Newly discovered cyber weapon uses elaborate multi-stage infection-chain to make detection and analysis difficult
Researchers have discovered a new cyber espionage weapon they believe was developed and is used by a China-based APT group they have named SharpPanda. A previously unknown Windows backdoor enables remote access and the collection of considerable live data – but only during Chinese working hours.
An ongoing campaign is targeting the Ministry of Foreign Affairs in a Southeast Asian country. It starts with the spear-phishing email delivery of a weaponized document – although in one sense it starts earlier with the attackers stealing genuine documents from another department in the same government to add authenticity to the real campaign.
The documents are weaponized using the RoyalRoad RTF exploit kit, and then sent in a spear-phishing campaign to multiple targets within the Ministry of Foreign Affairs. Researchers from Check Point Research (CPR) report that opening the attachment starts a chain of in-memory loaders leading to the delivery of the previously unknown backdoor.
The weaponized document includes embedded objects that exploit the Equation Editor vulnerabilities in MS Word (which, although old and long since patched, remain popular with Chinese APT groups) to obtain the backdoor’s downloader. This is the beginning of an elaborate multi-stage infection chain that seeks to make detection and analysis difficult.
The initial downloader acquired via the exploit starts with a common anti-sandboxing technique based on the Sleep function. It then gathers data on the victim’s PC and queries WMI for anti-virus information. This data is encrypted with RC4, encoded with base64, and sent to the C2 server in an HTTP GET request.
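For an analyst who has a packet capture of that first beacon, the practical task is reversing the two layers the page names: strip the base64 from the GET parameter, then RC4-decrypt the result. The following is an added example, not code from CPR or from the malware; the RC4 key, the parameter name `data`, the `k=v|k=v` layout of the victim profile and the C2 hostname are all constructed assumptions, since the page gives none of them. The `build_sample_url` helper exists only to manufacture a sample URL so the decoder can be exercised offline.

```python
import base64
from urllib.parse import parse_qs, quote, urlparse

# Constructed key for the sample below; the real key is not on the page.
SAMPLE_KEY = b"example-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The cipher is symmetric, so one routine both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation (PRGA) + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_beacon(url: str, key: bytes, param: str = "data") -> dict:
    """Take a captured GET URL, pull out the encoded parameter (name assumed),
    undo base64 then RC4, and split the recovered 'k=v|k=v' profile into a dict."""
    query = parse_qs(urlparse(url).query)
    blob = base64.b64decode(query[param][0])
    plain = rc4(key, blob).decode("utf-8", errors="replace")
    return dict(field.split("=", 1) for field in plain.split("|") if "=" in field)


def build_sample_url(profile: dict, key: bytes) -> str:
    """Constructed test input only: produces a GET URL shaped like the beacon the
    page describes (RC4, then base64, then a query parameter) so the decoder can run offline."""
    plain = "|".join(f"{k}={v}" for k, v in profile.items()).encode()
    blob = base64.b64encode(rc4(key, plain)).decode()
    return "http://c2.invalid/update?data=" + quote(blob, safe="")


# Constructed victim profile standing in for the host and WMI anti-virus data the page mentions.
SAMPLE_PROFILE = {"host": "WS-017", "user": "analyst", "os": "10.0.19041", "av": "Windows Defender"}
SAMPLE_URL = build_sample_url(SAMPLE_PROFILE, SAMPLE_KEY)

if __name__ == "__main__":
    print("captured:", SAMPLE_URL)
    print("decoded: ", decode_beacon(SAMPLE_URL, SAMPLE_KEY))
```

The `rc4` routine is checked against the standard published test vector (key `Key`, plaintext `Plaintext`) before it is trusted on the sample; when the key is unknown, the same decoder is what you run candidate keys through, looking for output that parses cleanly into the expected fields.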
If the attacker decides that the victim is of interest, the next stage executable is returned in the same manner. This executable loads the decrypted DLL to memory, starts its execution from the StartW export function and notifies the server about the result of the operation.
The downloader obtains and executes a further loader from the C2 server, which in turn communicates with the C2 and executes the backdoor. The backdoor can obtain process and service information, capture screenshots, pipe read/write commands through cmd.exe, create or terminate processes, obtain PC information, shut down the PC and more. A full list of its commands is available in the report. The backdoor has the internal name ‘VictoryDll_x86.dll’.
It has been in development since 2017. CPR discovered what appear to be early versions of the backdoor submitted to VirusTotal in 2018. Although found to be test versions of the current VictoryDll backdoor, they were originally named by the author ‘MClient’ and appear to be part of a project internally called ‘SharpM’. The latter name may be the reason behind CPR at least temporarily naming the actors behind the malware as SharpPanda.
Over time the attack has been broken into multiple stages to hinder detection and analysis.
“All the evidence points to the fact that we are dealing with a highly-organized operation that placed significant effort into remaining under the radar,” comments Lotem Finkelsteen, head of threat intelligence at Check Point Software. “Every few weeks, the attackers used spear-phishing emails, laced with weaponized versions of government-themed documents, to try and create a foothold into the Ministry of Foreign Affairs of the target country. This means that the attackers first had to attack another department within the targeted state, stealing and weaponizing documents for use against the Ministry of Foreign Affairs. All in all, the attackers, who we believe to be a Chinese threat group, were very systematic in their approach.”
Arguments for attributing the source to a China-based group include the use of the RoyalRoad weaponizer, the activity of the C2 servers being limited to Chinese working hours, a cessation of operations between May 1, 2021 and May 5, 2021 (the Chinese Labor Day holiday), and the discovery of some test versions of the malware containing internet connectivity checks with Baidu.
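Two of those arguments, the working-hours pattern and the holiday pause, are things a defender can test on their own C2 telemetry rather than take on trust. The following is an added example, not CPR's code or data: the timestamps are constructed, the 09:00 to 18:00 Monday to Friday window is an assumed definition of "working hours", and UTC+8 is used for China Standard Time. The interesting comparison is how the same timestamps score when interpreted in UTC versus UTC+8, and where the longest silence falls.

```python
from datetime import datetime, timedelta, timezone

# Constructed C2 contact times in UTC, standing in for observed server activity.
# They are not the report's data. Chosen to cluster in UTC+8 office hours and to
# leave a gap over the May 1 to May 5 holiday that the page describes.
EVENTS_UTC = [
    datetime(2021, 4, 28, 1, 30, tzinfo=timezone.utc),   # 09:30 Wed in UTC+8
    datetime(2021, 4, 28, 6, 15, tzinfo=timezone.utc),   # 14:15 Wed
    datetime(2021, 4, 29, 2, 0, tzinfo=timezone.utc),    # 10:00 Thu
    datetime(2021, 4, 29, 9, 45, tzinfo=timezone.utc),   # 17:45 Thu
    datetime(2021, 4, 30, 3, 20, tzinfo=timezone.utc),   # 11:20 Fri
    datetime(2021, 5, 6, 1, 5, tzinfo=timezone.utc),     # 09:05 Thu, after the holiday
    datetime(2021, 5, 6, 8, 50, tzinfo=timezone.utc),    # 16:50 Thu
    datetime(2021, 5, 7, 0, 30, tzinfo=timezone.utc),    # 08:30 Fri, before office hours
    datetime(2021, 5, 8, 4, 0, tzinfo=timezone.utc),     # 12:00 Sat, weekend
]


def in_working_hours(ts: datetime, tz_offset_hours: int, start: int = 9, end: int = 18) -> bool:
    """Assumed working window: Monday to Friday, start <= hour < end, in the given UTC offset."""
    local = ts.astimezone(timezone(timedelta(hours=tz_offset_hours)))
    return local.weekday() < 5 and start <= local.hour < end


def working_hours_ratio(events, tz_offset_hours: int, start: int = 9, end: int = 18) -> float:
    """Fraction of events that land inside the working window for a candidate time zone."""
    hits = sum(in_working_hours(e, tz_offset_hours, start, end) for e in events)
    return hits / len(events)


def hour_histogram(events, tz_offset_hours: int) -> dict:
    """Count of events per local hour; a tight daytime cluster is the visual form of the argument."""
    tz = timezone(timedelta(hours=tz_offset_hours))
    counts = {}
    for e in events:
        hour = e.astimezone(tz).hour
        counts[hour] = counts.get(hour, 0) + 1
    return dict(sorted(counts.items()))


def longest_silence(events):
    """Return (last event before, first event after, duration) of the longest gap in activity."""
    ordered = sorted(events)
    before, after = max(zip(ordered, ordered[1:]), key=lambda pair: pair[1] - pair[0])
    return before, after, after - before


if __name__ == "__main__":
    for offset in (0, 8):
        print(f"UTC{offset:+d}: {working_hours_ratio(EVENTS_UTC, offset):.0%} of contacts in office hours,",
              "by hour:", hour_histogram(EVENTS_UTC, offset))
    before, after, gap = longest_silence(EVENTS_UTC)
    print(f"longest silence: {gap} from {before.date()} to {after.date()}")
```

On real data the ratio alone is weak evidence, since any single offset can be made to look plausible by choosing the window; the page's argument is stronger because three independent signals (office hours, a holiday-shaped gap, and the Baidu connectivity checks in test builds) point the same way.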
“Ultimately, our investigation led to the discovery of a new Windows backdoor, in other words a new cyber espionage weapon, that the Chinese threat group has been developing since 2017,” continued Finkelsteen. “The backdoor was formed and reformed time and time again over the course of three years, before it was used in the wild. This backdoor is far more intrusive and capable of collecting a vast amount of data from an infected computer. We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage.”
In theory, warn the researchers, the plug-in architecture of the attack means that the attackers could use the process to download and install any other module in addition to the VictoryDll backdoor, and the attack process could be used anywhere in the world.
A list of IOCs including documents and executables is available in the report. Three C&C servers are noted as: