Sharp Panda Expands Cyber Espionage Reach to African and Caribbean Governments

May 23, 2024

The Chinese cyber espionage group known as Sharp Panda has broadened its targeting to include governmental organizations in Africa and the Caribbean, according to a report by the Israeli cybersecurity firm Check Point. The group's refined approach, which includes the use of Cobalt Strike Beacon as the payload, suggests a deeper understanding of their targets.

Sharp Panda first caught attention in June 2021 when it was found to be targeting a Southeast Asian government with a backdoor on Windows systems called VictoryDLL. Since then, the group, now tracked as Sharp Dragon by Check Point, has targeted high-profile government entities in Southeast Asia to deliver the Soul modular malware framework. This framework is used to receive additional components from an actor-controlled server for information gathering. The Soul backdoor appears to have been in development since October 2017, and borrows features from Gh0st RAT, a malware associated with various Chinese threat actors.

Sharp Dragon has also targeted high-level government officials from G20 nations as recently as June 2023, indicating a continued focus on governmental bodies. The group exploits 1-day security flaws, such as CVE-2023-0669, to infiltrate infrastructure for later use as command-and-control servers. The group also utilizes the legitimate adversary simulation framework Cobalt Strike over custom backdoors, which minimizes the exposure of their custom tools.

The latest attacks aimed at governments in Africa and the Caribbean demonstrate an expansion of Sharp Panda's original attack goals. The group uses compromised high-profile email accounts in Southeast Asia to send out phishing emails to new targets in these regions. These emails contain malicious attachments that use the Royal Road Rich Text Format weaponizer to drop a downloader named 5.t, which conducts reconnaissance and launches Cobalt Strike.

The shift in Sharp Dragon's activities towards Africa is part of larger efforts by China to extend its influence on the continent. These attacks align with China's broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies.

China also uses proxy networks, known as operational relay box networks (ORBs), to obscure the origin of its espionage operations. These networks allow China-nexus actors to achieve higher success rates in gaining and maintaining access to high-value networks. Networks like ORB3 (aka SPACEHOP) have been used by multiple China-nexus threat actors, including APT5 and APT15, while another network named FLORAHOX has been used by APT31.
