Dubbed ‘SharpPanda’, this Chinese APT group uses malicious Word docs, .RTF templates, and the RoyalRoad malware to install a powerful backdoor DLL giving them all kinds of access.
Researchers at Check Point Research have identified an ongoing operation that specifically targets an unspecified Southeast Asian government. Using spear-phishing as the initial attack vector, SharpPanda uses a mix of old vulnerabilities, new evasion techniques, and a particularly powerful backdoor DLL to exfiltrate system information, files, and screenshots.
Sent as a legitimate-looking official document attachment, SharpPanda’s malicious document downloads a .RTF template that is weaponized with RoyalRoad, which helps deliver and decrypt the payload. The attackers exploit an older Equation Editor vulnerability, and their loaders include anti-analysis and anti-debugging techniques to avoid detection.
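From the defender's side, the delivery chain above has a reliable host-level tell: the legacy Equation Editor process (EQNEDT32.EXE, the binary behind the old Equation Editor exploits) should never spawn a child process. The following is an added example, not code from Check Point or the post, that runs two such rules over constructed Sysmon-style process-creation events; the binary name, its DCOM launch behaviour and the sample paths are assumptions drawn from general knowledge, not from the SharpPanda report.

```python
import ntpath

# Legacy Equation Editor binary behind the old Office equation exploits the post refers
# to. It runs as an out-of-process COM server, so on Windows its parent is usually
# svchost.exe (DcomLaunch), not WINWORD.EXE; the rules below therefore key on the
# Equation Editor process itself and on what it spawns, not on its parent.
# (General knowledge, not a value taken from the SharpPanda report.)
EQNEDT = "eqnedt32.exe"

def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()

def detect_equation_editor_abuse(events):
    """Scan process-creation events and return a list of findings.

    Each event is a dict with 'pid', 'image', 'parent_image' and 'cmdline'.
    high:   Equation Editor spawned a child process. Rendering an equation never
            launches anything, so this is the strongest exploitation signal.
    medium: Equation Editor was launched at all. Rare on patched estates and worth
            a look when it coincides with a freshly opened e-mail attachment.
    """
    findings = []
    for ev in events:
        child, parent = _image_name(ev["image"]), _image_name(ev["parent_image"])
        if parent == EQNEDT:
            findings.append({"severity": "high", "rule": "eqnedt32-spawns-child",
                             "pid": ev["pid"], "detail": f"{child}: {ev['cmdline']}"})
        elif child == EQNEDT:
            findings.append({"severity": "medium", "rule": "eqnedt32-launched",
                             "pid": ev["pid"], "detail": f"parent {parent}"})
    return findings

# Constructed sample events (Sysmon Event ID 1 style), not from the report: two
# benign Word launches, then the Equation Editor chain with a placeholder payload.
SAMPLE_EVENTS = [
    {"pid": 4100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE budget.docx"},
    {"pid": 4180, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "WINWORD.EXE invitation.docx"},
    {"pid": 4212, "image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "EQNEDT32.EXE -Embedding"},
    {"pid": 4240, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r"cmd.exe /c start %TEMP%\PLACEHOLDER_DROPPED_LOADER.exe"},
]

if __name__ == "__main__":
    for f in detect_equation_editor_abuse(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['rule']}: {f['detail']}")
```

The medium rule will fire on legitimate documents containing legacy equations, so treat it as triage context; the high rule is the one to alert on.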
The previously unknown backdoor is a custom piece of malware that includes a number of capabilities, including:
- Delete/Create/Rename/Read/Write Files and get files attributes
- Get processes and services information
- Get screenshots
- Pipe Read/Write – run commands through cmd.exe
- Create/Terminate Process
- Get TCP/UDP tables
- Get CDROM drives data
- Get registry keys info
- Get titles of all top-level windows
- Get victim’s computer information – computer name, user name, gateway address, adapter data, Windows version (major/minor version and build number) and type of user
- Shutdown PC
The takeaway from this story is that hackers will take their time developing powerful purpose-built tools to gain the access they need and to carry out whatever malicious actions they intend. The good news here is that the bad guys still need an “in” – in the case of SharpPanda, it’s a phishing attack; they need a user to open an unsolicited document in the first place to begin the attack. Users who undergo Security Awareness Training are materially less prone to engaging with unknown content, having been tested through simulated phishing and having learned about the phishing scams and social engineering tactics used by groups like SharpPanda.