
Researchers discovered a new backdoor while investigating a cyber espionage campaign conducted by Chinese APT group SharpPanda and aimed at Southeast Asian governmentās Ministry of Foreign Affairs.
The attackers use spear-phishing messages and leverage exploits for old Microsoft Office vulnerabilities, along with the chain of in-memory loaders to deliver a previously unknown backdoor on targetās machines.
When bait files are opened , the malicious code loads remote .RTF templates weaponized using a variantĀ of a tool namedĀ RoyalRoad, which isĀ used by Chinese APT groups The tool was used by the Chinese threat actors to create weaponized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. CVE-2017-11882, Ā CVE-2018-0798, andĀ CVE-2018-0802.Ā

Documents created with the RoyalRoad RTFs include encrypted payload and shellcode. The encrypted payload creates a scheduled task and checks the presence of a sandbox before starting the process to drop the final customĀ backdoorĀ (VictoryDll_x86.dll).Ā
The backdoor supports multiple functions that allow to spy on the victims and steal sensitive data, including:
- Delete/Create/Rename/Read/Write Files and get files attributes
- Get processes and services information
- Get screenshots
- Pipe Read/Write ā run commands through cmd.exe
- Create/Terminate Process
- Get TCP/UDP tables
- Get CDROM drives data
- Get registry keys info
- Get titles of all top-level windows
- Get victimās computer information ā computer name, user name, gateway address, adapter data, Windows version
- Type of user
- Shutdown PC
The backdoor sends stolen data back to the C2 that could be used to deliver additional malware. Experts noticed that first-stage C2 servers are hosted in Hong Kong and Malaysia, while the C2 for the final backdoor is hosted by a US provider.
The threat actor operates the C&C servers in a limited daily window, making it harder to gain access to the advanced parts of the infection chain.


