A China-based advanced persistent threat (APT) group known as Space Pirates conducted a cyber-espionage campaign targeting Russian IT organizations during the summer of 2023. The operation focused on companies providing services and software to Russian government entities, according to researchers at Positive Technologies who identified the attacks.
The primary goal of the campaign was intelligence gathering. The attackers deployed a previously unknown backdoor named Deed RAT, which is also tracked as HelloBot, to infiltrate and maintain access to victim networks.
Phishing Lures and Initial Infection
The initial infection vector for the Space Pirates campaign involved targeted phishing emails. These emails contained malicious documents designed to trick recipients into opening them. Upon opening, the documents utilized a remote template injection technique to download the next stage of the malware payload from a remote server.
Once executed, the Deed RAT malware establishes a foothold on the compromised system, allowing the attackers to perform reconnaissance, exfiltrate data, and execute further commands on the network.
Advanced Evasion and Defense Disablement
The Deed RAT backdoor employs sophisticated techniques to evade detection by security software. One notable method concerns its communications: the malware injects itself into the memory of the legitimate Windows Update client process, wuauclt.exe, and talks to its command-and-control (C2) server from there, so the malicious traffic appears to be legitimate system activity.
Furthermore, the threat actors utilized a “bring your own vulnerable driver” (BYOVD) technique to disable endpoint security products. The campaign deployed a legitimate, but vulnerable, driver named zam64.sys, which belongs to Zemana AntiMalware. By exploiting this driver, the attackers could terminate the processes of installed security solutions, effectively blinding them to the ongoing intrusion.
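As an added defender-side example (not code from Positive Technologies' report), the following triage script flags the two behaviours described above, C2 traffic from an injected wuauclt.exe and the loading of the vulnerable zam64.sys driver, over constructed Sysmon-style events; the allow-list of update hostnames and the event field names are assumptions to tune for your own telemetry.

```python
from typing import Iterable

# Driver name comes from the article; a production deny list (e.g. a LOLDrivers export) is larger.
VULNERABLE_DRIVERS = {"zam64.sys"}
# Assumed allow-list of hostnames wuauclt.exe is expected to reach; tune to your environment.
EXPECTED_UPDATE_SUFFIXES = (".microsoft.com", ".windowsupdate.com")
WU_CLIENT = "wuauclt.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(event: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one Sysmon-style event."""
    findings = []
    eid = event.get("EventID")
    if eid == 6 and basename(event.get("ImageLoaded", "")) in VULNERABLE_DRIVERS:
        # Sysmon 6 = driver loaded. BYOVD drivers carry a valid signature,
        # so match on name/hash, not on the signer.
        findings.append(("byovd_driver_load", event["ImageLoaded"]))
    elif eid == 3 and basename(event.get("Image", "")) == WU_CLIENT:
        # Sysmon 3 = network connection. The update client reaching anything outside
        # the update infrastructure (or a bare IP with no resolved name) is the C2 pattern here.
        host = event.get("DestinationHostname", "")
        if not host.endswith(EXPECTED_UPDATE_SUFFIXES):
            findings.append(("wuauclt_suspicious_egress", host or event.get("DestinationIp", "?")))
    elif eid == 8 and basename(event.get("TargetImage", "")) == WU_CLIENT:
        # Sysmon 8 = CreateRemoteThread. Nothing legitimate should inject into the update client.
        findings.append(("wuauclt_injection", event.get("SourceImage", "?")))
    return findings


def triage(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Run detect() over a stream of events and collect every finding."""
    return [f for e in events for f in detect(e)]


# Constructed sample telemetry; the IP is a documentation address (RFC 5737), not an IoC.
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\zam64.sys", "Signed": "true"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wuauclt.exe", "DestinationHostname": "update.microsoft.com"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wuauclt.exe", "DestinationIp": "203.0.113.45"},
    {"EventID": 8, "SourceImage": r"C:\Users\u\AppData\Local\Temp\stage2.exe", "TargetImage": r"C:\Windows\System32\wuauclt.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Legitimate Windows Update traffic to Microsoft hosts passes through untouched, while the injected-process egress and the driver load each produce a separate finding that can be correlated by host.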