F-Secure has detected a strain of malicious software that appears to target parties involved in the ongoing dispute between the Philippines and China over the South China Sea. The malware, which the researchers named NanHaiShu, is a RAT (Remote Access Trojan, a Trojan that gives attackers remote access), allowing the attackers to steal data from infected computers.
“It seems that this advanced attack, an APT (advanced persistent threat), is closely connected with the dispute and the proceedings between the Philippines and China over the South China Sea” – says Erka Koivunen, cybersecurity advisor at F-Secure. “Not only are all the affected organizations related to this matter in some way, its appearance also coincides with the events and the publication of news on the outcome of the proceedings before the Tribunal in The Hague” – the expert explains.
Among the affected organizations listed in the report were the Philippine Department of Justice, which was involved in the case brought by the Philippines against China; the organizers of the APEC (Asia-Pacific Economic Cooperation) summit, which was held in the Philippines in November 2015; and a large international law firm.
Technical analysis showed links between the code and infrastructure and developers in China. In addition, the infiltrated organizations are directly related to issues that are in the strategic interest of the Chinese government. For all these reasons the researchers are inclined to believe that the malware is of Chinese origin.
“If the suspicions of our researchers are correct, it would mean that the Chinese are using cyber-espionage techniques to gain better insight into what is going on behind the scenes of the arbitration” – says Koivunen.
NanHaiShu is distributed through targeted e-mails (spear phishing) that use industry terminology characteristic of the victim organizations, which indicates that the e-mails were specially prepared for specific recipients. The file attached to the e-mail contains a malicious macro that runs an embedded JScript file. Once installed, NanHaiShu sends data from the infected machine to a remote server and can download any file the attacker chooses.