An ongoing cyber espionage and surveillance campaign attributed to the APT group SharpPanda has been identified targeting a Southeast Asian government with a newly observed backdoor. The malware is reported to have been developed, tested and deployed over the past three years in order to compromise systems belonging to the Ministry of Foreign Affairs of a Southeast Asian government.

______________________________

A. Nature of the Attack

The group gains initial access by sending spear-phishing emails to the target organization's employees while impersonating other government-related entities. The emails carry malicious attachments: weaponized copies of legitimate-looking official documents that serve as the first stage of the attack. The attachments are built with Royal Road, an RTF weaponizer that exploits known vulnerabilities in Microsoft Word's Equation Editor (EQNEDT32.EXE) to execute shellcode, which in turn delivers the backdoor payload.
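
The delivery chain described above can be triaged before the document is ever opened by inspecting what the RTF embeds. The following Python script is an added example and is not code from the report or from any vendor tooling: it extracts each `{\*\objdata ...}` group, strips the control words that builders interleave into the hex stream, decodes the OLE 1.0 object header it carries, and reports the object class names, flagging Equation Editor 3.0 (ProgID `Equation.3`, CLSID 0002CE02-0000-0000-C000-000000000046) and the `\objupdate` control word that forces the object to load when the document opens. The sample RTF, the `5.t` filename placed in its Package object (echoing the IoC list below), and the function names are constructed for this demonstration. Royal Road variants obfuscate class names and object layout, so treat this as a triage aid rather than a detection signature; a clean result does not prove a document safe.

```python
"""RTF triage for Equation Editor exploit documents (added example, not from the report)."""
import json
import re
import struct
from typing import Dict, List, Optional

# ProgID of Microsoft Equation Editor 3.0 (EQNEDT32.EXE) and its CLSID in the byte order
# used inside OLE streams. Both are public, documented values.
EQUATION_PROGID = b"equation.3"
EQUATION_CLSID_LE = bytes.fromhex("02ce020000000000c000000000000046")

_OBJDATA_OPEN = re.compile(rb"\{\\\*\\objdata", re.IGNORECASE)
_CONTROL_WORD = re.compile(rb"\\'[0-9a-fA-F]{2}|\\[a-zA-Z]+-?\d*\s?")
_NON_HEX = re.compile(rb"[^0-9a-fA-F]")


def _objdata_groups(rtf: bytes) -> List[bytes]:
    """Return the body of every {\\*\\objdata ...} group, honouring nested braces and escapes."""
    groups = []
    for m in _OBJDATA_OPEN.finditer(rtf):
        depth, i = 1, m.end()
        while i < len(rtf) and depth:
            c = rtf[i]
            if c == 0x5C:                 # backslash: skip the escaped or control character
                i += 2
                continue
            if c == 0x7B:                 # {
                depth += 1
            elif c == 0x7D:               # }
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i  # drop the closing brace; tolerate truncated input
        groups.append(rtf[m.end():end])
    return groups


def _decode_hex(body: bytes) -> bytes:
    """Remove control words, braces and whitespace interleaved in the hex stream, then unhex."""
    cleaned = _NON_HEX.sub(b"", _CONTROL_WORD.sub(b"", body))
    if len(cleaned) % 2:
        cleaned = cleaned[:-1]
    return bytes.fromhex(cleaned.decode("ascii"))


def _ole1_class_name(blob: bytes) -> Optional[str]:
    """Read ClassName from an OLE 1.0 ObjectHeader: OLEVersion, FormatID, then a
    length-prefixed ANSI string whose length includes the terminating NUL."""
    if len(blob) < 12:
        return None
    _version, fmt, name_len = struct.unpack_from("<III", blob, 0)
    if fmt not in (1, 2) or not 1 <= name_len <= 256 or 12 + name_len > len(blob):
        return None
    return blob[12:12 + name_len].rstrip(b"\x00").decode("latin-1")


def triage_rtf(rtf: bytes) -> Dict[str, object]:
    """Summarise embedded OLE objects and Equation Editor indicators for one RTF."""
    classes: List[str] = []
    equation = False
    for body in _objdata_groups(rtf):
        blob = _decode_hex(body)
        name = _ole1_class_name(blob)
        classes.append(name or "<unparsed>")
        # Header class name, raw CLSID bytes, or ProgID anywhere in the object all count.
        if (name and name.lower().encode("latin-1") == EQUATION_PROGID) \
                or EQUATION_CLSID_LE in blob or EQUATION_PROGID in blob.lower():
            equation = True
    if re.search(rb"\\objclass\s*equation\.3", rtf, re.IGNORECASE):
        equation = True
    objupdate = re.search(rb"\\objupdate\b", rtf, re.IGNORECASE) is not None
    return {
        "ole_classes": classes,
        "equation_editor": equation,
        "objupdate": objupdate,
        "package_object": any(c.lower() == "package" for c in classes),
        "verdict": "suspicious" if equation else ("review" if classes else "no embedded objects"),
    }


def _ole1_object(class_name: bytes, native: bytes) -> bytes:
    """Build a minimal OLE 1.0 embedded-object record around `native` (constructed test data)."""
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)                      # empty TopicName and ItemName
            + struct.pack("<I", len(native)) + native)


def build_sample_rtf() -> bytes:
    """Constructed RTF carrying an Equation.3 object whose hex stream is split by a control
    word, plus a Package object. Not a real malicious sample."""
    eq_hex = _ole1_object(b"Equation.3", b"\x1c\x00" + b"\x41" * 16).hex().encode()
    mid = len(eq_hex) // 2
    eq_hex = eq_hex[:mid] + b"\n\\par " + eq_hex[mid:]
    pkg_hex = _ole1_object(b"Package", b"5.t\x00" + b"\x00" * 8).hex().encode()
    return (b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Times New Roman;}}\n"
            b"{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}{\\*\\objdata " + eq_hex + b"}}\n"
            b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + pkg_hex + b"}}\n"
            b"\\par Quarterly report}\n")


if __name__ == "__main__":
    print(json.dumps(triage_rtf(build_sample_rtf()), indent=2))
```

Run it against a suspect attachment with `triage_rtf(Path(f).read_bytes())`; any document from an external sender that embeds an Equation Editor object is worth detonating in a sandbox, since that component has no legitimate reason to appear in modern correspondence.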

______________________________

B. Malware Capabilities

Capabilities of the backdoor payload:

  • Collecting and exfiltrating information about the victim's machine
  • Performing unauthorized actions on the victim's machine
  • Registry enumeration
  • Process creation and termination
  • Monitoring running processes and services
  • Monitoring user activity
  • File modification
  • TCP/UDP port enumeration

______________________________

C. Indicators of Compromise (IoCs)

Documents (SHA-1)

  • 278c4fc89f8e921bc6c7d015e3445a1cc6319a66
  • 42be0232970d5274c5278de77d172b7594ff6755
  • f9d958c537b097d45b4fca83048567a52bb597bf
  • fefec06620f2ef48f24b2106a246813c1b5258f4
  • 548bbf4b79eb5a173741e43aa4ba17b92be8ed3a
  • 417e4274771a9614d49493157761c12e54060588

Executables (SHA-1, followed by the dropped file or component name)

  • 03a57262a2f3563cf0faef5cde5656da437d58ce 5.t
  • 388b7130700dcc45a052b8cd447d1eb76c9c2c54 5.t
  • 176a0468dd70abe199483f1af287e5c5e2179b8c 5.t
  • 01e1913b1471e7a1d332bfc8b1e54b88350cb8ad loader
  • 8bad3d47b2fc53dc6f9e48debac9533937c32609 ServExe (x64)
  • 0a588f02e60de547969d000968a458dcdc341312 VictoryDll

C&C servers (IP addresses, defanged with [.])

  • 45.91.225[.]139
  • 107.148.165[.]151
  • 45.121.146[.]88
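
To put the indicators above to work, the following Python script is an added example (not tooling from the report): it refangs the C&C addresses, matches SHA-1 hashes case-insensitively against the document and executable lists, sweeps a directory by hashing files, and scans firewall log lines for whole-IP matches against the C&C set so that a neighbouring address such as 45.91.225.1 does not trigger a false hit. The `SAMPLE_FW_LOG` entries are constructed, and the function names are this example's own.

```python
"""IoC sweep for the SharpPanda indicators listed above (added example, not from the report)."""
import hashlib
import ipaddress
import re
from pathlib import Path
from typing import Dict, Iterable, List, Set

# SHA-1 hashes copied from the IoC list above (40 hex characters each).
DOCUMENT_SHA1: Set[str] = {
    "278c4fc89f8e921bc6c7d015e3445a1cc6319a66",
    "42be0232970d5274c5278de77d172b7594ff6755",
    "f9d958c537b097d45b4fca83048567a52bb597bf",
    "fefec06620f2ef48f24b2106a246813c1b5258f4",
    "548bbf4b79eb5a173741e43aa4ba17b92be8ed3a",
    "417e4274771a9614d49493157761c12e54060588",
}
EXECUTABLE_SHA1: Dict[str, str] = {
    "03a57262a2f3563cf0faef5cde5656da437d58ce": "5.t",
    "388b7130700dcc45a052b8cd447d1eb76c9c2c54": "5.t",
    "176a0468dd70abe199483f1af287e5c5e2179b8c": "5.t",
    "01e1913b1471e7a1d332bfc8b1e54b88350cb8ad": "loader",
    "8bad3d47b2fc53dc6f9e48debac9533937c32609": "ServExe (x64)",
    "0a588f02e60de547969d000968a458dcdc341312": "VictoryDll",
}
# C&C addresses exactly as published (defanged with "[.]"); refanged before matching.
C2_DEFANGED = ["45.91.225[.]139", "107.148.165[.]151", "45.121.146[.]88"]


def refang(indicator: str) -> str:
    """Undo common defanging and validate that the result is an IP address."""
    addr = indicator.replace("[.]", ".").replace("(.)", ".").strip()
    ipaddress.ip_address(addr)            # raises ValueError on a typo or a non-IP indicator
    return addr


C2_IPS: Set[str] = {refang(i) for i in C2_DEFANGED}
KNOWN_SHA1: Dict[str, str] = {**{h: "document" for h in DOCUMENT_SHA1}, **EXECUTABLE_SHA1}
# Dotted quad not preceded or followed by another digit or dot, so "45.91.225.1390" or
# "10.45.91.225.139" cannot satisfy a match for 45.91.225.139.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(hashes: Iterable[str]) -> Dict[str, str]:
    """Return {sha1: label} for every supplied hash that is on the IoC list."""
    return {h.lower(): KNOWN_SHA1[h.lower()] for h in hashes if h.lower() in KNOWN_SHA1}


def sweep_directory(root: Path) -> Dict[str, str]:
    """Hash every regular file under `root` and return {path: label} for IoC matches."""
    hits: Dict[str, str] = {}
    for p in root.rglob("*"):
        if p.is_file():
            label = KNOWN_SHA1.get(sha1_of_file(p))
            if label:
                hits[str(p)] = label
    return hits


def find_c2_connections(log_lines: Iterable[str]) -> List[str]:
    """Return log lines that contain a C&C address as a whole IP token."""
    return [line for line in log_lines if any(ip in C2_IPS for ip in _IPV4.findall(line))]


# Constructed firewall log lines for the demonstration (not real telemetry). The last
# line is a near miss: 45.91.225.1 shares a prefix with a C&C address but is not one.
SAMPLE_FW_LOG = [
    "ALLOW tcp 10.20.30.41:51822 -> 45.91.225.139:443 bytes_out=5120",
    "ALLOW tcp 10.20.30.41:51823 -> 203.0.113.7:443 bytes_out=880",
    "DENY  tcp 10.20.30.52:60211 -> 107.148.165.151:8080 bytes_out=0",
    "ALLOW tcp 10.20.30.52:60212 -> 45.91.225.1:443 bytes_out=300",
]

if __name__ == "__main__":
    print(match_hashes(["03A57262A2F3563CF0FAEF5CDE5656DA437D58CE", sha1_of_bytes(b"")]))
    for line in find_c2_connections(SAMPLE_FW_LOG):
        print("C2 contact:", line)
```

Hash matching only catches the exact samples listed, so pair it with the network indicators and with behavioural detections (Equation Editor spawning processes, unexpected files written to %TEMP%); a hash miss says nothing about a recompiled variant.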

______________________________

D. Conclusion

In conclusion, organizations in both the private and public sectors are strongly advised to monitor all assets closely for indicators of suspicious or malicious activity, and to load the relevant IoCs, YARA and Snort rules into their mail, endpoint and network security controls. They should also train employees to recognise spear-phishing and handle unsolicited attachments safely, since the campaign depends on a user opening a weaponized document.