The China-aligned threat actor “Sharp Dragon” is launching spear phishing attacks against government entities in African and Caribbean countries, according to researchers at Check Point.
“In recent months, we have observed a significant shift in Sharp Dragon’s activities and lures, now targeting governmental organizations in Africa and the Caribbean,” the researchers write.
“Those activities very much align with known Sharp Dragon modus operandi, and were characterized by compromising a high-profile email account to spread a phishing word document that leverages a remote template weaponized using RoyalRoad. Unlike previous activities, those lures were used to deploy Cobalt Strike Beacon.”
The threat actor begins by hacking into a trusted email account at a targeted organization, then uses that access to spread to additional accounts before installing the Cobalt Strike hacking tool.
“Presently, we are witnessing the use of Cobalt Strike Beacon as the payload of the 5.t downloader,” the researchers write. “This choice provides backdoor functionalities, such as C2 communication and command execution, without the risk of exposing their custom tools.
However, we assume that the Cobalt Strike beacon serves as their primary tool for assessing the attacked environment, while their custom tools come into play at a later stage, which we have yet to witness. This refined approach indicates a deeper understanding of their targets and a desire to minimize exposure, likely resulting from public disclosures of their activities.”
The researchers conclude that the shift in targeting suggests that government employees in these regions should be on the lookout for targeted phishing attacks.
“These changes in Sharp Dragon’s tactics, showing more careful selection of targets and the use of publicly and readily available tools, are an indication of a refined approach by this threat actor to target high-profile organizations,” the researchers write. “These findings bring attention to the evolving nature of Chinese threat actors, especially towards regions that have been somewhat overlooked in global cybersecurity and by the threat intelligence community.”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Check Point has the story.