Chinese APT ‘SharpPanda’ Developed Custom Backdoor to Spy on Asian Governments

  • Chinese hackers use a novel custom-made backdoor to spy on other Asian governments.
  • The actors appear very sophisticated, using numerous obfuscation and anti-analysis techniques.
  • All signs point to this being a state-supported APT group doing cyber espionage as a daily job.

A Chinese APT group dubbed ‘SharpPanda’ has spent the last couple of years developing and refining a custom backdoor that enabled it to conduct sophisticated cyber espionage spying against governments in the Southeast Asian region. This has been discovered only now by Check Point researchers, who were able to identify the activity, mapped the full infection chain, and uncovered the entire set of tricks deployed by SharpPanda.

Source: Check Point

It all starts with the arrival of an email that claims to come from another ministry of the target government. The laced DOCX documents use a remote template function to pull a template from the document using a remote server that the actors control. All that is needed for the threat to unfold is the opening of the file, and an RTF file is fetched. These files contain embedded objects that exploit vulnerabilities in the Equation Editor on MS Word.

Source: Check Point

The final payload and the custom backdoor, in this case, is a DLL file that carries the name “VictoryDll_x86.dll”. This is an entirely custom-made backdoor that has the following capabilities:

  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
  • Shutdown the PC

On the aspect of obfuscation and anti-analysis, the actors have implemented RC4 encryption on the RTF payload, anti-sandboxing techniques on the downloader, base64 encoding on the data packets that come and go, and XOR 32-bit on the loader. Moreover, the loader hides its main functionality and evades detection by dynamically resolving API calls, which is a known and effective method.

In terms of attribution, the RTF exploit noticed in this campaign has been linked with other Chinese APT groups. Also, the C2 servers appeared to be active during working hours in China, between 01:00 and 08:00 UTC. When the Labor Day holiday was on, between May 1 and May 5, no payload was served by the C2, even during working hours. And finally, some early test versions of the backdoor were uploaded to VirusTotal from China.

REVIEW OVERVIEW

Latest

Pinelands Regional School District Announced Data Breach

Pinelands Regional School District concluded an investigation about a data breach they had in March this year.The breach happened using then board...

Banking Trojan Targets 100 Organizations in Brazil

A banking trojan from Latin America was found targeting almost 100 Brazilian organizations and individuals.The malware was first noticed in late August...

The Number of Phishing Emails Impersonating Craigslist Is Growing

Craigslist Gsuite & Microsoft users are being targeted with phishing emails that present a fake user login page.These emails rely on brand...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari