
Cyber Espionage & Data Exfiltration Attack Results from 3-Year Old Backdoor


Executive Summary

This report is an overview of live espionage and data exfiltration carried out through a previously unknown backdoor that stayed under the radar for more than three years. The weapon: spear phishing with official-looking documents sent to government employees. The target: a Southeast Asian government.

Check Point assesses with medium-to-high confidence that a Chinese APT group it tracks as "SharpPanda" is behind the campaign. Part of the basis is the operators' schedule: the C2 servers returned payloads only between 01:00 and 08:00 UTC (09:00 to 16:00 in China, UTC+8), and returned nothing between May 1 and 5, which coincides with China's Labor Day (International Workers' Day) holiday.

Test versions of the backdoor uploaded to VirusTotal in 2018, and the actors' use of the RoyalRoad RTF weaponizer (a builder shared among several Chinese-speaking groups), also support the attribution to "SharpPanda". Check Point Research (cp<r>) is credited with identifying this ongoing surveillance operation.

Tactics, Techniques, and Procedures of the Cyber Espionage Attack

The spear-phishing email impersonates another department of the same government. The attached Word document does not carry the exploit itself: it contains a remote template reference, so when the victim opens it, Word fetches an RTF from the attackers' server. That RTF is built with the RoyalRoad RTF weaponizer.

RoyalRoad exploits a set of memory-corruption vulnerabilities in Microsoft Office's Equation Editor. The exploit drops a downloader (5.t) and creates a scheduled task to run it; the downloader performs anti-sandbox and anti-debugging checks, then fetches a loader, which in turn loads the "VictoryDll_x86.dll" backdoor and connects it to the C2 server.
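The remote-template step above is the one a mail gateway or analyst can check for before Word ever opens the file: a .docx is a zip of XML parts, and a document that pulls a template from elsewhere carries an `attachedTemplate` relationship (normally in `word/_rels/settings.xml.rels`) with `TargetMode="External"` and the fetch location as its `Target`. The following is an added example written for this report, not Check Point's or Avertium's tooling; the sample documents are constructed in memory, and the URL and UNC path in them are placeholders, not the campaign's real infrastructure.

```python
"""Gateway-side check for remote-template injection in Word (.docx) files.

Added example for this report. The sample documents below are constructed
in memory; the template locations in them are placeholders, not real IOCs.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def external_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target in the document (empty if none)."""
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return []  # not an OOXML container (e.g. a legacy .doc or a bare .rtf); out of scope here
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Check every relationship part, not just settings.xml.rels:
            # the relationship type is what matters, not where it was placed.
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append(rel.get("Target", ""))
    return hits


def is_suspicious(docx_bytes: bytes) -> bool:
    """True if any external template would be fetched over the network.

    A file: target may be a benign local corporate template; a template served
    over HTTP(S)/FTP or from a UNC share is how a RoyalRoad-style RTF is pulled in.
    """
    for target in external_templates(docx_bytes):
        if target.startswith("\\\\") or target.startswith("//"):
            return True  # UNC path: Word will reach out over SMB/WebDAV
        if urlparse(target).scheme.lower() in ("http", "https", "ftp"):
            return True
    return False


def build_docx(template_target: Optional[str]) -> bytes:
    """Build a minimal .docx; with template_target set, wire in the external template.

    Constructed test data so the check can be exercised offline; not the real lure.
    """
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    r_ns = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
    settings = f'<w:settings xmlns:w="{w_ns}" xmlns:r="{r_ns}">'
    if template_target:
        settings += '<w:attachedTemplate r:id="rId1"/>'
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", settings)
        if template_target:
            zf.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>",
            )
    return buf.getvalue()


if __name__ == "__main__":
    clean = build_docx(None)
    lure = build_docx("http://template.example.invalid/lure.rtf")  # placeholder URL
    print("clean:", external_templates(clean), is_suspicious(clean))
    print("lure: ", external_templates(lure), is_suspicious(lure))
```

The check deliberately scans every `.rels` part rather than only `settings.xml.rels`, because the relationship type is the thing Word acts on. It catches the template-injection stage only; the RTF that is fetched, and the Equation Editor exploit inside it, still need their own inspection if the document is allowed through.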

The attackers are interested not only in stealing and deleting data but in persistent, on-demand access to the victim's machine. Any government could be the target of this kind of live espionage.

The first-stage C2 servers are cloud-hosted in Hong Kong and Malaysia. The backdoor's C2 server is hosted at U.S.-based Zenlayer (107.148.165.xxx).

cp<r> details the full infection chain in the source report (from p. 6), covering:

  • Sample of persuasive document
  • External template URL
  • RoyalRoad RTF
  • 5.t Downloader
  • The Loader
  • The Backdoor
  • C&C Communication
  • Backdoor Commands
  • Indicators of Compromise (IOCs)
  • MITRE ATT&CK Matrix

Strategic Impact

  • Cyber espionage damages reputations and exposes public and private parties to the consequences of stolen confidential data. When live espionage targets governments, military operations can be affected and lives can be lost; a disruption of government operations can affect infrastructure such as power and energy, water supply, transportation, and roads.
  • The U.S., Russia, and China are considered to be the most advanced, prolific cyber spies.
  • Below are the three main cyber security regulations that mandate U.S. federal agencies to protect their systems and information. (Individual states and other countries should be researched for their separate mandates.)

Our Recommendations

Significant effort went into keeping this backdoor under the radar, including anti-sandboxing and anti-debugging checks in the downloader. Because the decoy document appears to come from the same government the target works for, the lure is likely to be more effective than a generic phish.

Top recommendations: a monitored SIEM, email attachment scanning, strong passwords, up-to-date access control lists, and current software and system patches. Encourage employees to report suspicious clicks immediately; that improves escalation, detection, and response times. Treating a reported click as a training moment rather than a punishable mistake is what makes reporting happen.

Routine, company-wide training on social engineering, email, and web browsing is highly recommended. Some examples: 1) hover over the sender's name to reveal the true email address; 2) copy a hyperlink into a browser for review rather than clicking it inside the email; 3) look for lookalike characters in addresses and domains ("rn" passes for "m" at a glance); and 4) when in doubt, report the email and/or contact the IT help desk.


Supporting Documentation

MITRE Mapping(s)

Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.

This informed analysis is based on the latest data available.
