The Chinese hackers have been leading a rigorous cyber attack campaign against Indian government agencies as well as residents in a bid to steal sensitive information. This comes amid persisting border tensions between the two countries. The recent attacks came into light in early July, a few days after the Indian government blocked 59 China-made apps citing privacy concerns. The move was made by India following a violent border skirmish in Galawan.

Reports suggest a new Chinese APT group being the brain behind these cyber attacks. The members of this APT group primarily leverage three different techniques. A report by Malwarebytes reveals that the group used spear-phishing emails to drop variants of MgBot malware and Cobalt Strike. The group also used bogus Android applications to gather contacts, SMS messages and call records.

The Chinese cyber attackers also targeted Hong Kong. The primary reason behind this action is believed to be the recent passage of a highly-controversial security law in Hong Kong, issued by China. The lures used in this rigorous campaign indicate that the threat actor may be targeting individuals in Hong Kong, as well as the Indian government, or those who might oppose the new law.

The spear-phishing ‘variant’ of the attack issued an alert to all ‘gov.in’ recipients, stating that they needed to complete a security check since some of their email addresses had leaked. These phishing mails came with a “Mail security check.docx” attachment, which employed a template injection upon opening, which in turn downloaded a remote template and executed an obscure version of Cobalt Strike.

A second version of the attack, detected a day later, replaced the malicious version of Cobalt Strike with n updated version of MgBot malware. The third version of the attack used an embedded document with a statement about Hong Kong from Boris Johnson, UK Prime Minister, who allegedly promised to admit three million Hong Kongers to his country.

The document contained malicious commands that used dynamic data exchange (DDE) protocol to download and drop the loader (“ff.exe”) masquerading as a Realtek Audio Manager tool. It first detected and thwarted static analysis through the use of a self-modifying code, and ultimately executed the final malware (“pMsrvd.dll”), capturing screenshots, keystrokes, and manage files and processes.

Previously, in late June, Chinese hackers had made over 40,000 cyber attacks on India within a span of five days. The hackers were state-backed, and targeted numerous sectors in India.