or public training in Asia.
“On one specific occasion an email utilized the subject 'ITU Asia-Pacific Online CoE Training Course on "Conformity & Interoperability in 5G" for the Asia-Pacific Region, 15-26 April 2019' and the attachment name '190315_annex 1 online_course_agenda_coei_c&i.doc.' The conference referenced in the lure was an actual event likely selected due to its relevance to potential victims. This is significant as countries in the APAC region continue to adopt Chinese 5G technology in government as well as heavy equipment industries,” researchers wrote.
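The lures described above arrive as RTF attachments whose embedded OLE object targets Microsoft Equation Editor. The following triage script is an added example (it is not Proofpoint's tooling, and the RTF samples in it are constructed rather than real campaign attachments): it walks each `\object` group in an RTF, hex-decodes the `\objdata` payload, and flags the object if the RTF class label, the OLE 1.0 class name, or the Equation Editor CLSID inside the embedded storage points at EQNEDT32. Checking all three matters because the `\objclass` label and the OLE class name are attacker-controlled text, while the CLSID is what Word uses to pick the COM server. The helper functions `ole1_object` and `rtf_with_object` exist only to build the sample inputs.

```python
"""Triage RTF attachments for embedded Equation Editor OLE objects.

Added example for the RTF + Equation Editor vector discussed above.
Sample RTFs are constructed here; they are not real campaign attachments.
"""
import binascii
import re
import uuid

# CLSID of the Microsoft Equation Editor (EQNEDT32.EXE) COM server, the
# component reached through CVE-2018-0798 / CVE-2017-11882 style RTF lures.
EQNEDT_CLSID = uuid.UUID("0002ce02-0000-0000-c000-000000000046")
# OLE compound files store GUIDs in mixed-endian binary form; bytes_le gives that.
EQNEDT_CLSID_BYTES = EQNEDT_CLSID.bytes_le

OBJCLASS_RE = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")
# The hex run of an \objdata group ends at the group's closing brace.
OBJDATA_RE = re.compile(rb"\\objdata\b([^}]*)")


def extract_objects(rtf: bytes) -> list:
    """Return (objclass, decoded OLE payload) for each \\object group.

    Handles whitespace and newlines inside the hex run, which is how Word
    writes it. Heavily obfuscated RTF (control words or nested groups spliced
    into the hex) needs a real RTF tokenizer such as oletools' rtfobj.
    """
    results = []
    for m in re.finditer(rb"\\object\b", rtf):
        end = rtf.find(b"\\object", m.end())
        chunk = rtf[m.start(): end if end != -1 else len(rtf)]
        cls = OBJCLASS_RE.search(chunk)
        data = OBJDATA_RE.search(chunk)
        hexrun = re.sub(rb"[^0-9A-Fa-f]", b"", data.group(1)) if data else b""
        if len(hexrun) % 2:
            hexrun = hexrun[:-1]  # tolerate a truncated trailing nibble
        results.append((cls.group(1) if cls else b"", binascii.unhexlify(hexrun)))
    return results


def classify_object(objclass: bytes, payload: bytes) -> list:
    """List the reasons an embedded object looks like an Equation Editor vehicle."""
    reasons = []
    if objclass.lower().startswith(b"equation"):
        reasons.append("objclass declares Equation Editor")
    if b"Equation.3" in payload or b"Equation.2" in payload:
        reasons.append("OLE1 class name is Equation.x")
    if EQNEDT_CLSID_BYTES in payload:
        reasons.append("Equation Editor CLSID in embedded storage")
    return reasons


def triage_rtf(rtf: bytes) -> dict:
    """Summarise every embedded object and the signals that fired on it."""
    findings = [{"objclass": c, "size": len(p), "reasons": classify_object(c, p)}
                for c, p in extract_objects(rtf)]
    return {"objects": len(findings), "findings": findings}


def is_equation_editor_lure(rtf: bytes) -> bool:
    return any(f["reasons"] for f in triage_rtf(rtf)["findings"])


# ---- constructed sample inputs (hypothetical helpers, not campaign data) ----

def ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Minimal OLE 1.0 EmbeddedObject record: version, FormatID 2, class name,
    empty topic/item names, then the native data."""
    name = class_name + b"\x00"
    return (b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00"
            + len(name).to_bytes(4, "little") + name
            + b"\x00\x00\x00\x00" * 2
            + len(native).to_bytes(4, "little") + native)


def rtf_with_object(objclass: bytes, payload: bytes) -> bytes:
    """Wrap an OLE payload in an RTF \\object group, hex split across lines."""
    hexdata = binascii.hexlify(payload)
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Agenda attached.\\par\n"
            b"{\\object\\objemb\\objw1440\\objh720{\\*\\objclass " + objclass + b"}\n"
            b"{\\*\\objdata\n" + lines + b"}}\\par}")


CLEAN_RTF = b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\\pard Agenda attached.\\par}"
# Declares itself honestly: both labels say Equation.3.
DECLARED_LURE = rtf_with_object(
    b"Equation.3", ole1_object(b"Equation.3", b"\xd0\xcf\x11\xe0" + b"\x00" * 16))
# Disguised: labels claim a Word document, but the embedded storage carries
# the Equation Editor CLSID, so only the CLSID check catches it.
DISGUISED_LURE = rtf_with_object(
    b"Word.Document.8",
    ole1_object(b"Word.Document.8", b"\xd0\xcf\x11\xe0" + b"\x00" * 8 + EQNEDT_CLSID_BYTES))

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_RTF), ("declared", DECLARED_LURE),
                          ("disguised", DISGUISED_LURE)):
        print(label, is_equation_editor_lure(sample), triage_rtf(sample))
```

A hit on any of the three signals is enough to pull the attachment for sandboxing; the disguised sample shows why stopping at `\objclass` alone gives a false negative.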
“Op LagTime IT is a continuation of a long-running Chinese espionage campaign which is intended to satisfy intel requirements on its regional neighbors,” said Kevin Epstein, vice president, threat operations, at Proofpoint. “The targeting of government IT agencies is both expected and significant as China continues to expand the global footprint of its communications technologies.”