March 22, 2023

Researchers discovered a new backdoor while investigating a cyber espionage campaign conducted by Chinese APT group SharpPanda and aimed at Southeast Asian government’s Ministry of Foreign Affairs.

The attackers use spear-phishing messages and leverage exploits for old Microsoft Office vulnerabilities, along with the chain of in-memory loaders to deliver a previously unknown backdoor on target’s machines.

When bait files are opened , the malicious code loads remote .RTF templates weaponized using a variant of a tool named RoyalRoad, which is used by Chinese APT groups The tool was used by the Chinese threat actors to create weaponized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. CVE-2017-11882,  CVE-2018-0798, and CVE-2018-0802. 

SharpPanda Chinese APT

Documents created with the RoyalRoad RTFs include encrypted payload and shellcode. The encrypted payload creates a scheduled task and checks the presence of a sandbox before starting the process to drop the final custom backdoor  (VictoryDll_x86.dll). 

The backdoor supports multiple functions that allow to spy on the victims and steal sensitive data, including:

  • Delete/Create/Rename/Read/Write Files and get files attributes
  • Get processes and services information
  • Get screenshots
  • Pipe Read/Write – run commands through cmd.exe
  • Create/Terminate Process
  • Get TCP/UDP tables
  • Get CDROM drives data
  • Get registry keys info
  • Get titles of all top-level windows
  • Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version
  • Type of user
  • Shutdown PC

The backdoor sends stolen data back to the C2 that could be used to deliver additional malware. Experts noticed that first-stage C2 servers are hosted in Hong Kong and Malaysia, while the C2 for the final backdoor is hosted by a US provider. 

The threat actor operates the C&C servers in a limited daily window, making it harder to gain access to the advanced parts of the infection chain.

Leave a Reply

%d bloggers like this: