The Chinese threat actor SharpPanda APT has been found carrying out a novel cyberespionage campaign using a previously undiscovered backdoor.

Malicious SharpPanda APT’s cyberespionage campaign:

Reportedly, the threat actor SharpPanda APT has been using a previously undetected backdoor in this cyberespionage campaign for the past three years.

According to a recent Check Point Research report, the SharpPanda APT campaign has been targeting systems of a Southeast Asian government's Ministry of Foreign Affairs.

The operators behind SharpPanda APT collect cold data (a term for inactive data that is rarely used or accessed) in addition to harvesting current data from a victim's system on demand.

How does the attack work?

The SharpPanda APT backdoor's attack chain begins with spear-phishing messages carrying specially crafted malicious documents that impersonate official documents from departments within the same government organization.

Once the victim opens one of these documents, it pulls a remote RTF template, and through that template a document built with the Royal Road RTF weaponizer is delivered.

The Royal Road RTF weaponizer is a codebase capable of creating weaponized RTF exploits complete with believable lure content for CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798. This weaponizer has primarily been used by Chinese APT actors in espionage campaigns.
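The remote-template step described above is one a defender can check for at the document level, before any exploit content is reached. The following is an added example, not code from the original article or from Check Point Research: it inspects an Office document's relationship parts for an attachedTemplate relationship whose target is external (an HTTP(S) URL or UNC path), which is how a document is made to fetch a template from elsewhere when opened. The in-memory sample documents and the URL `template.example.invalid` are constructed for the demonstration and are not indicators from the campaign.

```python
import io
import zipfile
from typing import List, Optional
from xml.etree import ElementTree as ET

# OOXML relationship namespaces (standard identifiers, not specific to this campaign).
PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)

# Minimal parts so the constructed zip resembles a .docx closely enough for this check.
_CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)
_SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return every external attachedTemplate target found in the document's .rels parts.

    Word resolves an external target when the document is opened, which is how a
    remote RTF template gets pulled in. A local template has no TargetMode="External"
    (and many documents have no attachedTemplate at all), so those are ignored.
    """
    remote: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_RELS_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                        and rel.get("TargetMode") == "External"):
                    remote.append(rel.get("Target", ""))
    return remote


def is_suspicious_target(target: str) -> bool:
    """A template fetched over HTTP(S), file:// or a UNC share is worth triaging."""
    lowered = target.lower()
    return lowered.startswith(("http://", "https://", "file://", "\\\\"))


def triage(docx_bytes: bytes) -> List[str]:
    """Return the suspicious remote template targets of a document (empty if none)."""
    return [t for t in find_remote_templates(docx_bytes) if is_suspicious_target(t)]


def build_sample_docx(template_target: Optional[str], external: bool = True) -> bytes:
    """Construct a minimal .docx in memory (constructed test data, not a real sample)."""
    rels = ['<?xml version="1.0" encoding="UTF-8"?>',
            '<Relationships xmlns="%s">' % PKG_RELS_NS]
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
                    % (ATTACHED_TEMPLATE_TYPE, template_target, mode))
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("word/settings.xml", _SETTINGS_XML)
        zf.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed placeholder URL; not an indicator from the article.
    lure = build_sample_docx("http://template.example.invalid/lure.rtf")
    print("remote-template document:", triage(lure))            # one hit
    print("local-template document:", triage(build_sample_docx("Normal.dotm", external=False)))
    print("no-template document:", triage(build_sample_docx(None)))
```

The check reads only the zip's relationship parts, so it works on a quarantined attachment without rendering it; a hit is a triage signal rather than a verdict, since legitimate corporate templates are occasionally served from an internal UNC share, which is why `triage` returns the targets for a human or an allow-list to judge.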

The RTF document carries shellcode and an encrypted payload that create a scheduled task. That task then launches a timing-based anti-sandbox check and a downloader for the final backdoor.

The previously undetected backdoor, dropped as the file VictoryDll_x86[.]dll, has numerous capabilities focused on spying operations.

Once active, the backdoor connects to a C2 server, transfers the stolen information, and is subsequently used to deliver supplementary payloads.

The first-stage servers are hosted in Hong Kong and Malaysia, while the backdoor's C2 server is hosted by a U.S. provider.

Undetected for years:

The SharpPanda APT cyberespionage campaign has been running these malicious operations for more than three years without being spotted. Over that time the backdoor has evolved from a single executable into a multi-stage attack, making it more difficult to identify.