Government entities in Southeast Asia continue to be targeted by China-linked hacking groups, cybersecurity specialists at Check Point Research revealed on Tuesday. In 2021, Check Point said Chinese hacking groups were targeting employees of government agencies in Southeast Asia. Its latest report sheds more light on the toolset used in the campaign dubbed “Sharp Panda.”

According to Check Point, Chinese hackers are using a new variant of the SoulSearcher malware in these attacks. Although the Soul malware family has been around for over five years, the new version highlighted in this report has some unique features, including a “radio silence” mode to evade detection. “While the Soul framework has been in use since at least 2017, the threat actors behind it have been constantly updating and refining its architecture and capabilities,” Check Point said.

Sharp Panda’s ‘Advanced OpSec’ Features

Check Point described the new “radio silence” feature as “an advanced OpSec feature that allows the actors to blend their communication flow into general traffic and decrease the chances of network communication being detected.”

“While Sharp Panda’s previous campaigns delivered a custom and unique backdoor called VictoryDll, the payload in this specific attack is a new version of SoulSearcher loader, which eventually loads the Soul modular framework,” the report said.

Chinese hackers were previously observed targeting the defense, healthcare, and ICT sectors in Southeast Asian countries. It is unclear whether this is a single threat actor or a group. The similarity between the previous attacks and the current Tactics, Techniques, and Procedures (TTPs) of Sharp Panda suggests that China-based APT groups share custom tools and may delegate one entity for initial infection while another is responsible for cyber-espionage intelligence gathering, Check Point added.

Phishing Emails Contain ‘Government-Themed Lures’

Despite the upgrades to their toolset, Chinese Advanced Persistent Threat (APT) groups are still using spear-phishing emails as an attack vector to compromise high-profile targets in Southeast Asian government agencies. The Sharp Panda infection starts with an email containing a Word document “with government-themed lures that leveraged a remote template to download and run a malicious text document, weaponized with the infamous RoyalRoad kit,” Check Point said. If the malicious document is downloaded, it activates a custom DLL downloader and a “second stage-loader” that delivers a backdoor in a victim’s operating system.

Check Point said this initial part of the infection chain has remained the same over the years; however, a DLL different from the earlier “VictoryDll” was observed being injected from the threat actor’s server this year. The researchers explained that the downloader first scans for potentially usable data such as hostnames, OS names and versions, usernames, MAC addresses, and even “information on anti-virus solutions.” If the target is viable, the latter stages commence.

“Further analysis revealed that this payload is a new version of SoulSearcher loader, which is responsible for downloading, decrypting, and loading in memory other modules of the Soul modular backdoor,” the report explained. Interestingly, Check Point researchers noted that Sharp Panda infections occur consistently between 1 AM and 8 AM UTC, Monday through Friday, with the exception of the Chinese Spring Festival.

“Chinese APT teams are among the most active and capable,” Chief Research Analyst at IT-Harvest, Richard Stiennon, told VPNOverview. This sentiment was echoed in the recently released U.S. In February 2021, Check Point Research said a China-linked hacking group, APT31 - aka Zirconium/Hurricane Panda, which hijacked and cloned a U.S. National Security Agency (NSA) tool, represents one of the most advanced cybersecurity threats detected in over twenty years.

Sharp Panda attacks typically exploit older software vulnerabilities. “The RoyalRoad RTF kit was reported as the tool of choice among Chinese APT groups and is still used despite the exploitation of old patched vulnerabilities,” Check Point said.

Since the initial Sharp Panda infection vector is delivered via a targeted phishing email, it is important not to interact with emails from an unknown or suspicious sender address. Stiennon further explained how to defend against Sharp Panda attacks. “In this case, they use known CC servers and an easily blocked Docx file. Organizations should deploy email security solutions that sandbox and detonate all attachments,” he said. “They should block all communications with known command and control servers.” We recommend using a premium antivirus solution with real-time detection technology like Norton 360.