Tuesday, December 3, 2024
HomeCyber Security NewsTwisted Panda: Chinese APT Launch Spy Operation Against Russian Defence Institutes

Twisted Panda: Chinese APT Launch Spy Operation Against Russian Defence Institutes

Published on

SIEM as a Service

In an analysis published recently by specialists at Check Point Research, a new spy campaign was discovered, dubbed “Twisted Panda”. This spy operation primarily targeted two Russian defense institutes and a research facility in Belarus.

In the course of an ongoing espionage campaign that has been taking place for several months, this campaign forms part of a larger, Chinese state-sponsored operation.

A variety of malicious stages and payloads have been deployed by the threat actors in this campaign. Moreover, there are also phishing emails containing sanctions-related information that has been sent to Russian entities within the Rostec Corporation, a Russian defense conglomerate.

- Advertisement - SIEM as a Service

The invasion of Ukraine was exploited by another Chinese APT group, Mustang Panda, to target Russian organizations at the same time.

It is possible that Twisted Panda is a part of the same spy ring as Mustang Panda or Stone Panda, aka APT10, another Beijing-sponsored spy group.

Infection chain

As recently on March 23, several Russian research institutes affiliated with the defense industry received malicious emails.

A malicious document was attached to the emails with the subject “List of persons under US sanctions for invading Ukraine”, which could be accessed through a link to a fake Russian Health Ministry website minzdravros[.]com.

An email with the subject “US Spread of Deadly Pathogens in Belarus” was sent to an unknown entity in Minsk, Belarus on the same day. 

While all of the documents attached to this email are crafted to appear to be official documents, bearing the official emblems and titles of the Russian Ministry of Health.

A template is downloaded from the URLs for each document in a similar format that can be easily exported. Several API functions are imported into this external template from kernel32, through a macro code.

When the exported function R1 is executed, the malicious files are finalized after initialization by the exported program.

New Spinner backdoor

As the payload, the Spinner a newly added backdoor is the main component, which is obfuscated by using two methods of obfuscation. 

It has been seen that earlier samples attributed to Stone Panda and Mustang Panda attested to the combination of these two obfuscation methods. 

There are two major problems, and here they are:- 

  • Control-flow flattening: Which makes the code flow not linear.
  • Opaque predicates: Which causes unneeded calculations to be performed in the binary. 

In this case, Spinner is the backdoor used by a command-and-control server for the purpose of running additional payloads.

China’s five-year plan also identifies Twisted Panda as part of its effort to improve its scientific and technological capabilities.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...