Key Findings

Sharp Dragon’s (Formerly referred to as Sharp Panda) operations continue, expanding their focus now to new regions – Africa and the Caribbean.
Sharp Dragon, a Chinese threat actor, utilizes trusted government entities to infect new ones and establish initial footholds in new territories.
The threat actors demonstrate increased caution in selecting their targets, broadening their reconnaissance efforts, and adopting Cobalt Strike Beacon over custom backdoors.
Throughout their operation, Sharp Dragon exploited 1-day vulnerabilities to compromise infrastructure later used as Command and Control (C2) infrastructure.

Introduction

Since 2021, Check Point Research has been closely monitoring the activities of Sharp Dragon (Formerly referred to as Sharp Panda*), a Chinese threat actor. Historical activities mostly consist of highly-targeted phishing emails, previously leading to the deployment of VictoryDLL or Soul framework.

While the final payloads Sharp Dragon operators have deployed overtime changed, their modus operandi has been persistent, and more so, their targets, who have remained within the confines of South-East Asia in the years we were tracking them, up until recently.

In recent months, we have observed a significant shift in Sharp Dragon’s activities and lures, now targeting governmental organizations in Africa and the Caribbean. Those activities very much align with known Sharp Dragon modus operandi, and were characterized by compromising a high-profile email account to spread a phishing word document that leverages a remote template weaponized using RoyalRoad. Unlike previous activities, those lures were used to deploy Cobalt Strike Beacon.

* As part of an ongoing effort to avoid confusion with other vendors naming conventions, the name was changed.

Inter-Government Relations as an Attack Vector

Starting November 2023, we observed Sharp Dragon’s increased interest in governmental entities in Africa and the Caribbean. This interest manifested by directly targeting government organizations within the two regions, by exploiting previously compromised entities in Southeast Asia. Utilizing highly-tailored lures that deal with relations between countries in South-East Asia and the two regions, Sharp Dragon threat actors have established their first footholds in two new territories.

Figure 1- Sharp Dragon’s shift to target Africa and the Caribbean

Sharp Dragon’s Cyber Activities in Africa

The first identified phishing attack targeting Africa was sent out from Country A (South-East Asia) to Country B (Africa) in November of 2023, using a lure about industrial relations between countries in South-East Asia and Africa. The document is very thorough, and its contents were likely taken from an authentic correspondence between the two countries.

Figure 2 – Lure document targeting Country B in Africa

Following those lures, we’ve also observed direct targeting within Africa in January of 2024, originating from Country B, originally targeted in November, likely indicating some of the phishing attacks were successful.

Sharp Dragon’s interest in Africa does not come in a vacuum, as we’ve observed a set of Chinese affiliated threat actors targeting the region lately. This is also correlated with observations made by other vendors, who observe sustained tasking toward targeting in the region. It appears that Sharp Dragon’s activities are part of a larger effort carried out by Chinese threat actors.

Sharp Dragon’s Activity in the Caribbean

In a similar manner to Africa, Sharp Dragon’s operators have utilized their previous access to compromised governmental entities in South-East Asia Country A to target governmental organizations in Country C, which is in the Caribbean. The first set of identified malicious documents sent out from the compromised network was sent out in December of 2023 and used a Caribbean Commonwealth meeting lure, named “Caribbean Clerks Programme”. This lure was sent out to a Foreign Affairs ministry of Country C.

Figure 3 – Caribbean-themed lure sent to a Southeast Asian government.

Not long afterwards, in January of 2024, much like in Africa, Country C compromised governmental email infrastructure was used to send out a large-scale phishing campaign targeting a wide set of governments in the Caribbean, this time, using a lure of a legitimate – looking survey around the Opioid threat in the Eastern Caribbean.

Figure 4 – One of the lures sent to governmental entities in the Caribbean region

Technical Analysis

Figure 5 – Sharp Dragon’s Infection chain since May 2023 campaign

In our ongoing efforts to track Sharp Dragon activities, we’ve identified various minor changes in their Tactics, Techniques, and Procedures (TTPs), while the core functionality remains consistent. Those changes reflect a more careful target selection and operational security (OPSEC) awareness. Among those changes are:

Wider Recon Collection

The 5.t downloader now conducts more thorough reconnaissance on target systems, this includes examining process lists and enumerating folders, leading to a more discerning selection of potential victims.

