
NanHaiShu: RATing the South China Sea

By F-Secure Labs

July 2016


This whitepaper details a malicious program we identify as NanHaiShu. Based on our analysis, the threat actor behind this malware targets government and private-sector organizations. Notable targets of the malware include the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm.

We believe these entities were targeted for their involvement in a dispute centering on the South China Sea. The conflicting territorial claims at the heart of the issue were addressed by an international tribunal on 12th July 2016[1]. Based on the specific selection of organizations targeted for attack by this malware, as well as indications revealed in our technical analysis of the malware itself, we believe the threat actor to be of Chinese origin.

We have seen NanHaiShu samples in the wild for the last couple of years, and as of March 2016 it is still being actively distributed. Technically speaking, the malware is a Remote Access Trojan (RAT) that is spread through spearphishing email messages carrying it as a malicious file attachment. The contents of the email messages include, among other things, industry-specific terms that indicate they were deliberately designed with the specific targets in mind.


The attached file contains a VBA macro that executes an embedded JScript file. It is likely that the threat actor knew the targets use VBA macros in their business environment, since the attack only works if the default security setting in Microsoft Office is modified to allow macro execution.
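The precondition described above can be checked on a workstation. The following PowerShell audit is an added example, not taken from the F-Secure whitepaper: it reads the Office `VBAWarnings` registry value for the current user, from both the Group Policy and the per-user locations, and flags applications set to run all macros. The application list and the output column names are choices made for this example.

```powershell
# Added example: audit Office macro security (VBAWarnings) for the current user.
# VBAWarnings: 1 = enable all macros, 2 = disable with notification (Office default),
#              3 = disable except digitally signed, 4 = disable without notification.
$meaning = @{
    1 = 'Enable all macros'
    2 = 'Disable with notification'
    3 = 'Disable except digitally signed macros'
    4 = 'Disable without notification'
}
$apps  = 'Word', 'Excel', 'PowerPoint'          # applications chosen for this example
$roots = @(
    @{ Source = 'Policy'; Path = 'HKCU:\Software\Policies\Microsoft\Office' },
    @{ Source = 'User';   Path = 'HKCU:\Software\Microsoft\Office' }
)

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root.Path)) { continue }
    # Version subkeys are named like 14.0, 15.0, 16.0
    $versions = Get-ChildItem $root.Path -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' }
    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            $key   = Join-Path $ver.PSPath "$app\Security"
            $value = (Get-ItemProperty -Path $key -Name VBAWarnings `
                        -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -eq $value) { continue }   # not set: Office uses its default
            [pscustomobject]@{
                Source      = $root.Source       # a Policy value overrides the User value
                Version     = $ver.PSChildName
                App         = $app
                VBAWarnings = $value
                Meaning     = $meaning[[int]$value]
                Risky       = ($value -eq 1)
            }
        }
    }
}

$findings | Sort-Object App, Version, Source | Format-Table -AutoSize
if ($findings | Where-Object Risky) {
    Write-Warning 'At least one Office application runs all macros without prompting.'
}
```

An empty result means no value is set in either location, so Office is using its default macro setting.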

Once installed on a machine in the target network, NanHaiShu sends information from the infected machine to a remote command and control (C&C) server.

Download the whitepaper at https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

Related articles:

South China Sea: Facts on the Ground and on the Waters: https://seasresearch.wordpress.com/category/south-china-sea-facts-on-the-ground-and-on-the-waters/

