A threat group operating from China has been deploying the NanHaiShu RAT (Remote Access Trojan) against China's opponents in the South China Sea arbitration case, which recently concluded with a tribunal at the Permanent Court of Arbitration ruling in favor of the Philippines.
According to F-Secure, this threat group has used the NanHaiShu (South China Sea) RAT to infect the computers of individuals from the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the South China Sea arbitration process.
The group's choice of targets points clearly to Chinese interests. F-Secure also says that the group initially used servers hosted in the US for the RAT's command-and-control (C&C) infrastructure, but quickly moved operations to servers located in mainland China after the US sent warships to the South China Sea.
Group used macro malware to infect targets with the RAT
Targets were infected through malicious files attached to spear-phishing emails. The attachments were XLS or DOC files containing VBA macros, which executed embedded JScript code that installed the RAT.
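The infection chain above (Office attachment, VBA auto-run macro, embedded script dropped and run through Windows Script Host) is a pattern a triage analyst can check for without detonating the file. The following is an added example written for this article, not code from F-Secure's report or from the NanHaiShu samples: it classifies a document container by its magic bytes and, for OOXML files, by the presence of a vbaProject.bin part, and then runs a small indicator scan over extracted VBA source (as produced by a tool such as olevba). The two macro strings and the in-memory OOXML files are constructed for the example; the indicator list and the "suspicious" threshold are the author's assumptions, not a published detection rule.

```python
import io
import re
import zipfile

# Constructed heuristic indicators of a script-dropping macro (assumption for
# this example, not derived from the NanHaiShu samples or F-Secure's report).
VBA_INDICATORS = {
    # procedures that run automatically when the document is opened
    "auto_exec": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open|AutoExec)\b", re.I),
    "wscript_shell": re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.I),
    "filesystem": re.compile(r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    # a script file extension being written or referenced
    "script_file": re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I),
    # Windows Script Host binaries
    "script_host": re.compile(r"\b(wscript|cscript)(\.exe)?\b", re.I),
    "temp_dir": re.compile(r'Environ\s*\(\s*"(TEMP|TMP|APPDATA)"\s*\)', re.I),
    "shell_call": re.compile(r"\bShell\b|\.Run\b|\.Exec\b", re.I),
}

# Secondary indicators; "suspicious" needs an auto-exec entry point plus two of these.
SECONDARY = {"wscript_shell", "filesystem", "script_file", "script_host", "temp_dir", "shell_call"}


def container_kind(data: bytes) -> str:
    """Classify a file as OOXML with/without a VBA project, legacy OLE2, or other.

    OOXML (.docm/.xlsm) can only carry macros in a vbaProject.bin part; a .docx/.xlsx
    that lacks it cannot run VBA. Legacy OLE2 (.doc/.xls, the formats used in this
    campaign) keeps macros in OLE streams and needs a proper OLE parser (e.g. olevba).
    """
    if data.startswith(b"PK\x03\x04"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if any(name.lower().endswith("vbaproject.bin") for name in z.namelist()):
                return "ooxml-macro"
        return "ooxml-no-macro"
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2"
    return "other"


def score_vba_source(src: str) -> dict:
    """Return the indicator hits found in VBA source and a verdict."""
    hits = {}
    for name, rx in VBA_INDICATORS.items():
        found = sorted({m.group(0) for m in rx.finditer(src)})
        if found:
            hits[name] = found
    suspicious = "auto_exec" in hits and len(SECONDARY & hits.keys()) >= 2
    return {"indicators": hits, "suspicious": suspicious}


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML zip in memory (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE2 magic followed by placeholder bytes; real vbaProject.bin is an OLE container
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1placeholder")
    return buf.getvalue()


# Constructed macro mimicking the dropper pattern described in the article: an
# auto-run procedure writes an embedded script to %TEMP% and launches it via wscript.
DROPPER_MACRO = r'''
Sub AutoOpen()
    Dim fso, sh, path, f
    Set fso = CreateObject("Scripting.FileSystemObject")
    path = Environ("TEMP") & "\update.js"
    Set f = fso.CreateTextFile(path, True)
    f.Write ActiveDocument.Variables("payload").Value
    f.Close
    Set sh = CreateObject("WScript.Shell")
    sh.Run "wscript.exe """ & path & """", 0, False
End Sub
'''

# Constructed benign formatting macro for comparison.
BENIGN_MACRO = r'''
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Columns("A:F").AutoFit
    ws.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for flag in (True, False):
        print("container:", container_kind(build_sample_ooxml(flag)))
    for label, src in (("dropper", DROPPER_MACRO), ("benign", BENIGN_MACRO)):
        print(label, score_vba_source(src))
```

The container check is cheap enough to run on every attachment at the mail gateway; the source scan needs the VBA extracted first, and for the legacy XLS/DOC formats used here that means an OLE2 parser rather than the zip listing shown.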
NanHaiShu's capabilities are the standard ones found in a RAT: it collects data that identifies the PC, sends it to a C&C server, and waits for commands from the operator, which range from downloading and uploading files to executing command-line instructions.
RAT used only during the South China Sea arbitration process
F-Secure first saw NanHaiShu activity in January 2015, a month after the Permanent Court of Arbitration announced the Philippines-China arbitration case in December 2014. The last attack was spotted in October 2015, just before the APEC summit took place in the Philippines.
The South China Sea dispute has been at the center of many cyber-security incidents recently. In the last three weeks alone, Chinese hackers have claimed responsibility for attacks on Vietnamese airports and Philippine government institutions.
Below is a timeline of attacks with the NanHaiShu RAT. The infographic is taken from F-Secure's report on NanHaiShu, which is also available online for free.