Exploit Generator Kit Links Three Cyber-espionage Campaigns Thought to Originate from China

A recent analysis of the MNKit exploit generator reveals a connection between three cyber-espionage campaigns thought to originate from China. MNKit has been categorized as a software package with limited circulation that embeds exploit code inside Office files to create custom malware. The builder is specially adapted for creating malicious MHTML files that take advantage of CVE-2012-0158, a five-year-old vulnerability in the MS Office suite that leads to remote code execution on targeted systems.

Security experts from Palo Alto Networks say they have identified malware, used in three different cyber-espionage campaigns, that was generated with this toolkit. That finding led the experts to believe that the same group may be behind all three attacks.

MNKit-generated MHTML files were first used in attacks in 2012, when Citizen Lab researchers discovered a Chinese-linked APT targeting the Tibetan minority in China with the LURK malware, a variation of Gh0stRAT.

The second incident happened in 2015, when Proofpoint security researchers found a cyber-espionage group targeting Russian military and telecom organizations with the Saker malware.

The third attack leads back to the NetTraveler campaign from 2013, described in a report by Kaspersky Lab. In all the above-mentioned incidents, espionage groups targeted Tibetans and Uyghurs and installed instances of the NetTraveler backdoor malware.

“While MNKit has been associated with multiple different groups, the reuse of domain names, IPv4 addresses, phishing themes, XOR schemes, and email accounts are strong evidence for linkage between these new attacks and the previously documented ones,” said Anthony Kasza of Palo Alto.

“While attribution is a challenging art, it’s likely whoever is behind these recent attacks is, through infrastructure, malware families and delivery techniques, somehow related to the previously reported attacks,” Kasza explained.