HTN:<hostname>
OSN:<os name>
OSV:<os version>
URN:<username>
ITF:NetworkCard:1 <Network card info> NetworkCard:2 <Network card info> … ;
PGF:[Program Files]-><list of subfolders>|[Program Files (x86)]-><list of subfolders>
PSL:([System Process])<list of running processes>

Cobalt Strike Payload

Additionally, we observed a change in the delivered payload: if the machine is deemed attractive by the attackers, a payload is sent. When Check Point Research first exposed this operation in 2021, the payload was VictoryDll, a custom and unique malware enabling remote access and data collection from infected devices. Subsequently, as we continued tracking Sharp Dragon’s operations, we observed the adoption of the SoulSearcher framework.

Presently, we are witnessing the use of Cobalt Strike Beacon as the payload of the 5.t downloader. This choice provides backdoor functionalities, such as C2 communication and command execution, without the risk of exposing their custom tools. However, we assume that the Cobalt Strike beacon serves as their primary tool for assessing the attacked environment, while their custom tools come into play at a later stage, which we have yet to witness. This refined approach indicates a deeper understanding of their targets and a desire to minimize exposure, likely resulting from public disclosures of their activities.

Cobalt Strike Configuration:

{
“config_type”: “static”,
“spawnto_x64”: “%windir%\sysnative\Locator.exe”,
“spawnto_x86”: “%windir%\syswow64\Locator.exe”,
“uses_cookies”: “True”,
“bstagecleanup”: “True”,
“crypto_scheme”: 0,
“proxy_behavior”: “Use IE settings”,
“server,get-uri”: “103.146.78.152,/ajax/libs/json2/20160511/json_parse_state.js”,
“http_get_header”: [
“Const_header Accept: application/*, image/*, text/html”,
“Const_header Accept-Language: es”,
“Const_header Accept-Encoding: compress, br”,
“Build Metadata”,
“XOR mask w/ random key”,
“Base64 URL-safe decode”,
“Prepend JV6_IB4QESMW4TOIQLJRX69Q7LPGNXW594C5=”,
“Build End”,
“Header Cookie”
]
}

EXE Loaders

Another notable change is observed in the 5.t downloaders: some of the latest samples deviate from the usual DLL-based loaders, incorporating EXE-based 5.t loader samples. While not all the latest samples have shifted to DLLs, this change underscores the dynamic nature of their evolving strategies.

Recently Sharp Dragon has also introduced another executable, altering the initial phase of the infection chain. Instead of relying on a Word document utilizing remote template to download an RTF file weaponized with RoyalRoad, they started using executables disguised as documents. This new method closely resembles the previous infection chain, as the executable writes 5.t DLL loader and executes it, while also creating a scheduled task for persistence.

Figure 6 – Sharp Dragon’s new infection chain

Compromised Infrastructure

Sharp Dragon not only utilized compromised government infrastructure to target other governments but also shifted from dedicated servers to using compromised servers as C&C servers. During a campaign conducted in May 2023, our team observed that certain servers used by Sharp Dragon as C2 were likely legitimate servers that were compromised. Our suspicion is that Sharp Dragon exploited the CVE-2023-0669 vulnerability, which is a flaw in the GoAnywhere platform allowing for pre-authentication command injection, this vulnerability was disclosed shortly before the incidents occurred.

The data collected from the affected machine was subsequently sent to the following address: https://<C2_addres>:<port>/G0AnyWhere_up.jsp?Data=. This address masquerades as belonging to the GoAnywhere service, a file transfer software.

Conclusion

This research highlights Sharp Dragon’s strategic shift towards Africa and the Caribbean, suggesting its part in a broader effort carried out by Chinese cyber actors to enhance their presence and influence in these two regions. This move comes after a considerable period of activity in South-East Asia, which was leveraged by Sharp Dragon actors, to establish initial footholds in countries in Africa and the Caribbean.

These changes in Sharp Dragon’s tactics, showing more careful selection of targets and the use of publicy and readily available tools, is an indication of a refined approach by this threat actor to target high-profile organizations. These findings bring attention to the evolving nature of Chinese threat actors, especially towards regions that have been somewhat overlooked in global cybersecurity and by the threat intelligence community.

Check Point Customers Remain Protected Against the Threats Described in this Report.

