Researchers at the Acronis Threat Research Unit (TRU) have uncovered a troubling trend where hackers are exploiting current news headlines to target U.S. government entities. Eschewing complex exploits, these cybercriminals utilize a more straightforward method: leveraging public curiosity about current events.
In a report by Ilia Dafchev and Subhajeet Singha, the researchers outlined a campaign that capitalizes on the ongoing geopolitical tensions between the United States and Venezuela. The attack begins with a deceptive file named “US now deciding what’s next for Venezuela.zip.” This tactic mirrors classic social engineering strategies that entice individuals to click on links connected to high-profile news stories without due diligence.
The Backdoor Strategy
The attack employs DLL sideloading, a technique in which a malicious library is placed next to a legitimate, trusted application that loads it by name, so the malicious code runs under the cover of a benign, often signed, program. In this instance, the hackers renamed a legitimate music player from Tencent to “Maduro to be taken to New York.exe.”
When the renamed music player is executed, it loads a malicious library named kugou.dll that sits alongside it. This file is the backdoor, which the researchers have dubbed LOTUSLITE. Once active, it gives the attackers access to the compromised machine, letting them collect files, capture the user’s screen, and execute commands remotely, as if they were sitting at the workstation.
To blend in with normal traffic, the malware disguises its communications as those of Googlebot, Google’s legitimate web crawler, and sends the stolen information to 172.81.60.97, an IP address located in Phoenix, Arizona.
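From the defender's side, the two observables above (a Googlebot user-agent coming from an internal workstation, which a real crawler never produces, and traffic to the published C2 address) are easy to check in proxy logs. The following is an added example, not code from the Acronis report; the log format and the client IP addresses are constructed, and only the C2 address comes from the report.

```python
import ipaddress
import re

# Constructed sample proxy log lines (not from the Acronis report). Format assumed:
# <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
2024-01-15T10:02:11Z 10.20.5.14 GET http://www.example.com/news/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-01-15T10:02:19Z 10.20.5.14 POST http://172.81.60.97/upload 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2024-01-15T10:03:02Z 10.20.7.3 GET http://intranet.corp.local/ 200 "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
2024-01-15T10:04:40Z 10.20.9.8 GET http://cdn.example.net/lib.js 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"
"""

# The only page-sourced indicator: the C2 address named in the Acronis TRU report.
KNOWN_C2 = {"172.81.60.97"}

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
HOST_RE = re.compile(r'^https?://([^/:]+)')


def analyze_proxy_log(text):
    """Return a list of alerts for log lines matching LOTUSLITE-style observables."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the scan
        ts, client, _method, url, _status, ua = m.groups()
        host_match = HOST_RE.match(url)
        host = host_match.group(1) if host_match else url
        reasons = []
        # Googlebot is an inbound crawler; a crawler UA sent *by* an internal client
        # is a spoof. Restrict to private source ranges to avoid flagging edge devices.
        if "googlebot" in ua.lower() and ipaddress.ip_address(client).is_private:
            reasons.append("crawler user-agent from internal client")
        if host in KNOWN_C2:
            reasons.append("destination matches published C2 indicator")
        if reasons:
            alerts.append({"time": ts, "client": client, "dest": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze_proxy_log(SAMPLE_LOG):
        print(alert)
```

Tune the user-agent rule for any internal tooling that legitimately sends a crawler user-agent; the C2 match needs no tuning but will only catch this specific infrastructure.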
Clues Leading to Mustang Panda
The Acronis report further reveals peculiarities left in the code by the attackers, including hidden messages that suggest the author claimed to be of Chinese origin, explicitly stating they were not Russian. The team noted that “the loader demonstrates low development maturity,” implying the attackers rushed to implement this scheme while the news was still relevant.
Based on these indicators, the Acronis team has assessed with “moderate confidence” that the China-based hacking group Mustang Panda, also known as HoneyMyte, is behind this operation. This group is notorious for executing rapid espionage efforts by capitalizing on breaking news stories.
The primary objective appears to be espionage, focusing on collecting political and strategic intelligence rather than financial gain. By opting for straightforward methods, the attackers prioritize the efficiency of their actions over technical complexity.
This approach is emblematic of state-sponsored groups aiming for a consistent flow of intelligence. The incident underscores how even a simple email referencing current affairs can serve as a potent tool for espionage against government targets.