Security researchers from Palo Alto Networks published a report on the activities of a hacker group allegedly connected with the Chinese government. According to the report, the group distributes the new Reaver malware through malicious CPL (Control Panel) files.
According to the researchers, this delivery method is rather unusual: only 0.006% of malware samples use it. The method was most popular in 2013-2014 in Brazil, where cybercriminals used it to spread banking Trojans.
Reaver exploits a vulnerability in the Windows Control Panel utility (control.exe). The first version of the malware used HTTP to communicate with its server; in newer versions of Reaver the attackers switched to TCP.
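Because a CPL file is loaded by control.exe (or by rundll32.exe via shell32's Control_RunDLL entry point), one practical detection for this delivery method is to flag those launchers when the CPL path lies outside the Windows system directories. The following is an added example written for this article; it is not code from the Palo Alto Networks report or from the malware. The log lines are constructed, the "timestamp | user | image | command line" format is an assumption about whatever process-creation telemetry is available, and the list of trusted directories is deliberately minimal.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry).
# Format assumed here: "<timestamp> | <user> | <image path> | <command line>"
SAMPLE_EVENTS = [
    "2017-11-03T10:01:12Z | CORP\\alice | C:\\Windows\\System32\\control.exe | control.exe",
    "2017-11-03T10:02:45Z | CORP\\alice | C:\\Windows\\System32\\control.exe | control.exe C:\\Windows\\System32\\timedate.cpl",
    "2017-11-03T10:05:03Z | CORP\\bob | C:\\Windows\\System32\\control.exe | control.exe C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.cpl",
    "2017-11-03T10:06:30Z | CORP\\carol | C:\\Windows\\System32\\rundll32.exe | rundll32.exe shell32.dll,Control_RunDLL C:\\Users\\carol\\Downloads\\report.cpl",
    "2017-11-03T10:07:10Z | CORP\\dave | C:\\Windows\\System32\\rundll32.exe | rundll32.exe shell32.dll,Control_RunDLL C:\\Windows\\System32\\inetcpl.cpl",
]

# Directories where legitimate Control Panel applets normally live.
# Extend this for your own environment (assumption: nothing else is trusted).
TRUSTED_CPL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Matches an absolute Windows path ending in .cpl, quoted or unquoted.
CPL_PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.cpl)"?', re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed log line into its four fields."""
    ts, user, image, cmdline = [part.strip() for part in line.split("|", 3)]
    return {"ts": ts, "user": user, "image": image, "cmdline": cmdline}


def is_cpl_launcher(event: Dict[str, str]) -> bool:
    """True if the process is one of the binaries that load CPL files."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    if image.endswith("\\control.exe"):
        return True
    # rundll32 shell32.dll,Control_RunDLL <file.cpl> is the other common loader.
    return image.endswith("\\rundll32.exe") and "control_rundll" in cmd


def cpl_paths(cmdline: str) -> List[str]:
    """Return every .cpl path referenced on a command line."""
    return [m.group(1) for m in CPL_PATH_RE.finditer(cmdline)]


def is_untrusted_path(path: str) -> bool:
    """A CPL outside the system directories is worth a closer look."""
    return not path.lower().startswith(TRUSTED_CPL_DIRS)


def find_suspicious_cpl_launches(lines: List[str]) -> List[Dict[str, str]]:
    """Return the events where a CPL loader ran an applet from an untrusted path."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_cpl_launcher(event):
            continue
        for path in cpl_paths(event["cmdline"]):
            if is_untrusted_path(path):
                hits.append({**event, "cpl": path})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_cpl_launches(SAMPLE_EVENTS):
        print(f"{hit['ts']} {hit['user']} loaded CPL from untrusted path: {hit['cpl']}")
```

On the constructed sample, only the Temp and Downloads applets are reported; the two applets under System32 and the bare control.exe launch are ignored. Third-party installers do drop legitimate CPL files into Program Files, so in a real deployment the trusted list needs tuning, and a hit is a lead for triage (hash the file, check its signature and origin) rather than a verdict on its own.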
Once on the system, Reaver collects information about it, such as processor performance, computer name, user name, IP address, memory, and Windows version. The malware can also read and write files, modify the registry, create and terminate processes, and modify services.
Researchers link Reaver to the SunOrcal malware, used by hackers allegedly based in China in attacks around the presidential election in Taiwan in January 2016. As the researchers note, the group behind the SunOrcal attacks also uses the Surtr remote access Trojan, which is associated with the HomeKit and Four Element Sword malicious-document builders. The group has been active since at least 2013, and some data point to activity as early as 2010.
Reaver has been used by the hackers since the end of 2016 alongside SunOrcal. Both families were used in cyberattacks in November 2017, but experts do not have precise information about the attackers' goals.