Chinese APT Installs NanHaiShu RAT against International Opponents

As per F-Secure, the South China Sea (NanHaiShu) RAT was used by the threat group for infecting individual's computers from Philippines Department of Justice, a major global law firm that is involved in arbitration process of South China Sea, and the APEC (Asia-Pacific Economic Cooperation) Summit organizers.

Targets that are selected by the group clearly show China's affiliation. F-Secure further says that in the beginning, the group has used US hosted servers for the C&C infrastructure of RAT, but when military ships were sent by the US to South China Sea, it rapidly moved its operations to the servers that are located in the Mainland China.

The malware was discovered after a ruling in Hague by Permanent Court of Arbitration regarding territorial claims by China for most part of South China Sea, in the case that is brought by Philippines Government.

The malware, which is remote-access Trojan, allows to exfiltrate the data from the infected machines by its controllers. F-Secure say that its wide deployment was done in run-up to the ruling dated 12th July. The campaign appears to have targeted Philippines particularly, whereas the malware named NanHaiShu by the F-Secure seemed to utilize code as well as infrastructure related to China. Targets were infected with malicious files that are attached to the spear-phishing emails.

Softpedia.com posted on August 4th, 2016, stating that the capabilities of NanHaiShu's are regular features that you will found in the RAT, i.e. ability of collecting data to identify PC and then send it to the server, as well as wait for RAT's operator commands, which could be anything like downloading/uploading the files as well as executing commands of CLI.

Technical analysis further revealed notable orientation of the malware towards infrastructure and code associated with Mainland China developers. Due to that, as well as because of the organizations selected for infiltration target are directly pertinent to topics which are considered for strategic national interest to Government of China. Researchers of F-Secure suspect that the malware is originated from China.

The dispute related to South China Sea has been the center of several recent incidents of cyber-security. During the last 3 weeks, the hackers from China have taken the responsibility of attacking Vietnamese airports along with government institutions of Philippines.

» SPAMfighter News - 8/11/2016