GroundPeony Group Exploiting Zero-day Flaw

GroundPeony, a cyber attack group targeting the Taiwanese government, was discovered in March 2023. The campaign used several tactics, including tampering with legitimate websites to distribute malware, URL obfuscation, and multi-stage loaders.

Further investigation revealed that a China-nexus attack group was responsible for the attack, which exploited CVE-2022-30190, commonly known as Follina. The group has since been named “GroundPeony” by nao-sec.

GroundPeony or UNC3347 (Uncategorized Groups)

GroundPeony has been active since 2021 and has targeted government organizations in East and South Asia, especially Taiwan and Nepal.

The group has been exploiting Follina and is suspected to have access to a zero-day or to be capable of developing one. For these reasons, GroundPeony is considered an APT group with a high level of skill and motivation.

In addition, the malware used by GroundPeony has been present on VirusTotal since 2021, and the group's oldest attack campaign dates back to April through June 2022, when attacks against Nepal, India, and other countries took place.

Technical Analysis

The APT group begins by sending a spear-phishing email with an attached DOC file that embeds a URL pointing to a ZIP download. The ZIP file contains an EXE file and a DLL file, which are executed to install the malware.

Latest Attack Flow (Source: nao-sec)

The threat actors used discussions on maritime matters between Taiwan and the USA as the body of the email to make it appear legitimate. The DOC file, named “Regarding bilateral consultations with the USA”, was attached to this email and sent to the victims.

Spear-phishing email used by threat actors

The DOC file contains text stating that an error has occurred and a patch needs to be applied, with a link pointing to the “update” (the malicious ZIP file).

Clicking to download the update retrieves the ZIP file, which contains the malware.

Malicious DOC file attached with the spear phishing email

Further investigation of the URL showed that, although it mimics a Microsoft address, it is actually a Cuttly link (a URL shortener and link management platform).

The URL opens a Cuttly page that redirects to a Taiwanese educational institution's website compromised by the threat actors. This website hosts the ZIP archive containing the malware.

ZIP file containing malware files (Source: nao-sec)

Once the EXE file (Install.exe or 系統安全補丁.exe) is executed, it copies 4 files from the $RECYCLE.BIN folder to the mic directory in the C:\Program Data folder, renaming them mic.exe, version.dll, mic.doc, and mic.ver.

mic.exe is a legitimate, digitally signed executable, whereas version.dll is a side-loaded DLL that acts as a shellcode launcher for mic.doc. mic.doc is a shellcode downloader, and mic.ver is the config file for micDown.
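As an added illustration of the side-loading pattern described above (not code from nao-sec or from the original article), the following Python snippet flags Sysmon-style ImageLoad records in which a DLL that normally lives in System32 is loaded from the loading process's own directory. version.dll is the name from the write-up; the other DLL names, the field names and the sample events are assumptions constructed for the example.

```python
"""Flag Sysmon-style ImageLoad events where a DLL that normally lives in
System32 is loaded from the loading process's own directory instead."""
from pathlib import PureWindowsPath

# DLL names commonly abused for side-loading. version.dll is the one named in
# the GroundPeony write-up; the others are assumed additions for illustration.
SIDELOAD_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_sideload(event: dict) -> bool:
    """True when a watched DLL is loaded from the process's own directory
    and that directory is not a Windows system directory."""
    image = PureWindowsPath(event["Image"])
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() not in SIDELOAD_DLLS:
        return False
    dll_dir = str(loaded.parent).lower()
    if dll_dir.startswith(SYSTEM_DIRS):  # str.startswith accepts a tuple
        return False
    return dll_dir == str(image.parent).lower()


def find_sideloads(events):
    """Return the subset of events that look like DLL side-loading."""
    return [e for e in events if is_sideload(e)]


# Constructed sample events (not real telemetry), shaped like Sysmon event 7.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\mic\mic.exe",
     "ImageLoaded": r"C:\ProgramData\mic\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\ProgramData\mic\mic.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for e in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {e['Image']} loaded {e['ImageLoaded']}")
```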

nao-sec has published a complete report on the malware covering its behavior, obfuscation, methodology, and other details.

Indicators of Compromise

03[.]199.17.184
160[.]20.145.111
172[.]93.189.239
*.onedrivo[.]com