Cyble – SharpPanda APT Campaign Expands Its Arsenal Targeting G20 Nations

Cyble researchers describe SharpPanda, a China-linked APT, expanding its arsenal with previously undetected loaders and weaponized Office documents to target high-level government officials in G20 nations. The campaign relies on spear-phishing that delivers a Word document using remote template injection, a second-stage RTF built with the RoyalRoad weaponizer that exploits Equation Editor flaws to drop a DLL loader, persistence via a scheduled task created by that loader, and a backdoor capable of data exfiltration and expansive post-compromise actions. #SharpPanda #RoyalRoad

Keypoints

  • SharpPanda APT has intensified operations targeting government officials from G20 countries, building on prior Southeast Asia-focused campaigns.
  • Initial access is achieved via spear-phishing emails delivering weaponized MS Office documents that exploit vulnerabilities and pull in the next-stage payload from a C2 server.
  • The second-stage RTF, built with the RoyalRoad weaponizer, embeds an encrypted payload and shellcode; the shellcode decrypts the payload and drops a DLL loader named “c6gt.b” in %temp%.
  • Persistence is established by creating a scheduled task that runs rundll32.exe daily to call the StartA export of the dropped DLL.
  • The DLL loader collects system information, checks for installed antivirus, RC4-encrypts the data, base64-encodes it, and exfiltrates it as a URL parameter to a C2 URL on an uncommon port (8001).
  • The final payload (backdoor) can capture screenshots, enumerate processes, manage files, and retrieve registry/network data, enabling wide post-compromise capabilities.
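
The exfiltration step described above (RC4 with the reported key, then base64, sent as the Data= parameter of a GET to the C2) can be reversed offline when the beacon shows up in proxy or IDS logs. The following is an added example for this summary, not code from Cyble or from the malware: the key and the RC4-then-base64 order come from the report, the layout of the collected host fields is an assumption, and the sample beacon is constructed here rather than taken from captured traffic.

```python
"""Decode a SharpPanda-style exfil beacon: base64 -> RC4 (key xkYgv127).

Added example; not Cyble's or the malware's own code. The host-info field
layout is assumed, and the sample record below is constructed.
"""
import base64
from urllib.parse import parse_qs, quote, urlsplit

RC4_KEY = b"xkYgv127"                                        # key reported by Cyble
C2_ENDPOINT = "https://13.236.189.80:8001/G0AnyWhere_up.jsp"  # exfil URL from the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). It is a stream XOR, so the same call
    both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_beacon(plaintext: bytes, key: bytes = RC4_KEY) -> str:
    """What the loader would send: RC4 first, then base64."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_beacon(data_param: str, key: bytes = RC4_KEY) -> bytes:
    """Reverse it: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(data_param))


def decode_beacon_url(url: str, key: bytes = RC4_KEY) -> bytes:
    """Pull Data= out of a logged request URL and decode it.

    If the sample sent the base64 without percent-encoding, any '+' in it
    reaches parse_qs as a space, so restore it before decoding.
    """
    data = parse_qs(urlsplit(url).query, keep_blank_values=True)["Data"][0]
    return decode_beacon(data.replace(" ", "+"), key)


# Constructed host-info record; the field order is an assumption, not from the report.
SAMPLE_HOSTINFO = b"WS01|Windows 10 Pro|10.0.19045|jdoe|192.0.2.10|Windows Defender"


def build_sample_url() -> str:
    """A beacon URL built the way the report describes, for the demo below."""
    return f"{C2_ENDPOINT}?Data={quote(encode_beacon(SAMPLE_HOSTINFO), safe='')}"


if __name__ == "__main__":
    url = build_sample_url()
    print(url)
    print(decode_beacon_url(url).decode())
```

Because RC4 is symmetric, the same routine that rebuilds a beacon also decodes one; a useful check before trusting the key is that `rc4(b"Key", b"Plaintext")` yields the published test vector `bbf316e8d940af0ad3`.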

MITRE Techniques

  • [T1566] Spear-phishing Attachment – The infection starts with a spear-phishing email carrying a weaponized MS Office document that poses as a G7 food-security statement, sent to multiple employees of government entities across G20 countries. – “The infection process initiates through a spam email comprising an attached MS Office document named [FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx. These emails, with the subject line [Sending Finalized Text] G7+Partners FASS Meeting, are distributed to multiple employees within government entities across G20 countries.”
  • [T1204] User Execution – The victim must open the attachment; the document then uses remote template injection (ATT&CK T1221, Template Injection) to fetch the next stage from the C2 server. – “The emails contain weaponized versions of seemingly genuine official documents, which employ the remote template injection method to retrieve the next stage of the malware from the TA’s Command-and-Control (C&C) server.”
  • [T1203] Exploitation for Client Execution – The RoyalRoad-built RTF exploits memory-corruption vulnerabilities in the Microsoft Office Equation Editor (EQNEDT32.EXE) to run the embedded shellcode when the file is opened. – “RoyalRoad leverages a specific set of vulnerabilities, including CVE-2018-0802, CVE-2018-0798, and CVE-2017-11882, within the Equation Editor of Microsoft Office.”
  • [T1053] Scheduled Task – The loader creates a persistent scheduled task that runs a DLL export daily. – “creating a scheduled task entry, which executes the export function ‘StartA’ from the DLL ‘c6gt.b’ using rundll32.exe on a daily basis.”
  • [T1497] Virtualization/Sandbox Evasion – The loaders include anti-analysis and anti-debugging checks to frustrate sandboxes and debuggers. – “anti-analysis and anti-debugging techniques into their loaders to avoid being detected.”
  • [T1027] Obfuscated/Compressed Files or Information – The RTF contains an encrypted payload and shellcode. – “The RTF file includes both an encrypted payload and shellcode.”
  • [T1082] System Information Discovery – The loader collects host machine details and security status. – “The loader collects various data from the victim’s computer. This includes the hostname, operating system name, OS version, username, Internet information, as well as the presence of any installed anti-virus software on the machine.”
  • [T1105] Ingress Tool Transfer – The initial payload is downloaded from a remote C2 server. – “Upon opening the document, it initiates the download of a new payload from the attacker’s remote server (hxxp[:]//13[.]236[.]189[.]80:8000/res/translate[.]res), which is RTF file serving as the next-level payload.”
  • [T1065] Uncommonly Used Port (retired in current ATT&CK in favour of T1571, Non-Standard Port) – C2 traffic uses ports 8000 and 8001 rather than 80/443. – “hxxps://13[.]236[.]189[.]80:8001/G0AnyWhere_up[.]jsp?Data=[redacted]”
  • [T1071] Application Layer Protocol – The encoded data is exfiltrated over HTTPS (T1071.001, Web Protocols) as a GET parameter to the C2. – “The encrypted data is then exfiltrated using the below C&C URL: hxxps://13[.]236[.]189[.]80:8001/G0AnyWhere_up[.]jsp?Data=[redacted]”
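
The T1053 entry above gives a concrete hunting target: a scheduled task whose action is rundll32.exe loading a file from %temp% that does not even carry a .dll extension (c6gt.b) and calling a named export (StartA). The following is an added example for this summary, not Cyble's tooling: it parses the CSV that `schtasks /query /fo CSV /v` prints on Windows and flags rundll32 tasks whose target lives in a temp directory, lacks a .dll extension, or matches the reported names. It generalises slightly beyond the report by catching any temp-resident or oddly named rundll32 target, not only c6gt.b. The rows below are constructed for the example and trimmed to the columns the check uses.

```python
"""Hunt schtasks CSV output for rundll32-based persistence like the one
reported (rundll32.exe %temp%\\c6gt.b,StartA, daily).

Added example; not Cyble's tooling. Sample rows are constructed and trimmed
to the columns the check needs.
"""
import csv
import io
import re
from typing import Dict, List

# schtasks verbose CSV can repeat its header before task groups; the second
# header line in this constructed sample stands in for that.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g -$","Weekly","SYSTEM"
"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WS01","\UpdateCheck","rundll32.exe C:\Users\jdoe\AppData\Local\Temp\c6gt.b,StartA","Daily","WS01\jdoe"
"WS01","\Office Telemetry","rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL","Daily","WS01\jdoe"
'''

# rundll32 <dll>,<export>; path and .exe optional, quotes optional
RUNDLL32_CMD = re.compile(
    r'(?:^|\\)rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
TEMP_DIR = re.compile(r'\\(?:temp|tmp)\\|%temp%|%tmp%', re.I)

IOC_DLL_NAME = "c6gt.b"   # dropped loader name from the report
IOC_EXPORT = "StartA"     # export the task calls, from the report


def analyse_task_command(command: str) -> List[str]:
    """Return the reasons a 'Task To Run' value looks like the reported
    persistence; an empty list means nothing here is suspicious."""
    m = RUNDLL32_CMD.search(command)
    if not m:
        return []
    dll, export = m.group("dll").strip(), m.group("export")
    basename = dll.replace("/", "\\").rsplit("\\", 1)[-1]
    reasons = []
    if TEMP_DIR.search(dll):
        reasons.append("rundll32 target lives under a temp directory")
    if not basename.lower().endswith(".dll"):
        reasons.append(f"rundll32 target has a non-.dll name: {basename}")
    if basename.lower() == IOC_DLL_NAME or export == IOC_EXPORT:
        reasons.append(f"matches reported IOC {basename},{export}")
    return reasons


def hunt_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Parse schtasks CSV text and return the tasks worth a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("TaskName") == "TaskName":      # repeated header row
            continue
        command = row.get("Task To Run", "")
        reasons = analyse_task_command(command)
        if reasons:
            findings.append({
                "task": row["TaskName"],
                "command": command,
                "schedule": row.get("Schedule Type", ""),
                "user": row.get("Run As User", ""),
                "reasons": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    # On a live host: schtasks /query /fo CSV /v > tasks.csv, then feed the file's text in.
    for f in hunt_schtasks_csv(SAMPLE_SCHTASKS_CSV):
        print(f"{f['task']} ({f['schedule']}, {f['user']}): {f['command']}")
        print(f"  -> {f['reasons']}")
```

The legitimate shell32.dll task is left alone because it is a properly named DLL under System32; the temp-directory and extension checks are what make the rule useful after the actor renames the loader, while the IOC match keeps the reported names as a high-confidence hit.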

Indicators of Compromise

  • [MD5] f39442edc4a96ce729e50f66901263e1, [SHA1] 734b1cd163937e9509ea616f5f7ff8870f7be8e5, and 1 more hash
  • [MD5] ea889308acb4249af92807cc7d70f084, [SHA1] 92c8f9ea9b6555e1b9c42cd7302f7caf62eb83e6
  • [SHA256] 57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b
  • [URL] hxxp[:]//13[.]236[.]189[.]80:8000/res/translate[.]res (second-stage RTF download), hxxps://13[.]236[.]189[.]80:8001/G0AnyWhere_up[.]jsp (exfiltration endpoint)
  • [IP:Port] 13.236.189.80:8000, 13.236.189.80:8001
  • [File Name] [FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx, c6gt.b, Downloader.dll
  • [Threat Actor/Group] SharpPanda
  • [Other] DLL loader named c6gt.b with export StartA, run via rundll32.exe from a daily scheduled task; exfiltrated data RC4-encrypted with key xkYgv127, then Base64-encoded

Read more: https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/