As the Russia-Ukraine conflict keeps progressing, various threat actors, including APTs, are attempting to leverage the situation to their advantage. Russian entities have become a lucrative target for cyberespionage actors. One such Chinese state-sponsored APT group was found spying on Russian entities.

Diving into details

  • The targeted attack, dubbed Twisted Panda, spied on at least two Russian defense research institutes and another unknown target in Belarus.
  • The attacks came in the form of social engineering schemes claiming that the U.S. is reportedly circulating a biological weapon.
  • The victims include defense research institutes belonging to Rostec Corporation, Russia’s largest holding company in the radio-electronics industry.

Why this matters

  • Check Point believes that this cyberespionage operation has been ongoing since at least June 2021, with the most recent activities witnessed in April 2022.
  • The campaign has been attributed to Stone Panda (APT10) and Mustang Panda - both sophisticated and experienced threat actors.
  • The adversary leveraged previously undocumented tools, including Spinner - a multi-layered loader and backdoor. The tools have been under active development since March last year and are capable of advanced anti-analysis and evasion tactics.

About Spinner

  • It uses control flow flattening to obscure the program flow.
  • While Spinner has a complicated code structure, it is just used to itemize infected hosts and run payloads retrieved from a remote server.
  • Based on the compilation timestamps of the executables, researchers discovered an earlier strain of the implant, implying that the campaign has been active for quite some time.
  • The older Spinner variant does not employ anti-reverse engineering methods. However, it could list and manipulate files, run OS commands, arbitrarily download payloads, and pilfer valuable data - features missing from the newest version.
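The earlier Spinner strain was surfaced by comparing compilation timestamps, so the following added example (written for this page, not code from Check Point or from the Spinner analysis) shows how an analyst pulls the COFF TimeDateStamp out of a PE sample and orders a set of samples by it. The sample names, the timestamps and the minimal PE-like byte strings are all constructed here for illustration; the parser only reads the DOS header's e_lfanew field and the COFF header that follows the PE signature, which is enough for the timestamp. Because this field is attacker-controlled and is routinely zeroed or forged, the example also includes a plausibility check rather than treating the value as ground truth.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Offsets from the PE file format: e_lfanew lives at 0x3C in the DOS header and
# points at the 4-byte "PE\0\0" signature; the 20-byte COFF header follows it,
# with TimeDateStamp at offset 4 inside the COFF header (after Machine and
# NumberOfSections, 2 bytes each).
E_LFANEW_OFFSET = 0x3C
PE_SIGNATURE = b"PE\x00\x00"
COFF_TIMESTAMP_OFFSET = 4


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal byte string with a valid DOS stub pointer and COFF
    header. This is constructed test data, not a real or runnable executable."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2))   # 0x3C bytes
    dos += struct.pack("<I", e_lfanew)                          # e_lfanew field
    dos += b"\x00" * (e_lfanew - len(dos))                      # pad to PE header
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,      # Machine: AMD64
        1,           # NumberOfSections
        timestamp,   # TimeDateStamp (seconds since the Unix epoch)
        0, 0,        # PointerToSymbolTable, NumberOfSymbols
        0xF0,        # SizeOfOptionalHeader
        0x22,        # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    )
    return bytes(dos) + PE_SIGNATURE + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE image: missing PE signature")
    coff_start = e_lfanew + len(PE_SIGNATURE)
    (ts,) = struct.unpack_from("<I", data, coff_start + COFF_TIMESTAMP_OFFSET)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_plausible(ts: datetime, observed: datetime) -> bool:
    """A compile time is only worth using for variant ordering if it is non-zero
    and not later than the time the sample was first seen; anything else is a
    sign the field was zeroed or forged by the author."""
    return ts.timestamp() > 0 and ts <= observed


def order_by_compile_time(samples: Dict[str, bytes]) -> List[Tuple[str, datetime]]:
    """Order samples oldest-first by their embedded compile time, so the earliest
    strain in a cluster stands out for closer comparison."""
    stamped = [(name, pe_compile_time(blob)) for name, blob in samples.items()]
    return sorted(stamped, key=lambda pair: pair[1])


if __name__ == "__main__":
    # Constructed sample set: two fake images with timestamps roughly a year apart.
    corpus = {
        "loader_2022.bin": build_fake_pe(1649000000),   # early April 2022 (constructed)
        "loader_2021.bin": build_fake_pe(1615000000),   # early March 2021 (constructed)
    }
    now = datetime.now(tz=timezone.utc)
    for name, ts in order_by_compile_time(corpus):
        flag = "" if timestamp_plausible(ts, now) else "  (implausible, treat as forged)"
        print(f"{ts.isoformat()}  {name}{flag}")
```

The earliest entry in the ordered list is the one to diff against the newest build; on the page's timeline that is how an older variant with more capabilities but no anti-analysis layer was recognised as the same family. The plausibility check matters because a zero or future timestamp says nothing about lineage and should send the analyst to other evidence (shared code, configuration format, infrastructure) instead.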

The bottom line

Research suggests that in just a year, the threat actors improved the infection chain substantially, making it more intricate. Functionalities of the campaign have been split up into multiple elements, which has made it difficult to detect or analyze every stage. All of this indicates that the threat actors are persistent in achieving their goal of exfiltrating valuable data. Chinese cyberespionage actors are adapting to real-world events very quickly and employing the most relevant lures to amplify their chances of success.

Cyware Publisher