Unit 42 has recently been investigating a new malware family called Reaver. While we have identified it as being active since late 2016, Reaver has been used sparingly, with only a small number of unique samples identified. Its targets have been movements the Chinese government considers dangerous, also known as the “Five Poisons.” We found that the Reaver malware family shares command-and-control (C2) infrastructure with the SunOrcal malware family, and that the two have been used concurrently since late 2016.
While investigating Reaver we recently also discovered a new variant of the SunOrcal malware family. While the SunOrcal malware family has been confirmed to have been active since 2013, possibly even earlier, this new variant has been observed targeting regions outside of the typical target radius for this threat group, now expanding to include Vietnam and Myanmar.
Emails were sent to targets containing malicious attachments. Targeting a Vietnamese-speaking audience, one of the malicious documents mentions Donald Trump and the disputed South China Sea area. This is a classic lure technique – including something the target will find interesting or important, causing them to open the file and download the malware onto the victim’s system.
These malware attacks utilize email phishing and rely on targets opening the malicious email attachment. Security awareness is critical to avoid falling victim to such an attack.
If you are unsure of the legitimacy of an email, contact the sender directly over the phone, or reach the site by typing a trusted URL directly into your browser or by using a saved bookmark. Additionally, keeping your systems and devices updated with the most current operating system and web browser is a general security best practice, as is enabling multi-factor authentication to prevent an attacker from abusing credentials should they successfully capture them.