An ongoing cyberespionage campaign attributed to the Chinese threat actor SharpPanda has been discovered. For the past three years the group has been using a previously unknown backdoor in this campaign, which targets the systems of a Southeast Asian government's Ministry of Foreign Affairs.
What has happened?
According to Check Point Research, the attackers are interested both in stealing "cold" data already stored on the victim's machine and in gathering information from the target's personal computer at any given moment, which turns the intrusion into a live espionage operation.
The infection chain starts with spear-phishing emails carrying weaponized documents that imitate correspondence from other departments of the same government agency as the targeted victim.
When a target opens one of these documents, it fetches a remote template: an RTF file built with Royal Road, an RTF weaponizer.
The weaponized RTF carries shellcode and an encrypted payload that together create a scheduled task. That task launches a loader which runs time-based anti-sandboxing checks and then downloads the final backdoor.
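The remote-template fetch described above is the first point in this chain where the attack can be caught before any shellcode runs. The following Python script, added here as an illustration and not code from Check Point Research or from the campaign, inspects a .docx for an attachedTemplate relationship whose target is external, which is how Word is told to pull the template from a URL or UNC path on open. The sample documents it builds, the relationship IDs and the 203.0.113.10 address are all constructed for the example.

```python
from __future__ import annotations

import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# OOXML package-relationship namespace and the relationship type that ties
# word/settings.xml's <w:attachedTemplate> to the file (or URL) Word loads.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list[str]:
    """Return every attachedTemplate target that Word would fetch from outside the file.

    A relationship of type attachedTemplate with TargetMode="External" makes Word
    retrieve the template (RTF, DOTM, ...) from the given URL or UNC path when the
    document is opened; that is the remote-template hop in the chain above.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits  # no settings relationships at all: nothing to pull
        root = ET.fromstring(z.read(RELS_PART))
    for rel in root.iter(f"{{{REL_NS}}}Relationship"):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            hits.append(rel.get("Target", ""))
    return hits


def classify(docx_bytes: bytes) -> dict:
    """Summarise the finding: external targets, and which of them are reached over the network."""
    targets = find_remote_templates(docx_bytes)
    network = [
        t for t in targets
        if urlparse(t).scheme in ("http", "https") or t.startswith("\\\\")  # URL or UNC path
    ]
    return {
        "remote_templates": targets,
        "network_targets": network,
        "verdict": "suspicious" if network else "clean",
    }


def build_sample_docx(template_target: str | None, external: bool = True) -> bytes:
    """Constructed sample: a minimal .docx, optionally carrying an attachedTemplate relationship.

    Not a real campaign document; only the parts needed for the check are present.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        )
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Lure text</w:t></w:r></w:p></w:body></w:document>",
        )
        z.writestr(
            "word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr(
                RELS_PART,
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f"Target={quoteattr(template_target)}{mode}/>"
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    # 203.0.113.0/24 is a documentation range; the URL is constructed for this example.
    lure = build_sample_docx("http://203.0.113.10/templates/report.dotm")
    print(classify(lure))
    print(classify(build_sample_docx("Normal.dotm", external=False)))
```

The check covers only the attachedTemplate route through word/settings.xml; a document can also reach out through other relationship types (for example linked OLE objects or frames), so in a mail gateway this would be one rule among several rather than the whole filter.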
The new backdoor
The backdoor (dropped as VictoryDll_x86[.]dll) implements a set of functions typically used by threat actors for spying, and exfiltrates the collected information to a C2 server.
It connects to the C2 server to hand over the stolen data and, in turn, to fetch and execute further malware payloads. The first-stage C2 servers are hosted in Hong Kong and Malaysia, while the backdoor's own C2 is hosted by a U.S. provider.
The backdoor can delete, create, rename, read, and write files; obtain file attributes; collect information about running processes and services; take screenshots; and terminate processes.
This long-running cyberespionage campaign stayed under the radar for more than three years. Over that time the attack evolved from a single executable into a multi-stage infection chain, which makes it harder to detect at any one point. Organizations are therefore advised to deploy intrusion detection and prevention systems and to monitor for the early stages of such chains, for example Office documents that fetch remote templates.