Check Point Research (CPR) said that the Chinese APT group SharpPanda spent three years developing a new backdoor to spy on Asian governments.
Researchers from Check Point Research (CPR) discovered a new backdoor while investigating a cyber espionage campaign conducted by the Chinese APT group SharpPanda and aimed at the Ministry of Foreign Affairs of a Southeast Asian government.
The attackers use spear-phishing messages and leverage exploits for old Microsoft Office vulnerabilities, along with a chain of in-memory loaders, to deliver a previously unknown backdoor onto targets’ machines.
The spear-phishing messages impersonate departments of the targeted governments.
“Our investigation shows the operation was carried out by what we believe is a Chinese APT group that has been testing and refining the tools in its arsenal for at least 3 years.” reads the analysis published by Check Point. “The investigation starts from the campaign of malicious DOCX documents that are sent to different employees of a government entity in Southeast Asia. In some cases, the emails are spoofed to look like they were from other government-related entities. The attachments to these emails are weaponized copies of legitimate looking official documents and use the remote template technique to pull the next stage from the attacker’s server.”
Upon opening the bait files, the malicious code loads remote .RTF templates weaponized using a variant of a tool named RoyalRoad, which is commonly used by Chinese APT groups. The tool was used by the Chinese threat actors to create weaponized documents with embedded objects that exploit the Equation Editor vulnerabilities of Microsoft Word. Despite the fact that these vulnerabilities are a few years old, they are still used by multiple attack groups, and they are especially popular with Chinese APT groups.
The documents generated by the tool exploit a set of vulnerabilities in Microsoft Word’s Equation Editor, including CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.