In July 2019, Proofpoint reported a new malware campaign named “Operation Lagtime IT.” The campaign is targeting government agencies in East Asia and leveraging malicious RTF documents to deliver multiple payloads, including a new custom malware payload dubbed “Cotx RAT.” Based on observed infrastructure and attacker TTPs, analysts have attributed the campaign to a Chinese APT group tracked as TA428. Follow-on analysis revealed that the second-stage payload contains hardcoded internal IP addresses, suggesting deliberate targeting and the ability of the malware to access internal networks. Static analysis of the malware specimens uncovered a number of additional indicators, including dropper and payload samples and C2s.
Attacker TTPs, including the use of the custom Cotx RAT malware, a complex delivery mechanism, multi-stage payloads, and spear-phishing emails, suggest that the Lagtime campaign is sophisticated and highly targeted, and may be related to other campaigns and threat actor groups. The configurability of the Cotx RAT, as well as its multi-stage delivery mechanism and anti-debugging features, make it likely to be used in future campaigns. Although the motive for the campaign is not known for certain, the targeting of government agencies and the use of RAT malware indicate that this may be a state-sponsored surveillance/reconnaissance campaign.
This report provides technical details on the malware involved in this campaign and the associated infrastructure. The full TLP Amber report, including IOCs and Yara rule mitigations, is available to paid Red Sky Alliance members. Wapack Labs is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org