
Sepulcher Malware

Posted: September 3, 2020

The Sepulcher Malware is a RAT or Remote Access Trojan that provides a foothold on infected PCs to collect data and launch other attacks. Its use correlates strongly with the activities of China-based attackers, such as the TA413 group, and with e-mail-based infection strategies. Users should scan e-mail attachments carefully for threats and have anti-malware solutions remove the Sepulcher Malware as soon as it's identifiable.

A Trojan's Resurrection from the Grave with Political Plans

Some threats stay dead for longer than others, and in the Sepulcher Malware's case, that period is relatively short. After an initial operation against government entities (such as diplomatic embassies) in Europe, the Sepulcher Malware reappears with more-traditional targets in mind: Tibetan independence activists. Unsurprisingly, this Trojan is one of many with links to Chinese threat actors, in its case, the TA413 group.

The infection vectors that malware experts are aware of are e-mail-based and use disguised RTF documents or PowerPoint presentations. In its first attacks, the Sepulcher Malware's installer posed as a set of World Health Organization (WHO) guidelines, arriving days after the real ones were published. The Tibet-targeting tactics use a slightly different, still COVID-19-themed lure that's specific to Tibetan politics. Notably, the Sepulcher Malware's installation exploit uses an Equation Editor vulnerability with prior connections to Royal Road, a document-weaponizing tool associated with Chinese hacking groups.
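The RTF lures described above carry the exploit as an embedded OLE object, so a mail gateway or analyst can triage an attachment before anyone opens it by pulling out every embedded object and checking its class. The script below is an added example (not code from the original article or from any vendor it mentions) that does exactly that: it finds each `\object` group in an RTF, reads the declared `\objclass`, and independently recovers the class name from the OLE1 header inside the hex `\objdata` blob, because a lure can omit or mangle the declared name while the header still has to parse for Equation Editor to load it. The watchlist, the sample RTF strings and the helper that builds a header-only OLE1 blob for them are all constructed for the example.

```python
import re
import struct
from typing import List, Optional

# Object class prefixes that should send an inbound RTF to quarantine. The
# Equation Editor ProgID (Equation.3) is the one the Equation-Editor exploits
# embed; extend the tuple for other classes an organisation never expects in mail.
SUSPECT_CLASS_PREFIXES = ("equation",)

# One RTF embedded object: the control words between \object and \objdata,
# then the hex-encoded OLE1 blob up to the closing brace.
OBJECT_RE = re.compile(r"\\object(.*?)\\objdata\s*([0-9a-fA-F\s]+)\}", re.S)
OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}]+)")


def ole1_class_name(blob: bytes) -> Optional[str]:
    """Read the class name from an OLE1 object header: version (4 bytes),
    format id (4), class-name length (4), then the NUL-terminated name."""
    if len(blob) < 12:
        return None
    _version, _format_id, name_len = struct.unpack_from("<III", blob, 0)
    if name_len == 0 or name_len > 256 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("ascii", "replace")


def find_embedded_objects(rtf: str) -> List[dict]:
    """Return one record per embedded object with the declared \\objclass (if
    any) and the class name recovered from the OLE1 header."""
    objects = []
    for match in OBJECT_RE.finditer(rtf):
        header, hexdata = match.groups()
        declared = OBJCLASS_RE.search(header)
        blob = bytes.fromhex(re.sub(r"\s+", "", hexdata))
        objects.append({
            "declared_class": declared.group(1).strip() if declared else None,
            "ole1_class": ole1_class_name(blob),
            "size": len(blob),
        })
    return objects


def suspicious_objects(rtf: str) -> List[str]:
    """Class names (declared or from the header) that hit the watchlist."""
    hits = []
    for obj in find_embedded_objects(rtf):
        for name in (obj["declared_class"], obj["ole1_class"]):
            if name and name.lower().startswith(SUSPECT_CLASS_PREFIXES):
                hits.append(name)
                break
    return hits


def _ole1_blob(class_name: str) -> str:
    """Constructed test data: a hex OLE1 header with no native payload."""
    name = class_name.encode() + b"\x00"
    return (struct.pack("<III", 0x501, 2, len(name)) + name
            + struct.pack("<III", 0, 0, 0)).hex()


# Constructed samples: a lure-style document, a clean document embedding a
# spreadsheet, and a lure with the declared class stripped.
SAMPLE_LURE = (r"{\rtf1\ansi Guidelines attached. {\object\objemb{\*\objclass Equation.3}"
               r"{\*\objdata " + _ole1_blob("Equation.3") + "}}}")
SAMPLE_CLEAN = (r"{\rtf1\ansi Minutes. {\object\objemb{\*\objclass Excel.Sheet.12}"
                r"{\*\objdata " + _ole1_blob("Excel.Sheet.12") + "}}}")
SAMPLE_UNDECLARED = (r"{\rtf1\ansi See attached. {\object\objemb{\*\objdata "
                     + _ole1_blob("Equation.3") + "}}}")

if __name__ == "__main__":
    for label, doc in [("lure", SAMPLE_LURE), ("clean", SAMPLE_CLEAN),
                       ("undeclared", SAMPLE_UNDECLARED)]:
        print(label, suspicious_objects(doc))
```

Feeding a real attachment means reading it as text (RTF is 7-bit ASCII by design) and passing the string to `suspicious_objects`; a non-empty result is a reason to hold the message rather than proof of exploitation, since legitimate documents with old equations also embed Equation.3.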

The Sepulcher Malware is a traditional RAT or Remote Access Trojan. After the installation, it positions itself as a tool for attackers cementing their control over the Windows computer, by the following means:

  • The Sepulcher Malware supports a reverse shell that accepts CMD commands from attackers for modifying the system.
  • The Sepulcher Malware can read file data or write to files.
  • It can collect information, including retrieving statistics of interest to attackers, such as file or directory information and identifying any active processes or services.
  • The Sepulcher Malware can delete both services (potentially shutting down interfering security tools) and files, and can wipe the Recycle Bin so that the deletions are harder to recover.
  • The Trojan also can control which programs are open by terminating their processes.

Naturally, the software is background-persistent, with a Scheduled Task-based hourly renewal of the persistence.
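A Scheduled Task that re-establishes persistence every hour leaves a durable artifact: the task definition XML. The script below is an added example (not code from the original article) that parses such definitions and flags the combination of a short repetition interval and an executable launched from a user-writable directory. The namespace is Task Scheduler's own; the user-writable path list, the sample task definitions and the hypothetical vendor updater path are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Task Scheduler's XML namespace, present in every task definition.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to; legitimate updaters usually
# run from Program Files or System32 instead. Constructed list, extend as needed.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)

# ISO 8601 durations as written in <Interval>: P1D, PT1H, PT30M, P1DT2H30M ...
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(value: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration to seconds."""
    m = DURATION_RE.match(value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def load_task_xml(raw: bytes) -> str:
    """Decode a task file as stored under C:\\Windows\\System32\\Tasks (UTF-16
    with BOM) or as printed by `schtasks /query /xml`, and drop the XML
    declaration so ElementTree accepts the text whatever encoding it named."""
    utf16 = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    text = raw.decode("utf-16") if utf16 else raw.decode("utf-8")
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text)


def task_findings(xml_text: str, max_interval: int = 3600) -> List[str]:
    """Findings for one task: every repetition interval at or under
    max_interval seconds, and every Exec command in a user-writable path."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iterfind(".//t:Repetition/t:Interval", NS):
        secs = duration_seconds(elem.text or "")
        if secs <= max_interval:
            findings.append(f"repeats every {secs // 60} min")
    for elem in root.iterfind(".//t:Exec/t:Command", NS):
        cmd = elem.text or ""
        if USER_WRITABLE.search(cmd):
            findings.append(f"runs from user-writable path: {cmd}")
    return findings


def is_suspicious(xml_text: str) -> bool:
    """True only when both traits coincide: frequent repetition and a binary
    outside the protected program directories."""
    findings = task_findings(xml_text)
    return (any(f.startswith("repeats") for f in findings)
            and any(f.startswith("runs from") for f in findings))


# Constructed sample: hourly re-run of a binary dropped into AppData.
SAMPLE_PERSISTENCE = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\update.exe</Command></Exec>
  </Actions>
</Task>
"""

# Constructed sample: a daily vendor updater (hypothetical path) with no repetition.
SAMPLE_VENDOR = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2020-09-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for label, xml in [("persistence", SAMPLE_PERSISTENCE), ("vendor", SAMPLE_VENDOR)]:
        print(label, is_suspicious(xml), task_findings(xml))
```

To run it over a live host, read each file under C:\Windows\System32\Tasks as bytes, pass it through `load_task_xml`, and review every task `is_suspicious` returns true for; the raw `task_findings` list is the better output for a hunt, since a frequent task from a user-writable path is common enough in legitimate software that an analyst still has to look at the binary.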

Burying Trojan Spies Back Where They Belong

Various facets of the Sepulcher Malware's campaign tie back to years of previous Chinese hacker operations: the unusual re-use of an e-mail account mimicking a Tibetan activist, shared domains (for instance, ones connecting to the LuckyCat Android RAT), and document-weaponizing tools like Royal Road. The e-mail recycling is possibly a communication error between related groups of threat actors during a reorganization of hacking groups to take advantage of the COVID-19 crisis. While the Sepulcher Malware is a threat first identified this year, it also has unmistakable similarities to other RATs and backdoor Trojans weaponized by other China-based hackers.

Users should update their Microsoft Office software as a precaution, which removes many of the vulnerabilities that attackers use to install Trojans. Disabling macros and other 'advanced' content also should be the default when viewing any file that isn't implicitly trustworthy. Windows users also can scan downloads with threat-detecting solutions for any embedded threats, including the Sepulcher Malware's dropper.

All anti-malware products should be as up-to-date as possible for countering any updates or revisions to this threat. Ideally, they'll identify and remove the Sepulcher Malware before it can collect any information or compromise any connected networks.

The Sepulcher Malware is a story that's all-too-common: political conflicts leaking over into software environments, with a paper-thin disguise. While staying informed on epidemics is useful for anyone, one shouldn't rush to open documents that could hide RATs.
