An analysis of the MNKit exploit generator shows a connection between three cyber-espionage campaigns believed to originate from China.
MNKit is a software package with a limited circulation that can embed exploit code inside Office files in order to create custom malware.
This malware builder is specially adapted to create malicious MHTML files that take advantage of a five-year-old vulnerability in the MS Office suite that leads to remote code execution on targeted systems.
Palo Alto Networks researchers say they’ve identified malware used in three different cyber-espionage campaigns that was generated with this toolkit, leading them to believe that the same group may be behind all three attacks.
MNKit-generated malware used in three separate attacks
The first instance when MNKit-generated MHTML files were used in attacks dates back to 2012 when researchers fromdiscovered a Chinese-linked APT targeting the Tibetan minority in China with the LURK malware, a variation of the Gh0stRAT.
The second incident dates back to 2015 when security researchers fromdiscovered a cyber-espionage group targeting Russian military and telecom organizations with the Saker (Xbox or Mongall) malware.
The third instance they found goes back to the NetTraveler campaign from 2013, detailed in a report. In these incidents, espionage groups targeted the Tibetan and Uyghur and installed instances of the NetTraveler backdoor malware.
“While MNKit has been associated with multiple different groups, the reuse of domain names, IPv4 addresses, phishing themes, XOR schemes, and email accounts are strong evidence for linkage between these new attacks and the previously documented ones,” Anthony Kasza of.
“While attribution is a challenging art, it’s likely whoever is behind these recent attacks is, through infrastructure, malware families and delivery techniques, somehow related to the previously reported attacks,” Kasza added.
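The linkage reasoning Kasza describes (overlap in domains, IP addresses, email accounts, XOR schemes and phishing themes across separately reported campaigns) is a standard threat-intelligence pivot that an analyst can make explicit and repeatable. The script below is an added illustration, not code from Palo Alto Networks or from the article: it takes per-campaign indicator sets, scores each pair of campaigns by weighted shared indicators, and groups campaigns whose score clears a threshold. All indicator values, campaign labels and weights are constructed placeholders (RFC 5737 test addresses and `.test` domains), not the real IoCs behind the reported attacks.

```python
"""Indicator-overlap linkage between campaign reports (added example, not from the article)."""
from itertools import combinations

# Constructed sample data: one indicator set per campaign label. The labels echo the
# three campaigns the article names plus one unrelated control; every value is a
# placeholder (RFC 5737 / .test), NOT a real indicator from the reported attacks.
CAMPAIGNS = {
    "lurk_2012": {
        "domain": {"update.example-c2.test"},
        "ip": {"203.0.113.10"},
        "email": {"sender1@example.test"},
        "xor_key": {"0x7a"},
        "theme": {"tibet"},
    },
    "saker_2015": {
        "domain": {"update.example-c2.test", "mail.example-relay.test"},
        "ip": {"198.51.100.7"},
        "email": {"sender1@example.test"},
        "xor_key": {"0x7a"},
        "theme": {"russian-military"},
    },
    "nettraveler_2013": {
        "domain": {"news.example-portal.test"},
        "ip": {"198.51.100.7"},
        "email": {"sender2@example.test"},
        "xor_key": {"0x5c"},
        "theme": {"uyghur", "tibet"},
    },
    "unrelated_2016": {
        "domain": {"cdn.example-other.test"},
        "ip": {"192.0.2.44"},
        "email": {"sender3@example.test"},
        "xor_key": {"0x11"},
        "theme": {"finance"},
    },
}

# Assumed weights: how much a shared indicator of each kind counts as linkage evidence.
# Registered infrastructure and sender accounts are specific to an operator; a phishing
# theme alone is weak, since many unrelated groups lure the same audiences.
WEIGHTS = {"domain": 3, "ip": 2, "email": 3, "xor_key": 2, "theme": 1}


def shared_indicators(a, b):
    """Return {kind: set(shared values)} for two campaigns, omitting kinds with no overlap."""
    out = {}
    for kind in WEIGHTS:
        common = a.get(kind, set()) & b.get(kind, set())
        if common:
            out[kind] = common
    return out


def link_score(a, b):
    """Weighted count of shared indicators between two campaigns."""
    return sum(WEIGHTS[k] * len(v) for k, v in shared_indicators(a, b).items())


def pairwise_scores(campaigns):
    """Score every unordered pair; keys are sorted (name_a, name_b) tuples."""
    return {
        tuple(sorted(pair)): link_score(campaigns[pair[0]], campaigns[pair[1]])
        for pair in combinations(campaigns, 2)
    }


def clusters(campaigns, threshold):
    """Union-find over pairs whose score reaches threshold; returns sorted list of frozensets."""
    parent = {name: name for name in campaigns}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for (a, b), score in pairwise_scores(campaigns).items():
        if score >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in campaigns:
        groups.setdefault(find(name), set()).add(name)
    return sorted((frozenset(g) for g in groups.values()), key=lambda s: sorted(s))


if __name__ == "__main__":
    for pair, score in sorted(pairwise_scores(CAMPAIGNS).items()):
        shared = shared_indicators(CAMPAIGNS[pair[0]], CAMPAIGNS[pair[1]])
        print(f"{pair[0]:>17} <-> {pair[1]:<17} score={score:2d} shared={shared}")
    for t in (2, 5):
        print(f"threshold {t}: {[sorted(c) for c in clusters(CAMPAIGNS, t)]}")
```

Running it on the constructed data links the first two campaigns strongly (shared C2 domain, sender account and XOR key) and the third only weakly through one shared IP, while the control campaign stays isolated at any threshold. The threshold is the analyst's judgement call that Kasza's "attribution is a challenging art" remark points at: a low bar merges everything that touches shared hosting, a high bar demands several independent overlaps before asserting a common operator.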