This report is an overview of a live espionage and data-exfiltration campaign built on a previously unknown backdoor that stayed under the radar for over three years. The weapon? Spear phishing with official-looking documents aimed at government employees. The target? A Southeast Asian government.
There is medium-to-high confidence that the Chinese APT group “SharpPanda” is behind the threat. This rests in part on the narrow operational window (01:00 to 08:00 UTC) in which the C2 servers returned payloads: those are typical working hours in China, and no payloads were returned between May 1 and 5, which coincides with the country’s observance of Labor Day (International Workers’ Day).
Test versions of the backdoor from 2018 that were uploaded to VirusTotal, together with the actor’s use of the Royal Road RTF weaponizer, further strengthen the suspicion that “SharpPanda” is behind this attack. Check Point Research (cp<r>) is credited with identifying this ongoing surveillance operation.
The spear-phishing messages impersonate other departments of the same government. When a victim opens the attached document, it pulls a remote RTF template that has been weaponized with a version of Royal Road.
That RTF exploits a set of known vulnerabilities in Microsoft Word’s Equation Editor; the exploit then creates a scheduled task that launches the downloader for the backdoor; and the downloaded "VictoryDll_x86.dll" backdoor connects to its C2 server.
The attackers are interested not only in stealing and deleting data but in persistent access to the victim’s device at any given moment. Governments across the globe could be targeted by this kind of live cyber espionage.
The first-stage C2 servers are cloud-hosted in Hong Kong and Malaysia. The backdoor’s C2 server is hosted in the U.S. on Zenlayer (107.148.165.xxx).
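The chain above (Equation Editor exploitation, a scheduled task for the downloader, the VictoryDll_x86.dll backdoor, and beaconing to the 107.148.165.xxx range) maps onto a handful of endpoint detection rules. The following is an added example written for this report, not code from cp<r> or from the threat actor; it runs the rules over constructed Sysmon-style events (EventID 1 process create, 7 image load, 3 network connect). The file paths, task name, loader name and the final octet of the C2 address are invented for the sample; only the /24 and the backdoor DLL name come from the report.

```python
"""Detection checks for the SharpPanda chain over constructed Sysmon-style events."""
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple

C2_NET = ipaddress.ip_network("107.148.165.0/24")  # report gives 107.148.165.xxx
BACKDOOR_DLL = "victorydll_x86.dll"                # backdoor name from the report
EQN_EDITOR = "eqnedt32.exe"                        # Microsoft Equation Editor
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed events, not real telemetry. Paths, task and loader names are invented.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "ts": "2021-06-03T02:14:11Z",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" C:\Users\u\Downloads\Circular.docx'},
    # Equation Editor is an out-of-process OLE server started by DCOM, so its
    # parent is svchost rather than Word. A "Word spawned it" rule misses this;
    # watch what Equation Editor itself spawns instead.
    {"id": 1, "ts": "2021-06-03T02:14:19Z",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'"EQNEDT32.EXE" -Embedding'},
    {"id": 1, "ts": "2021-06-03T02:14:20Z",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'schtasks /create /sc minute /mo 1 /tn Update /tr "rundll32 C:\Users\u\AppData\Local\Temp\loader.dll,Run"'},
    {"id": 7, "ts": "2021-06-03T02:31:04Z",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\VictoryDll_x86.dll"},
    {"id": 3, "ts": "2021-06-03T02:31:05Z",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "107.148.165.200", "DestinationPort": 443},
    # Benign noise that the rules must not flag.
    {"id": 1, "ts": "2021-06-03T09:02:00Z",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc daily /tn Backup /tr C:\Tools\backup.cmd"},
    {"id": 3, "ts": "2021-06-03T09:05:00Z",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(e: Dict) -> List[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits: List[str] = []
    if e["id"] == 1:
        image, parent = _name(e["Image"]), _name(e["ParentImage"])
        cmd = e.get("CommandLine", "").lower()
        if parent == EQN_EDITOR:
            hits.append("equation-editor-child")       # exploit shellcode running
        if image == "schtasks.exe" and "/create" in cmd and parent in OFFICE_APPS | {EQN_EDITOR}:
            hits.append("office-scheduled-task")       # persistence for the downloader
    elif e["id"] == 7 and _name(e["ImageLoaded"]) == BACKDOOR_DLL:
        hits.append("backdoor-dll-loaded")
    elif e["id"] == 3 and ipaddress.ip_address(e["DestinationIp"]) in C2_NET:
        hits.append("c2-range-connection")
    return hits


def scan(events: List[Dict]) -> List[Tuple[int, str]]:
    """(event index, rule name) for every rule hit, in event order."""
    return [(i, h) for i, e in enumerate(events) for h in check_event(e)]


def c2_contact_hours_utc(events: List[Dict]) -> List[int]:
    """Distinct UTC hours at which C2 connections were seen. The report's
    attribution leans on these clustering between 01:00 and 08:00 UTC."""
    hours = {datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
             for e in events if "c2-range-connection" in check_event(e)}
    return sorted(hours)


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    print("C2 contact hours (UTC):", c2_contact_hours_utc(SAMPLE_EVENTS))
```

Only the scheduled-task, DLL-load and C2 events trip a rule; the benign schtasks run from cmd.exe and the browser connection do not. In production the hour-of-day summary should be computed over a much longer window; a single beacon at 02:00 UTC says nothing on its own, which is why the report's confidence is stated as medium-to-high rather than certain.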
The full infection chain is detailed by cp<r> on p. 6 of the Source Link below.
Significant effort went into keeping this backdoor under the radar, including anti-sandboxing and anti-debugging techniques. Because the decoy document appears to originate from the same government the target works for, the lure is likely to succeed more often than one would expect.
Top recommendations: a monitored SIEM, email scanning, strong passwords, up-to-date access control lists, and staying current with software and system upgrades. Encourage employees to report suspicious clicks immediately; that improves escalation and shortens detection and response times. Treating such reports as training moments rather than occasions for punishment is what makes the behavior change stick.
Routine, company-wide training on social engineering, email, and web browsing is highly recommended. Some examples: 1) hover over the sender’s name to reveal the true email address; 2) copy a hyperlink into a browser for review rather than clicking it from inside the email; 3) remember that “rn” can pass for “m” in a domain name; and 4) when in doubt, report the email and/or reach out to your IT help desk.
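The first three training tips are also cheap to automate at the mail gateway or in a SOC triage script. The following is an added example written for this report (not code from cp<r> or from Avertium) that checks a From: header for a display name that hides a different real address, a sender domain that is a lookalike of a trusted one (the “rn” for “m” trick and similar swaps), and HTML links whose visible URL points somewhere other than the href. The trusted domains, sample headers and sample HTML are hypothetical; the report does not name the government’s domains.

```python
"""Phishing triage checks: true sender, lookalike domains, mismatched links."""
import re
from email.utils import parseaddr
from typing import List, Tuple
from urllib.parse import urlparse

# Hypothetical trusted domains; replace with the organization's real ones.
TRUSTED_DOMAINS = {"finance.gov.example", "interior.gov.example"}

# Sequences that look alike in common fonts, mapped to one canonical form.
# Digraphs first so "rn" collapses before single-character swaps run.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Collapse lookalike sequences so 'finance.gov.exarnple' equals 'finance.gov.example'."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


_TRUSTED_SKELETONS = {skeleton(d): d for d in TRUSTED_DOMAINS}


def classify_sender(from_header: str) -> Tuple[str, str]:
    """Return (verdict, real_domain) for an RFC 5322 From: value."""
    display, addr = parseaddr(from_header)      # what the user sees vs the real address
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    twin = _TRUSTED_SKELETONS.get(skeleton(domain))
    if twin:
        return "lookalike-of:" + twin, domain
    # Display name claims a trusted domain while the real address does not.
    if any(t in display.lower() for t in TRUSTED_DOMAINS):
        return "display-name-spoof", domain
    return "external", domain


_ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """(visible_host, real_host) for links whose visible text is a URL on another host."""
    out: List[Tuple[str, str]] = []
    for href, text in _ANCHOR.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if not re.match(r"https?://", text, re.I):
            continue                               # plain words, nothing to compare
        shown, real = urlparse(text).hostname, urlparse(href).hostname
        if shown and real and shown.lower() != real.lower():
            out.append((shown.lower(), real.lower()))
    return out


# Constructed samples for the checks above.
SAMPLE_FROM_HEADERS = [
    "Ministry of Finance <circulars@finance.gov.example>",
    "Ministry of Finance <circulars@finance.gov.exarnple>",          # rn for m
    '"circulars@finance.gov.example" <noreply@mail-relay.example.net>',
    "Vendor <sales@vendor.example.org>",
]
SAMPLE_HTML = (
    "<p>Please review the circular online at "
    '<a href="http://docs-finance-gov.example.net/circular.docx">'
    "https://finance.gov.example/circulars/2021-06</a>.</p>"
)

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        print(classify_sender(hdr), "<-", hdr)
    print("link mismatches:", mismatched_links(SAMPLE_HTML))
```

The skeleton approach is deliberately crude (it only covers ASCII lookalikes, not Unicode homoglyphs such as Cyrillic letters), and the anchor regex is a triage heuristic, not an HTML parser; both are fine for flagging mail for a human to look at, which is the point of the training tips above.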
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report outlines a “top-of-mind” threat and how it ought to be addressed.
This informed analysis is based on the latest data available.