Tuesday, March 19, 2024

Twisted Panda: Chinese APT Launch Spy Operation Against Russian Defence Institutes

In an analysis published recently by specialists at Check Point Research, a new spy campaign was discovered, dubbed “Twisted Panda”. This spy operation primarily targeted two Russian defense institutes and a research facility in Belarus.

In the course of an ongoing espionage campaign that has been taking place for several months, this campaign forms part of a larger, Chinese state-sponsored operation.

A variety of malicious stages and payloads have been deployed by the threat actors in this campaign. Moreover, there are also phishing emails containing sanctions-related information that has been sent to Russian entities within the Rostec Corporation, a Russian defense conglomerate.

The invasion of Ukraine was exploited by another Chinese APT group, Mustang Panda, to target Russian organizations at the same time.

It is possible that Twisted Panda is a part of the same spy ring as Mustang Panda or Stone Panda, aka APT10, another Beijing-sponsored spy group.

Infection chain

As recently on March 23, several Russian research institutes affiliated with the defense industry received malicious emails.

A malicious document was attached to the emails with the subject “List of persons under US sanctions for invading Ukraine”, which could be accessed through a link to a fake Russian Health Ministry website minzdravros[.]com.

An email with the subject “US Spread of Deadly Pathogens in Belarus” was sent to an unknown entity in Minsk, Belarus on the same day. 

While all of the documents attached to this email are crafted to appear to be official documents, bearing the official emblems and titles of the Russian Ministry of Health.

A template is downloaded from the URLs for each document in a similar format that can be easily exported. Several API functions are imported into this external template from kernel32, through a macro code.

When the exported function R1 is executed, the malicious files are finalized after initialization by the exported program.

New Spinner backdoor

As the payload, the Spinner a newly added backdoor is the main component, which is obfuscated by using two methods of obfuscation. 

It has been seen that earlier samples attributed to Stone Panda and Mustang Panda attested to the combination of these two obfuscation methods. 

There are two major problems, and here they are:- 

  • Control-flow flattening: Which makes the code flow not linear.
  • Opaque predicates: Which causes unneeded calculations to be performed in the binary. 

In this case, Spinner is the backdoor used by a command-and-control server for the purpose of running additional payloads.

China’s five-year plan also identifies Twisted Panda as part of its effort to improve its scientific and technological capabilities.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

CryptoWire Ransomware Attacking Abuses Schedule Task To maintain Persistence

AhnLab security researchers detected a resurgence of CryptoWire, a ransomware strain originally prevalent in...

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hack AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles