{
	"id": "64398bf0-ef80-4199-bd62-e1fe90575e43",
	"created_at": "2026-04-06T00:09:58.033996Z",
	"updated_at": "2026-04-10T03:36:37.072526Z",
	"deleted_at": null,
	"sha1_hash": "426bfc6098ee6dcdb42b9a5f8aec0378a00a6ad8",
	"title": "bayworld-event-cyber-attack-against-foreign-trade-industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1112419,
	"plain_text": "bayworld-event-cyber-attack-against-foreign-trade-industry\r\nPublished: 2020-01-19 · Archived: 2026-04-05 17:45:42 UTC\r\nLearn more about 360 Total Security\r\nSince October 2019, 360 Security Center has intercepted multiple cyber attacks against the foreign trade and transportation sectors and several important maritime ports. A joint analysis of these incidents shows that the hacker team behind them is highly professional and has a powerful arsenal. The targets are of extremely high value, so we do not think this is purely individual behavior but rather the work of a professional hacker team or APT organization.\r\nWhen analyzing the organization’s CVE-2017-11882 exploit document, we found that its way of bypassing the shellcode length limitation is similar to the one used by the APT organization TA505. However, the delivered payloads are publicly sold malware such as NanoCore and Formbook, and we did not find any of the malware TA505 has previously used, so we are not sure whether this attack was initiated by TA505.\r\nIn order to facilitate continuous follow-up of the organization, we have named the attack “Bayworld”, and we will continue to track and study further attacks related to it.\r\nAttack target\r\nWe analyzed the machines infected with this series of Trojans and found that the main targets of Bayworld activity are concentrated in large enterprises with import and export business, covering the medical, chemical, construction and various emerging manufacturing industries. Attacks were also launched against major regional transport companies and a number of important maritime ports.\r\nThe attacks are mainly distributed across China, Egypt, Ukraine and other countries. The main targets are the Suez Canal, the Port of Algiers, Yuzhny Sea Port and other important commercial ports. The regional distribution is shown in the following figure:\r\nhttps://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/\r\nPage 1 of 11\r\nDecoy document\r\nWe analyzed the phishing emails related to Bayworld activity dating from August 2019. The malicious document attachments carried in the emails fall mainly into three categories:\r\n1. Contains macro viruses\r\n2. Contains a CVE-2017-8570 exploit\r\n3. Contains a CVE-2017-11882 exploit\r\nThe content of the phishing emails is relatively simple: after a brief exchange of pleasantries, the victim is prompted to open the attached file.\r\nAttachments are usually disguised as purchase orders, payment vouchers, account statements, etc.\r\nCVE-2017-11882\r\nUnlike most previous CVE-2017-11882 exploits, Bayworld embeds the malicious code in xlsx files. When the overflow is triggered, a 30-byte first-stage shellcode dynamically obtains a pointer to the MTEFData structure in memory and uses it to locate the remaining shellcode, thereby bypassing the limit on shellcode length imposed by the vulnerability.\r\nThis method is not new. We found a similar exploitation technique described in a peer vendor’s analysis report on the TA505 hacker organization, but on this point alone we cannot be sure that Bayworld was initiated by TA505.\r\nCVE-2017-8570\r\nThe CVE-2017-8570 exploit document contains two key OLE objects. The first is a Package-type object carrying a malicious scriptlet file (SCT). After the malicious document is opened, the Package object is automatically dropped to the %temp% directory.\r\nThe second is an OLE2Link object, which is used to trigger the SCT script dropped to a random directory. The SCT script then downloads the subsequent payloads.\r\nMalicious macro\r\nIn addition to exploiting vulnerabilities, a large number of macro viruses have also been used in Bayworld activity. The macro code is obfuscated; after multiple rounds of decryption it calls PowerShell to execute the following script:\r\nThe script adds C# code to the current session via Add-Type and executes it:\r\nIt then bypasses AMSI detection by patching AmsiScanBuffer, and finally downloads and executes the payload.\r\nPayload\r\nDuring our analysis of Bayworld activity, we found that many types of payloads are delivered, covering the following mainstream remote-control and spyware families:\r\nIn addition, we also detected a small amount of malware from families such as Ave_Maria and NjRat. These malware families are full-featured: with them the attackers can control the victim’s machine and perform any operation they wish.\r\nConcealment\r\nApart from a few URLs that use IP addresses directly, most of them use dynamic domain names to hide the real server addresses:\r\nSummary\r\nBayworld is a well-targeted and highly professional cyber attack campaign. The hacking gang behind it has a powerful arsenal and diverse attack methods. It uses a large amount of obfuscated code and dynamic domain names throughout the attack process, while its own characteristics are well hidden.\r\n360 Total Security can intercept such cyber attacks in multiple dimensions. Users can install and use it:\r\nSource: https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/"
	],
	"report_names": [
		"bayworld-event-cyber-attack-against-foreign-trade-industry"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775792197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/426bfc6098ee6dcdb42b9a5f8aec0378a00a6ad8.pdf",
		"text": "https://archive.orkl.eu/426bfc6098ee6dcdb42b9a5f8aec0378a00a6ad8.txt",
		"img": "https://archive.orkl.eu/426bfc6098ee6dcdb42b9a5f8aec0378a00a6ad8.jpg"
	}
}