EXECUTIVE SUMMARY:

Introduction

A well-known research group discovered a new campaign against the Mongolian public sector that exploits the fear surrounding the Coronavirus to deliver previously unknown malware to its targets.

A closer look at this campaign allowed the researchers to tie it to other operations carried out by the same unnamed group, dating back to at least 2016. Over the years, these operations have targeted different sectors in multiple countries, including Ukraine, Russia, and Belarus.

Lure Documents

The investigation started when the researchers identified two suspicious RTF documents sent to a Mongolian public sector entity. Both documents were written in Mongolian, and one of them purported to come from the Mongolian Minister of Foreign Affairs.

Infection Chain

After the victim opens the specially crafted RTF document and Microsoft Word is exploited, a file named intel.wll is dropped into the per-user Word Startup folder: %APPDATA%\Microsoft\Word\STARTUP.

This persistence technique is also used by newer versions of the so-called RoyalRoad RTF weaponizer. Each time Microsoft Word is launched, it loads every file with a .wll extension in its Startup folder as a Word add-in DLL, so the dropped intel.wll runs as well and the rest of the infection chain is triggered. No registry key or scheduled task is needed: the file's location and extension alone are enough for Word to execute it.
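A quick way to hunt for this technique on a Windows host is to enumerate the Word Startup folders and list every .wll file found there, together with its hash and Authenticode signature status. The following PowerShell script is an added example for this summary, not code from the report or the research group; the per-user path is the one named in the report, while the per-profile enumeration under C:\Users and the search for machine-wide Office STARTUP folders under Program Files are assumptions about typical installations.

```powershell
# Added example: hunt for Word add-in DLLs (*.wll) in Word Startup folders.
# Per-user path from the report: %APPDATA%\Microsoft\Word\STARTUP
# The other locations below are assumed typical Office layouts.

$startupPaths = @((Join-Path $env:APPDATA 'Microsoft\Word\STARTUP'))

# Every local user profile (assumption: profiles live under C:\Users)
Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $startupPaths += Join-Path $_.FullName 'AppData\Roaming\Microsoft\Word\STARTUP'
}

# Machine-wide Office STARTUP folder(s) (assumption: Office installed under Program Files*)
$startupPaths += Get-ChildItem -Path 'C:\Program Files*\Microsoft Office*' -Recurse -Directory `
    -Filter 'STARTUP' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

$findings = foreach ($dir in ($startupPaths | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Filter '*.wll' -ErrorAction SilentlyContinue | ForEach-Object {
        # Any .wll here is loaded by Word on every start; record what would be needed for triage.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTimeUtc
            Modified  = $_.LastWriteTimeUtc
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            Signature = $sig.Status          # NotSigned is the common case for a dropped add-in
            Signer    = $sig.SignerCertificate.Subject
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output 'No *.wll add-ins found in the enumerated Word Startup folders.'
}
```

Run it in an elevated session so that other users' profiles are readable. A legitimate environment rarely has any .wll file in these folders, so every hit deserves a look, and unsigned files or files created recently are the first to triage. The same paths make a cheap detection rule: alert on any file-creation event whose target path ends in \Microsoft\Word\STARTUP\ with a .wll extension.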

This is only the beginning of the chain; the full report contains the in-depth analysis.