This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations. Notable targets of the malware include the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm. We believe these entities were targeted for their involvement in a dispute centering on the South China Sea. The conflicting territorial claims at the heart of the issue were addressed by an international tribunal on 12th July 2016. Based on the specific selection of organizations targeted for attack by this malware, as well as indications revealed in our technical analysis of the malware itself, we believe the threat actor to be of Chinese origin.
We first saw NanHaiShu in the wild a couple of years ago, and as of March 2016 it is still being actively distributed. Technically speaking, the malware is a Remote Access Trojan (RAT) that is spread via spearphishing email messages carrying the malware as a malicious file attachment. The contents of the email messages include, among other things, industry-specific terms that indicate they were deliberately crafted with the specific targets in mind. The attached file contains a VBA macro that executes an embedded JScript file. It is likely that the threat actor knew the targets use VBA macros in their business environment, since the attack only works if the default security setting in Microsoft Office has been modified to allow macro execution. Once installed on a machine in the target network, NanHaiShu sends information from the infected machine to a remote command and control (C&C) server.