G20 Nations Face Cyber Threats from Chinese APT Group
Category: Threat Actor Activity | Industry: Government | Source: Cyble
A Chinese APT group tracked as SharpPanda was observed targeting government entities in the G20 nations. Researchers from Cyble Research and Intelligence Labs (CRIL) published a report updating the group's latest activity, which has increased significantly since the group was first tracked in 2018. Spearphishing is identified as the primary initial access technique, used in "combination with outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware. This backdoor enables Threat Actors (TAs) to exfiltrate system information, files, and other sensitive data from the targeted victim’s machine," said Cyble.
Lures in the most recent SharpPanda campaign were weaponized RTF files disguised as G7 documents. When a victim opened the malicious document, the RTF dropped the next-stage payload onto the host. The RoyalRoad tool (also known as the 8.t RTF Weaponizer), which is itself associated with Chinese nation-state actors, is linked to the creation of the malicious RTF file. "RoyalRoad leverages a specific set of vulnerabilities, including CVE-2018-0802, CVE-2018-0798, and CVE-2017-11882, within the Equation Editor of Microsoft Office." All three were patched in late 2017 and early 2018, and Microsoft removed the Equation Editor component (EQNEDT32.EXE) in January 2018, so the chain only works on Office installations that are years behind on updates. After the RTF drops the next-stage DLL payload, persistence is established through a scheduled task. Rundll32 is then used to execute the DLL, which gathers system data from the infected host. That data is sent to the attacker's C2 server, and a final payload is delivered if the attackers judge the host to be a desirable target. The backdoor supports SharpPanda's objectives of espionage, data collection, and potential service disruption.
- Infection Chain with Equation Editor
Anvilogic Use Cases:
- Abuse EQNEDT32.EXE
- Create/Modify Schtasks
- Executable Process from Suspicious Folder
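The chain described above (Office loads EQNEDT32.EXE, the exploit drops a DLL, a scheduled task is registered, rundll32 runs the DLL from a user-writable folder) maps directly onto the three use cases listed. The following is an added example of that detection logic, written for this summary; it is not Cyble's or Anvilogic's code. It evaluates constructed process-creation events in a Sysmon Event ID 1 shape (ParentImage, Image, CommandLine); the field names, the rule names, and the list of "suspicious" user-writable directories are assumptions to be tuned per environment, and the sample events are made up.

```python
"""Detection sketch for the RTF -> EQNEDT32.EXE -> DLL -> schtasks -> rundll32 chain.

Added example, not the report's or vendor's code. Event dicts mimic Sysmon
Event ID 1 fields; SAMPLE_EVENTS below are constructed, not real telemetry.
"""
import re

# User-writable locations where dropped payloads usually land (assumption: tune per estate).
SUSPICIOUS_DIR = re.compile(
    r"\\(appdata\\(local|roaming)|temp|programdata|users\\public)\\", re.I
)
EQNEDT32 = re.compile(r"\\eqnedt32\.exe$", re.I)
OFFICE_APP = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SCHTASKS = re.compile(r"\\schtasks\.exe$", re.I)
RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.I)
TASK_WRITE = re.compile(r"/(create|change)\b", re.I)


def abuse_eqnedt32(ev):
    """Equation Editor was removed by Microsoft in January 2018, so an Office
    process launching it, or EQNEDT32.EXE spawning any child, is alert-worthy."""
    image, parent = ev["Image"], ev["ParentImage"]
    return bool(
        EQNEDT32.search(parent) or (OFFICE_APP.search(parent) and EQNEDT32.search(image))
    )


def create_modify_schtasks(ev):
    """schtasks /create or /change whose action points at rundll32 or a user-writable folder."""
    if not SCHTASKS.search(ev["Image"]):
        return False
    cl = ev["CommandLine"]
    return bool(
        TASK_WRITE.search(cl) and (SUSPICIOUS_DIR.search(cl) or re.search(r"rundll32", cl, re.I))
    )


def executable_from_suspicious_folder(ev):
    """Process image in a user-writable folder, or rundll32 loading a DLL from one."""
    if SUSPICIOUS_DIR.search(ev["Image"]):
        return True
    return bool(RUNDLL32.search(ev["Image"]) and SUSPICIOUS_DIR.search(ev["CommandLine"]))


RULES = {
    "abuse_eqnedt32": abuse_eqnedt32,
    "create_modify_schtasks": create_modify_schtasks,
    "executable_from_suspicious_folder": executable_from_suspicious_folder,
}


def evaluate(ev):
    """Names of all rules that fire on one event, sorted for stable output."""
    return sorted(name for name, fn in RULES.items() if fn(ev))


def scan(events):
    """(index, matched rule names) for every event that triggers at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        matched = evaluate(ev)
        if matched:
            hits.append((i, matched))
    return hits


EQN = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
SAMPLE_EVENTS = [  # constructed events following the chain in the text
    # Word parses the malicious RTF and loads the retired Equation Editor
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": EQN, "CommandLine": f'"{EQN}" -Embedding'},
    # Shellcode inside EQNEDT32 registers the dropped DLL as a scheduled task
    {"ParentImage": EQN, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "OfficeUpdate" /tr "rundll32.exe '
                    r'C:\Users\victim\AppData\Roaming\update.dll,Start" /sc minute /mo 15'},
    # Task Scheduler later runs the DLL through rundll32
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\victim\AppData\Roaming\update.dll,Start"},
    # Benign noise: ordinary process, a read-only schtasks query, a system-DLL rundll32
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /query /tn "OfficeUpdate"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["Image"], rules)
```

The second sample event fires two rules at once (EQNEDT32 as parent, schtasks pointing into AppData), which is the kind of overlap worth correlating into a single case rather than two tickets. The last three events show why each rule needs its qualifier: schtasks is only interesting when it writes a task, and rundll32 only when the DLL comes from somewhere a phishing payload could have written it.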