Twisted Panda: Chinese APT Targets Russian Orgs

Diving into details

• The targeted attack, dubbed Twisted Panda, spied on at least two Russian defense research institutes and another unknown target in Belarus.
• The attacks came in the form of social engineering schemes claiming that the U.S. is reportedly circulating a biological weapon.
• The victims include defense research institutes belonging to Rostec Corporation, Russia’s largest holding company in the radio-electronics industry.

Why this matters

• Check Point believes that this cyberespionage operation has been ongoing since at least June 2021, with the most recent activities witnessed in April 2022.
• The campaign has been attributed to Stone Panda (APT10) and Mustang Panda - both sophisticated and experienced threat actors.
• The adversary leveraged previously undocumented tools, including Spinner - a multi-layered loader and backdoor. The tools have been under active development since March last year and are capable of advanced anti-analysis and evasion tactics.

About Spinner

• It uses control flow flattening to obscure the program flow.
• While Spinner has a complicated code structure, it is just used to itemize infected hosts and run payloads retrieved from a remote server.
• Based on the compilation timestamps of the executables, researchers discovered an earlier strain of the implant, thus, implying that the campaign has been active for quite some time.
• The older Spinner variant does not employ anti-reverse engineering methods. However, it could list and manipulate files, run OS commands, arbitrarily download payloads, and pilfer valuable data - features missing from the newest version.

The bottom line