Harmony Endpoint provides comprehensive endpoint protection at the highest security level and protects with the following:

Trojan.Win.SharpDragon.B
Trojan.Win.SharpDragon.C

Threat Emulation:

Trojan.Wins.Royalroad.ta.A
APT.Wins.SharpPanda.*

Indicators of Compromise

Hashes:

Archives

da78602c2a4490d445706f8f111daba9519fece8
6783545b9fa8dd14890644c166a35f3cee78329f9522c6ee53149698e5889695
cd737ac8d66a47d341dd4a3c98ab0d2c77c7558d9a0161f7d08a4ab310d440ba

Docx

57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b
2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816
0373ef0a7874bd8506dc64dd82ef2c6d7661a3250c8a9bb8cb8cb75a7330c1d2
bff674439ea8333b227f6d05caa05b2e3fe592825abd63272d4f1e4c2dfa88ea
362b9f497fce52a3f14ad9de2a027d974cc810473c929fed7c37526d2f13f83a

RTF

180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69
c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151
ff35cfed656c0cac5571beae7170a2fec007e75417c1d0c4fd7af4185759ec38
9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31
708722bafe35a9fdc94ac33b1970776c464f1bb4e9c2ea1c1dba3a9e1ba03ab3
9885b220b9654ac4743fe907e67da38d723fee2abf2dcd5944aa3a00c4a59c31

5.t loader DLL

21f173a347ed111ce67e4c0f2c0bd4ee34bb7ca765da03635ca5c0df394cd7e6
7575ebdd90aa0ab66c4eeaecd628c475e406ac9bcc54de5e01a3d372a050aec7
b952a459dac430d006a4d573612ca8474a410310792ea8141f9ab339214f4e57
42095521622c055db8d79441317952c0899c34d7b776f6f45855581fb86522dc
941e52ce5ce89b7307bdfe1b88657dfd76892b475971b86683cfc6fbca23e209
e848355359de1e59901aa387f2d208889c368663438909fd3bb0a97566de2b2d
cc805511e106a9b5302a4db4bfbb98609aca3dcbd2f709aee8ae316f479dfd49
ea72011929dece4684a2dcb5b76f34cef437dbe50306f19c531d632bf26e7f32
7b21b95c4256308e8089bff38d5d20845f2dc28fa9e536de979ceab9b7962afa
e6faf05234ceaaba3bdcca60285a7ba83eea229a0ca241e94fb314a73ad98d87

5.t loader EXE

20a4256443957fbae69c7c666ae025522533b849e01680287177110603a83a41
1c2a10f282f1a24d88c74d8d324fb59b172cee4ee2e3e3996d9a62ba979812a6

New EXE Loader

8e72c9517b0220f8ed6973cfc36f478fc7837fe536c5859554661bc1e7ee4254
59a9d10eba81d62337f38d8f72a15f283e1f4bc9daa99fe0c08f780f3e4da839
1db1cf2df0551762eaef0a92923da2f3d032663fdcb331d9474f5398b8ae4398

Cobalt-Strike

04f7ae8042e0ed457dd6b86d6e8a40bd361357724b38d3aac7358f5e643299c6
2c7e52eb8290d76780b6ac15a134b58a74c95bc616fd0d91a3f9514409a12846

C&C servers

103.146.78[.]152
185.239.226[.]91
38.54.96[.]97
38.54.50[.]182
45.76.193[.]171
45.251.241[.]12
103.56.17[.]192
schemas.openxmlformats[.]shop
dueog[.]xyz
http://13.236.189[.]80:8000/res/translate.res
https://13.236.189[.]80:8001/G0AnyWhere_up.jsp?Data=
http://52.236.140[.]86:8000/res/translation.res
https://52.236.140[.]86:8001/G0AnyWhere_up.jsp?Data=

Cobalt-Strike path

https://<c2 addres>/ajax/libs/json2/20160511/json_parse_state.js

Mutex

mt_app_http_get_zed2vsp

PDB

D:Project_new_plain_start1_XXX_64bit1_XXXx64Release1_XXX.pdb
d:projectdownloaderdll_rlsdownloader.pdb

The post Sharp Dragon Expands Towards Africa and The Caribbean appeared first on Check Point Research.

Article Link: Sharp Dragon Expands Towards Africa and The Caribbean – Check Point Research

1 post – 1 participant

Read full topic