NANHAISHU RATing the South China Sea

Note the intended pun by F-Secure: RATing (RAT = Remote Access Tool).

My takeaway from this F-Secure whitepaper: some preventative controls could have stopped or at least delayed this attack. I say "delayed" because the RAT is capable of receiving and executing additional JScript and VBScript code.

That could have bought the company's or government's security team some time to detect this attack by means of some kind of APT tooling.

The preventative controls I am referring to are:

  • macro settings (block by default, requires a user prompt)
  • block Dynamic DNS on the proxy (why allow this in a business environment?)
  • set fixed IE settings through Active Directory policy.
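
For the Dynamic DNS item, the suffix match a proxy block rule would apply can first be run over existing proxy logs to see which clients already reach such hosts. This is an added example, not taken from the F-Secure whitepaper or the original post; the Squid-style log layout, the suffix list and the log lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Illustrative dynamic DNS zones (assumption; use your proxy vendor's category list).
DDNS_SUFFIXES = {"dyndns.org", "no-ip.org", "duckdns.org"}

# Constructed Squid-style access log lines (not from the whitepaper).
SAMPLE_LOG = """\
1457000001.100 120 10.0.0.15 TCP_MISS/200 5120 GET http://intranet.example.com/home - DIRECT/192.0.2.10 text/html
1457000002.200 310 10.0.0.23 TCP_MISS/200 842 POST http://host1.dyndns.org/index.php - DIRECT/198.51.100.7 text/html
1457000003.300 95 10.0.0.23 TCP_TUNNEL/200 3911 CONNECT Update.DuckDNS.org:443 - DIRECT/198.51.100.9 -
1457000004.400 88 10.0.0.31 TCP_MISS/200 2048 GET http://notdyndns.org/ - DIRECT/203.0.113.5 text/html
garbage line
"""

def request_host(method, target):
    """Return the lower-cased hostname of a proxied request, or None."""
    if method == "CONNECT":
        # CONNECT targets are host:port with no scheme.
        target = "//" + target
    try:
        host = urlsplit(target).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def is_dynamic_dns(host, suffixes=DDNS_SUFFIXES):
    """Match on label boundaries so notdyndns.org does not match dyndns.org."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))

def find_ddns_requests(log_text):
    """Map client IP -> sorted dynamic DNS hosts it requested via the proxy."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # skip malformed lines
        client, method, target = fields[2], fields[5], fields[6]
        host = request_host(method, target)
        if host and is_dynamic_dns(host):
            hits[client].add(host)
    return {client: sorted(hosts) for client, hosts in hits.items()}

if __name__ == "__main__":
    for client, hosts in find_ddns_requests(SAMPLE_LOG).items():
        print(client, hosts)
```

Clients that show up here are the ones to review before the block rule goes live, since a legitimate business use would otherwise break silently.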