Mofang, which means “to imitate” in Chinese, is a recently found cyber-espionage group which has targeted many countries worldwide. The main malware of this group is called ShimRat and it was discovered in February 2012 by the security firm Fox-IT.
Despite the fact that the first attacks were registered back in February, the group sprang to life last month, when the attacks with ShimRat intensified. At first their target was the Ministry of Commerce in Myanmar, and then they turned to two German companies in the automotive industry.
The attacks continued in January 2013, when Mofang hit a Canadian organization, then in April and August 2013, against some other unknown organizations. The cyber-espionage group finished 2013 with a significant peak in September, when the attackers hit a US government agency, and several companies in Singapore and India.
In 2014, the cyber-espionage group was rather busy with the attacks in February – against a South Korean company; in April against a Myanmar government entity and Canadian and US companies; in June against a US company; and in November hitting an unknown organization.
The attacks continued during the past year, when Mofang hit Myanmar government agencies and private companies in four different incidents.
When compared to other APTs, Mofang has a distinct mode of operation. The cyber-espionage group doesn’t rely on exploits to infect a target’s computers, but it only uses social engineering, mainly via a careful target selection and specifically crafted spear-phishing emails.
When a target is compromised, the group first carries out reconnaissance, mapping the local network and searching for data worth stealing. After that, Mofang deploys faux infrastructure on infected targets, usually in the form of tainted security software, which at a later stage help the group deliver its malware payload, the ShimRat remote access trojan.
Usually, the group sends spear-phishing emails which contain Word, PDF or Excel files. If users open these files, the executables for legitimate applications are dropped and executed on their computers. These applications are legitimate, usually from companies such as McAfee, Symantec or Norman. Mofang uses DLL hijacking to disguise its malware within these applications.
Later on, the applications drop the ShimRat or ShimRatReporter malware. These two leverage a UAC bypass to escalate their privileges in order to run undisturbed on infected systems. Due to the fact that Mofang uses DLL hijacking, the malware runs from its parent process, which is the legitimate app, usually an antivirus.
ShimRat is a basic remote access trojan which can enumerate connected drives; list, create and modify directories; upload and download files; delete, move, copy and rename files; execute programs; execute commands; and even uninstall itself. At the same time, ShimRatReporter is only a malware dropper. The cyber-espionage group created it in 2014 in order to gather information on infected hosts before delivering its final payload.
ShimRatReporter is capable of collecting information such as IP address, network info, OS info, a list of active processes, browser and proxy configurations, active user sessions, user accounts, and a list of installed software. This information is then sent to a C&C server, from where the crooks give the go-ahead for a ShimRat infection.
Regarding the attribution, the Fox-IT expert Yonathan Klijnsma said that Mofang “almost certainly operates out of China and is probably government-affiliated.”
“It is highly likely that Mofang’s targets are selected based on involvement with investments, or technological advances that could be perceived as a threat to the Chinese sphere of influence,” he stated.
Fox-IT released a report on the activities of Mofang which reveals a possible link between the cyber-attacks and the investments of a Chinese state-owned company that bid on an oil and gas pipeline project in Myanmar.
