The China-linked threat actor known as Sharp Panda has expanded their targeting to include governmental organizations in Africa and the Caribbean as part of an ongoing cyber espionage campaign.
“The campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools,” Check Point said in a report shared with The Hacker News. “This refined approach suggests a deeper understanding of their targets.”
The Israeli cybersecurity firm is tracking the activity under a new name Sharp Dragon, describing the adversary as careful in its targeting, while at the same time broadening its reconnaissance efforts.
The adversary first came to light in June 2021, when it was detected targeting a Southeast Asian government to deploy a backdoor on Windows systems dubbed VictoryDLL.
Subsequent attacks mounted by Sharp Dragon have set their sights on high-profile government entities in Southeast Asia to deliver the Soul modular malware framework, which is then used to receive additional components from an actor-controlled server to facilitate information gathering.
Evidence suggests the Soul backdoor has been in the works since October 2017, adopting features from Gh0st RAT – malware commonly associated with a diverse range of Chinese threat actors – and other publicly available tools.
Another set of attacks attributed to the threat actors has targeted high-level government officials from G20 nations as recently as June 2023, indicating continued focus on governmental bodies for information gathering.
Key to Sharp Panda’s operations is the exploitation of 1-day security flaws (e.g., CVE-2023-0669) to infiltrate infrastructure for later use as command-and-control (C2) servers. Another notable aspect is the use of the legitimate adversary simulation framework Cobalt Strike over custom backdoors.
What’s more, the latest set of attacks aimed at governments in Africa and the Caribbean demonstrate an expansion of their original attack goals, with the modus operandi involving utilizing compromised high-profile email accounts in Southeast Asia to send out phishing emails to infect new targets in the two regions.
These messages bear malicious attachments that leverage the Royal Road Rich Text Format (RTF) weaponizer to drop a downloader named 5.t that’s responsible for conducting reconnaissance and launching Cobalt Strike, allowing the attackers to gather information about the target environment.
The use of Cobalt Strike as a backdoor not only minimizes the exposure of custom tools but also suggests a “refined approach to target assessment,” Check Point added.
In a sign that the threat actor is continuously refining its tactics, recent attack sequences have been observed using executables disguised as documents to kick-off the infection, as opposed to relying on a Word document utilizing a remote template to download an RTF file weaponized with Royal Road.
“Sharp Dragon’s strategic expansion towards Africa and the Caribbean signifies a broader effort by Chinese cyber actors to enhance their presence and influence in these regions.”
The findings come the same day Palo Alto Networks uncovered details of a campaign codenamed Operation Diplomatic Specter that has been targeting diplomatic missions and governments in the Middle East, Africa, and Asia since at least late 2022. The attacks have been linked to a Chinese threat actor dubbed TGR-STA-0043 (formerly CL-STA-0043).
The shift in Sharp Dragon’s activities towards Africa is part of larger efforts made by China to extend its influence throughout the continent.
“These attacks conspicuously align with China’s broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies,” SentinelOne security researcher Tom Hegel previously noted in September 2023.
The development also follows a report from Google-owned Mandiant that highlighted China’s use of proxy networks referred to as operational relay box networks (ORBs) to obscure their origins when carrying out espionage operations and achieve higher success rates in gaining and maintaining access to high-value networks.
“Building networks of compromised devices allows ORB network administrators to easily grow the size of their ORB network with little effort and create a constantly evolving mesh network that can be used to conceal espionage operations,” Mandiant researcher Michael Raggi said.
One such network ORB3 (aka SPACEHOP) is said to have been leveraged by multiple China-nexus threat actors, including APT5 and APT15, while another network named FLORAHOX – which comprises devices recruited by the router implant FLOWERWATER – has been put to use by APT31.
“Use of ORB networks to proxy traffic in a compromised network is not a new tactic, nor is it unique to China-nexus cyber espionage actors,” Raggi said. “We have tracked China-nexus cyber espionage using these tactics as part of a broader evolution toward more purposeful, stealthy, and effective operations.”
