Chinese APT ‘SharpPanda’ Developed Custom Backdoor to Spy on Asian Governments

  • Chinese hackers use a novel custom-made backdoor to spy on other Asian governments.
  • The actors appear very sophisticated, using numerous obfuscation and anti-analysis techniques.
  • All signs point to this being a state-supported APT group doing cyber espionage as a daily job.

A Chinese APT group dubbed ‘SharpPanda’ has spent the last couple of years developing and refining a custom backdoor that enabled it to conduct sophisticated cyber espionage spying against governments in the Southeast Asian region. This has been discovered only now by Check Point researchers, who were able to identify the activity, mapped the full infection chain, and uncovered the entire set of tricks deployed by SharpPanda.

Source: Check Point

It all starts with the arrival of an email that claims to come from another ministry of the target government. The laced DOCX documents use a remote template function to pull a template from the document using a remote server that the actors control. All that is needed for the threat to unfold is the opening of the file, and an RTF file is fetched. These files contain embedded objects that exploit vulnerabilities in the Equation Editor on MS Word.

Source: Check Point

The final payload and the custom backdoor, in this case, is a DLL file that carries the name “VictoryDll_x86.dll”. This is an entirely custom-made backdoor that has the following capabilities:

  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number), and type of user
  • Shutdown the PC

On the aspect of obfuscation and anti-analysis, the actors have implemented RC4 encryption on the RTF payload, anti-sandboxing techniques on the downloader, base64 encoding on the data packets that come and go, and XOR 32-bit on the loader. Moreover, the loader hides its main functionality and evades detection by dynamically resolving API calls, which is a known and effective method.

In terms of attribution, the RTF exploit noticed in this campaign has been linked with other Chinese APT groups. Also, the C2 servers appeared to be active during working hours in China, between 01:00 and 08:00 UTC. When the Labor Day holiday was on, between May 1 and May 5, no payload was served by the C2, even during working hours. And finally, some early test versions of the backdoor were uploaded to VirusTotal from China.

REVIEW OVERVIEW

Latest

NBCUniversal’s Streaming Platform ‘Peacock’ Is Landing on Amazon’s Fire TV Today

Users of Fire TV devices will finally be able to enjoy ‘Peacock’ content on their Amazon hardware.This has been requested warmly by...

Dell Fixes Multiple BIOS Vulnerabilities Affecting Millions of Its Computers

Tens of millions of Dell computers are vulnerable to arbitrary remote code execution flaws.The problem lies in BIOS components that come as...

Former Executives of French Spyware Firms ‘Nexa’ and ‘Amesys’ Indicted for Aiding Torture

Four former executives of two French spyware firms have been indicted in Paris for aiding torture in Africa.These people were determined to...