Check Point revealed that Chinese hackers created “Jian,” an attack tool that was designed to exploit a zero-day vulnerability in Microsoft’s operating systems from Windows XP to Windows 8, by cloning “EpMe,” a software developed by the Equation Group, a highly sophisticated threat group linked to the US National Security Agency, ZDNet reports.
Analysts once theorized that Jian was developed by APT31, a Chinese advanced persistent threat group also known as Zirconium. Check Point says Jian was being used in attacks between 2014 and 2017, until the hacking group Shadow Brokers released EpMe to the public in 2017 along with a number of tools and files that belonged to the Equation Group, and Microsoft patched the CVE-2017-0005 vulnerability that same year.
The cybersecurity researchers theorized that APT31 may have acquired and repurposed EpMe either when the Equation Group attacked a Chinese target, after an attack by APT31 on Equation Group systems, or while Equation Group was active in a network also being monitored by APT31.
Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.
Malicious posts detailing instructions for downloading cracked software on torrent trackers and forums enable deployment of SteelFox and acquisition of administrator access, which is then leveraged to establish a WinRing0.sys driver susceptible to privilege escalation via the CVE-2020-14979 and CVE-2021-41285 flaws, according to an analysis from Kaspersky.
Malicious emails purporting to be invoices that contain ZIP attachments have been delivered to facilitate the execution of a WebDAV-retrieved DLL that loads the updated Strela Stealer variant.