An ongoing cyberespionage campaign has been discovered that has been linked to the Chinese threat actor, SharpPanda. The attacker has been using a previously unknown backdoor for the campaign for the past three years. This campaign has been targeting the systems of a Southeast Asian government's Ministry of Foreign Affairs.
What has happened?
According to CheckPoint Research, the attackers are interested in stealing cold data, along with gathering information from a target’s personal computer at any moment. This results in what we can call a live espionage attack.
- The infection chain starts with spear-phishing messages carrying weaponized documents, imitating departments in the same government agency as the targeted victim.
- If the targets open these weaponized documents, remote (.RTF) templates are pulled, and Royal Road (an RTF weaponizer) is deployed.
- Royal Road works by abusing a specific set of vulnerabilities—CVE-2018-0798, CVE-2018-0802, and CVE-2017-11882—in Microsoft Office's Equation Editor.
- The RTF document has a shellcode and encrypted payload developed to create a scheduled task. It then launches a time-scanning anti-sandboxing and downloader for the final backdoor.
The new backdoor
The backdoor (dropped as VictoryDll_x86[.]dll file) has a number of functions usually employed by threat actors for spying. Additionally, it exfiltrates information to a C2 server.
- It connects to a C2 to pass the stolen data and consequently, grab and execute other malware payloads. Its first stage C2 servers are hosted in Hong Kong/Malaysia, while the backdoor C2 is hosted by a U.S. provider.
- The backdoor can delete, create, rename, read, and write files. It also is capable of obtaining file attributes, processes, and services information, screenshots, and terminating the process.
This long-running cyberespionage campaign managed to stay under the radar for more than three years. In addition, the backdoor has evolved from a single executable to a multi-stage attack, making it harder to detect. Therefore, organizations are recommended to implement intrusion detection and protection systems to defend against these threats.