At least two research organizations in Russia and a third likely target in Belarus were on the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT).
The cyberattacks, dubbed "Twisted Panda," took place against the backdrop of Russia's military invasion of Ukraine, which has prompted a wide range of threat actors to quickly adapt their techniques to the ongoing turmoil in order to distribute malware and carry out opportunistic attacks.
These have taken the form of social engineering tactics, with war- and sanctions-themed lures designed to entice potential victims into clicking malicious links or opening weaponized documents.
Check Point, the Israeli cybersecurity firm that disclosed details of the latest intelligence-gathering operation, attributed it to a Chinese threat actor with ties to Stone Panda (aka APT10, Cicada, or Potassium) and Mustang Panda (aka Bronze President, HoneyMyte, or RedDelta).
Calling it a continuation of "a long-running espionage campaign against Russian-related entities that has been in operation since at least June 2021," the firm said the most recent traces of the activity were observed as recently as April 2022.
Targets included two defense research institutes belonging to the Russian state-owned defense conglomerate Rostec Corporation and an unknown entity located in the Belarusian city of Minsk.
The phishing attacks began with emails containing a link that masquerades as the Health Ministry of Russia but in reality points to an attacker-controlled domain, along with a decoy Microsoft Word document designed to trigger the infection and drop a loader.
Besides establishing persistence through a scheduled task, the 32-bit DLL ("cmpbk32.dll") is also responsible for launching a second-stage multi-layered loader, which is then unpacked to run the final payload in memory.
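The scheduled-task persistence and the loader file name above give a defender something concrete to hunt for. The following Python script is an added example, not code from Check Point or from the report; it parses constructed Task Scheduler XML exports (the same shape `Export-ScheduledTask` produces) and flags tasks that load a DLL via rundll32/regsvr32 from outside the Windows system directories, or that reference the reported loader name cmpbk32.dll from a non-system path. Task names and paths in the samples are invented.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
WATCHLIST = {"cmpbk32.dll"}  # loader file name reported in the article
DLL_RE = re.compile(r'"?([^"\s]+\.dll)"?', re.IGNORECASE)


def task_xml(name, command, args):
    """Build a minimal Task Scheduler export (constructed sample, not a real capture)."""
    return f'''<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>{name}</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec>
  </Actions>
</Task>'''


# Constructed samples: a legitimate system DLL, a look-alike dropped in a user-writable
# path, a task with no DLL at all, and an unrelated DLL loaded from a profile directory.
SAMPLE_TASKS = [
    task_xml(r"\Microsoft\Windows\Ras\MobilityManager", "rundll32.exe",
             r"C:\Windows\System32\cmpbk32.dll,Init"),
    task_xml(r"\Updates\OneDriveSync", "rundll32.exe",
             r"C:\Users\Public\Libraries\cmpbk32.dll,Init"),
    task_xml(r"\Maintenance\Cleanup", r"C:\Windows\System32\cleanmgr.exe", "/autoclean"),
    task_xml(r"\Updates\AdobeCheck", r"C:\Windows\System32\rundll32.exe",
             r"C:\Users\alice\AppData\Roaming\upd.dll,Start"),
]


def analyze_task(xml_text):
    """Return (task_uri, dll_path, reason) findings for one exported task."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    findings = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        m = DLL_RE.search(args)
        if not m:
            continue  # no DLL argument; nothing to assess here
        dll = m.group(1)
        base = dll.rsplit("\\", 1)[-1].lower()
        in_system = dll.lower().startswith(SYSTEM_DIRS)
        if base in WATCHLIST and not in_system:
            findings.append((uri, dll, "watchlisted loader name outside system directory"))
        elif cmd.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "regsvr32.exe") and not in_system:
            findings.append((uri, dll, "rundll32/regsvr32 loading DLL outside system directory"))
    return findings


def hunt(tasks=SAMPLE_TASKS):
    """Run analyze_task over every export and collect the findings."""
    return [f for xml_text in tasks for f in analyze_task(xml_text)]
```

Running `hunt()` against the samples flags only the two tasks that load a DLL from a user-writable path; the genuine System32 copy of cmpbk32.dll is left alone.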
The injected payload, Spinner, a previously undocumented backdoor, makes use of techniques including control flow flattening to hide the program flow, a method previously observed in use by both Stone Panda and Mustang Panda in their attacks.
"These tools have been in development since at least March 2021 and employ advanced evasion and anti-analysis techniques such as multi-layer in-memory loaders and compiler-level obfuscations," according to Check Point.
Despite its sophisticated code, Spinner is a barebones implant that can only enumerate infected hosts and run additional payloads downloaded from a remote server.
Based on the compilation timestamps of the executables, Check Point also uncovered an earlier variant of the backdoor that is distributed in a similar fashion, indicating that the campaign has been active since June 2021.
However, while the older version lacks the anti-reverse engineering techniques, it compensates by offering additional capabilities not found in Spinner, such as the ability to enumerate and manipulate files, exfiltrate sensitive data, and run operating system commands and arbitrary downloaded payloads.