Chinese SharpPanda APT developed a new backdoor in the last 3 years

Check Point Research (CPR) said that the Chinese APT group SharpPanda spent three years developing a new backdoor to spy on Asian governments.

Researchers from Check Point Research (CPR) discovered a new backdoor while investigating a cyber espionage campaign conducted by Chinese APT group SharpPanda and aimed at Southeast Asian government’s Ministry of Foreign Affairs.

The attackers use spear-phishing messages and leverage exploits for old Microsoft Office vulnerabilities, along with the chain of in-memory loaders to deliver a previously unknown backdoor on target’s machines.

The spear-phishing messages impersonate departments of the targeted governments.

“Our investigation shows the operation was carried out by what we believe is a Chinese APT group that has been testing and refining the tools in its arsenal for at least 3 years.” reads the analysis published by CheckPoint. “The investigation starts from the campaign of malicious DOCX documents that are sent to different employees of a government entity in Southeast Asia. In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”

Upon opening the bait files, the malicious code loads remote .RTF templates weaponized using a variant of a tool named RoyalRoad, which is commonly used by Chinese APT groups The tool was used by the Chinese threat actors to create weaponized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. Despite the fact that these vulnerabilities are few years old, they are still used by multiple attack groups, and especially popular with Chinese APT groups.

The documents generated by the tool exploit a set of vulnerabilities in Microsoft Word’s Equation Editor, including CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.

All the documents created with the RoyalRoad RTFs include encrypted payload and shellcode. The encrypted payload creates a scheduled task and checks the presence of a sandbox before starting the process to drop the final custom backdoor (VictoryDll_x86.dll).

The backdoor supports multiple functions that allow to spy on the victims and steal sensitive data, including:

Delete/Create/Rename/Read/Write Files and get files attributes
Get processes and services information
Get screenshots
Pipe Read/Write – run commands through cmd.exe
Create/Terminate Process
Get TCP/UDP tables
Get CDROM drives data
Get registry keys info
Get titles of all top-level windows
Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number) and type of user
Shutdown PC

The backdoor sends stolen data back to the C2 that could be used to deliver additional malware. Experts noticed that first-stage C2 servers are hosted in Hong Kong and Malaysia, while the C2 for the final backdoor is hosted by a US provider.

The threat actor operates the C&C servers in a limited daily window (1.00 am — 8.00 am UTC), making it harder to gain access to the advanced parts of the infection chain.

Checkpoint researchers also reported that samples of the threat were uploaded to VirusTotal from China in 2018, they contained connectivity checks with Baidu’s web address, a circumstance that suggests the involvement of China-linked APT. The C2 servers did not return any payload specifically between May 1st and 5^th which is the period when the Labor Day holidays in China took place.

“We unveiled the latest activity of what seems to be a long-running Chinese operation that managed to stay under the radar for more than 3 years. In this campaign, the attackers utilized the set of Microsoft Office exploits and loaders with anti-analysis and anti-debugging techniques to install a previously unknown backdoor.” concludes the report.

“Analyzing the backdoor’s code evolution since its first appearance in the wild showed how it transformed from a single executable to a multi-stage attack, making it harder to detect and investigate.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SharpPanda APT)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.