Twisted Panda in action against Russia
Chinese state-sponsored hackers are believed to have attacked Russian defense research organizations with malware, as part of a long-running espionage campaign.
Check Point Software researchers attributed the campaign with high confidence to a Chinese threat actor, which they have named Twisted Panda.
Twisted Panda has been targeting a holding company within the Russian state-owned Rostec Corporation since at least June 2021. The latest activity was in April 2022
Check Point said the Rostec defense institutes were subject to spear-phishing campaigns that sought to exploit the severe sanctions placed on Russia by Western nations.
Malicious emails sent to the defense research organizations carried links to an attacker-controlled site that spoofed the Health Ministry of Russia, and a malicious Word document attachment.
The subject of the emails was “List of [target institution] persons under US sanctions for invading Ukraine”.
Another email with a document also purporting to be from the Russian Ministry of Health was sent to an unknown entity in the Belarus capital Minsk.
Downloading the malicious document drops a sophisticated loader that not only hides its functionality but also avoids detection of suspicious API calls by dynamically resolving them with name hashing.
By using DLL sideloading, which Check Point noted is “a favorite evasion technique used by multiple Chinese actors,” the malware evades anti-virus tools. The researchers cited PlugX malware, used by Mustang Panda, and a more recent APT10 global espionage campaign that used the VLC player for side-loading.
The main payload is a previously undocumented Spinner backdoor, which uses two types of obfuscations. And while the backdoor is new, the researchers noted that the obfuscation methods have been used together in earlier samples attributed to Stone Panda and Mustang Panda. These are control-flow flattening, which makes the code flow non-linear and opaque predicates, which ultimately causes the binary to perform needless calculations.
Twisted Panda’s target specializes in electronic warfare systems, military radio equipment, and air-based radar stations.
Indicators Of Compromisse