Cybersecurity specialists have identified a new cyber-espionage campaign, called Victory Backdoor, that targets diplomatic and government entities in Southeast Asia. While the perpetrator has yet to be identified, researchers report that the attack likely originates in China, given the type of entities being targeted and the fact that the attackers used the RoyalRoad builder to create the malicious RTF files.

The malware was named Victory Backdoor by the researchers who analyzed its functionality. Based on their findings, Victory Backdoor is designed to gather information while maintaining a persistent access channel to compromised devices. Its functionality includes taking arbitrary screenshots, manipulating the file system (reading, renaming, creating or deleting files on the device), collecting data about top-level open windows, and shutting down the computer if required.

The victims were approached via phishing emails carrying the aforementioned weaponized RTF attachment. What is notable about Victory Backdoor is that it appears to have been in development for a long time: the first versions of the payload were compiled over three years ago.

While Victory Backdoor is a distinct malware threat, researchers were able to discover significant overlaps between it and files submitted to VirusTotal in 2018. The way the backdoor functionality is implemented is effectively identical, and the similarities do not stop there: the files, named MClient by their author, and Victory Backdoor also use the same format in their communication method and share identical XOR keys.

The earlier versions included a broader set of malicious functionality. For example, they possessed keylogging capabilities, which are missing from Victory Backdoor. This led the researchers to conclude that the attackers may have decided to split the capabilities of their initial malware versions into several separate modules. Unfortunately, as this is a new threat, little information is available yet; the best we can do is remain vigilant and keep our systems protected.

See also:
PortDoor, the backdoor malware targeting Russia
XcodeSpy new malicious project against MacOS

