
A provider of an AI-powered, cloud-based cybersecurity platform is warning about the Chinese espionage hacker group Sharp Dragon, formerly known as Sharp Panda.
It has refined its operations: it now relies on 1-day vulnerabilities, uses the proven Cobalt Strike Beacon as its payload instead of a custom backdoor, and draws on its functions such as C2 communication and remote code execution. At the same time, the suspected Chinese hackers are choosing their targets more carefully and conducting better reconnaissance. They are also making greater efforts to conceal their own tools. The current ploy: compromised but trusted government agencies and authorities are used as a springboard to attack others.
Infected government agencies as a springboard
Since 2021, Check Point Research has been closely monitoring Sharp Dragon's activities. Their tactics primarily consist of targeted phishing emails, which in the past have led to the distribution of malware such as VictoryDLL or the Soul framework. However, a clear change has been observed in recent months. Sharp Dragon has shifted its focus to government organizations in Africa and the Caribbean, demonstrating a significant expansion of its activities beyond its original scope. These activities are consistent with Sharp Dragon's proven modus operandi, characterized by the compromise of high-level email accounts to distribute phishing documents that weaponize a remote template created with RoyalRoad. However, unlike previous tactics, these lures now employ Cobalt Strike Beacon, indicating a strategic adaptation to improve their infiltration capabilities.
Sharp Dragon Tactics and Techniques
First, threat actors use tailored phishing emails, often disguised as legitimate correspondence, to trick victims into opening malicious attachments or clicking on fraudulent links. These attachments or links execute code that has evolved over time from custom malware such as VictoryDLL and the Soul framework to widely used tools such as Cobalt Strike Beacon. Once successfully executed, the malware establishes itself on the victim's system, allowing hackers to explore the target's IT environment and gather intelligence. While core functionality remains unchanged, CPR has identified changes in tactics, techniques and procedures (TTPs). These changes reflect more careful target selection and a greater awareness of operational security (OPSEC). Some changes include:
- Broader intelligence coverage: The 5.t downloader now performs a more thorough reconnaissance of targeted systems, including examining process lists and enumerating folders, resulting in a more careful selection of potential victims.
- Cobalt Strike payload: Sharp Dragon has moved from VictoryDll and the SoulSearcher framework to Cobalt Strike Beacon as the payload delivered by the 5.t downloader. Beacon provides the backdoor functionality while keeping the group's custom tools out of sight, indicating a more refined approach to target assessment and to minimizing exposure.
- EXE loader: Recent observations indicate a notable change in 5.t downloaders, with some of the latest samples containing EXE-based loaders instead of the typical DLL-based loaders, highlighting the dynamic evolution of their strategies.
- Compromised infrastructure: Sharp Dragon is moving from dedicated servers to compromised servers as command-and-control (C&C) infrastructure, specifically by exploiting CVE-2023-0669, a pre-authentication command injection vulnerability in the GoAnywhere platform.
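A defender-side heuristic that encodes the chain summarised above (phishing document, 5.t loader as a DLL or an EXE, process-list and folder reconnaissance, then a beacon to C2), added here as an example and not Check Point's own code. The event schema, image names, paths and sample telemetry are constructed assumptions; adapt the field names to your EDR.

```python
"""Flag an Office child process that looks like the 5.t loader (a DLL host such as
rundll32/regsvr32, or an EXE from a user-writable path) and, within a time window,
performs both kinds of reconnaissance named on the page and then connects out.
Hypothetical event schema: dicts with ts, kind, pid, ppid, image and (for starts) path."""
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}          # DLL-based loader shape
RECON_KINDS = {"process_list", "dir_enum"}             # process lists + folder enumeration

def detect_chain(events, window=600):
    """Return [(loader_pid, sorted evidence kinds)] for chains completed within `window` s."""
    by_pid = {e["pid"]: e for e in events if e["kind"] == "process_start"}
    loaders = {}                                       # candidate loader pid -> start time
    for e in events:
        if e["kind"] != "process_start":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or parent["image"].lower() not in OFFICE:
            continue
        img, path = e["image"].lower(), e.get("path", "").lower()
        if img in DLL_HOSTS or (img.endswith(".exe") and "\\appdata\\" in path):
            loaders[e["pid"]] = e["ts"]
    evidence = defaultdict(set)
    for e in events:
        start = loaders.get(e["pid"])
        if start is not None and 0 <= e["ts"] - start <= window:
            if e["kind"] in RECON_KINDS or e["kind"] == "net_connect":
                evidence[e["pid"]].add(e["kind"])
    return [(pid, sorted(k)) for pid, k in evidence.items()
            if RECON_KINDS <= k and "net_connect" in k]

# Constructed sample telemetry (timestamps in seconds); not real campaign data.
SAMPLE_EVENTS = [
    {"ts": 0, "kind": "process_start", "pid": 400, "ppid": 300, "image": "WINWORD.EXE",
     "path": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    # benign: Word launches a Windows helper from a system path -> not a loader candidate
    {"ts": 2, "kind": "process_start", "pid": 405, "ppid": 400, "image": "splwow64.exe",
     "path": "C:\\Windows\\splwow64.exe"},
    # suspicious: Word spawns rundll32, which enumerates processes and folders, then beacons
    {"ts": 5, "kind": "process_start", "pid": 410, "ppid": 400, "image": "rundll32.exe",
     "path": "C:\\Windows\\System32\\rundll32.exe"},
    {"ts": 6, "kind": "process_list", "pid": 410, "ppid": 400, "image": "rundll32.exe"},
    {"ts": 7, "kind": "dir_enum", "pid": 410, "ppid": 400, "image": "rundll32.exe"},
    {"ts": 9, "kind": "net_connect", "pid": 410, "ppid": 400, "image": "rundll32.exe"},
    # EXE loader shape from %APPDATA%, but recon is incomplete and nothing connects out
    {"ts": 20, "kind": "process_start", "pid": 420, "ppid": 400, "image": "update.exe",
     "path": "C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"},
    {"ts": 21, "kind": "process_list", "pid": 420, "ppid": 400, "image": "update.exe"},
]

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))   # [(410, ['dir_enum', 'net_connect', 'process_list'])]
```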
About Check Point
Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. Its solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100,000 businesses of all sizes.