Friday, May 24, 2024

Twisted Panda: Chinese APT Launch Spy Operation Against Russian Defence Institutes

Specialists at Check Point Research recently published an analysis of a newly discovered spy campaign dubbed “Twisted Panda”. The operation primarily targeted two Russian defense institutes and a research facility in Belarus.

The campaign is part of a larger, Chinese state-sponsored espionage operation that has been ongoing for several months.

The threat actors deployed a variety of malicious stages and payloads in this campaign. They also sent phishing emails containing sanctions-related information to Russian entities within the Rostec Corporation, a Russian defense conglomerate.

At the same time, another Chinese APT group, Mustang Panda, exploited the invasion of Ukraine to target Russian organizations.

It is possible that Twisted Panda is a part of the same spy ring as Mustang Panda or Stone Panda, aka APT10, another Beijing-sponsored spy group.

Infection chain

As recently as March 23, several Russian research institutes affiliated with the defense industry received malicious emails.

A malicious document was attached to the emails, which carried the subject “List of persons under US sanctions for invading Ukraine” and a link to a fake Russian Health Ministry website, minzdravros[.]com.

An email with the subject “US Spread of Deadly Pathogens in Belarus” was sent to an unknown entity in Minsk, Belarus on the same day.

All of the attached documents are crafted to appear official, bearing the emblems and titles of the Russian Ministry of Health.

Each document downloads an external template from a URL, and the URLs share a similar format. Macro code in this external template imports several API functions from kernel32.

When executed, the exported function R1 finalizes the initialization of the malicious files.

New Spinner backdoor

The main component of the payload is Spinner, a new backdoor that is obfuscated using two methods.

The combination of these two obfuscation methods was previously seen in earlier samples attributed to Stone Panda and Mustang Panda.

The two obfuscation methods are:

  • Control-flow flattening: makes the code flow non-linear.
  • Opaque predicates: cause the binary to perform unneeded calculations.

Spinner is a backdoor used to run additional payloads sent from a command-and-control server.

The Twisted Panda campaign is also in line with China’s five-year plan, which aims to improve its scientific and technological capabilities.

Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
