Sharp Dragon has expanded its operations from Southeast Asia into Africa and the Caribbean, targeting government entities and using trusted government contacts to establish footholds. The group increasingly relies on Cobalt Strike Beacon, broadens reconnaissance, and leverages compromised infrastructure as C2 while refining its phishing lures and infection chains. Hashtags: #SharpDragon #SharpPanda #RoyalRoad #CobaltStrike #VictoryDLL #SoulSearcher #GoAnywhere #CVE-2023-0669 #Africa #Caribbean #SoutheastAsia
Keypoints
- Sharp Dragon expands its target geography from Southeast Asia to Africa and the Caribbean, focusing on governmental entities.
- The group continues to use highly tailored lures: phishing Word documents sent from compromised government email accounts, each pulling a remote template weaponized with RoyalRoad.
- There is a strategic shift to use Cobalt Strike Beacon as the payload, reducing exposure of custom tooling while enabling backdoor access and C2.
- Reconnaissance is expanding, with the 5.t downloader examining processes and folders to select high-value victims.
- They exploit public-facing vulnerabilities (notably CVE-2023-0669 in GoAnywhere) to compromise infrastructure later used as C2 servers.
- Infection chains are evolving to leverage compromised infrastructure as C2 and new delivery methods, including executables disguised as documents and scheduled tasks for persistence.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Use of compromised government accounts to spread a phishing word document that leverages a remote template weaponized using RoyalRoad. Quote: ‘compromising a high-profile email account to spread a phishing word document that leverages a remote template weaponized using RoyalRoad.’
- [T1190] Exploit Public-Facing Application – Exploitation of the GoAnywhere CVE-2023-0669 vulnerability to enable pre-authentication command injection. Quote: ‘exploited the CVE-2023-0669 vulnerability, which is a flaw in the GoAnywhere platform allowing for pre-authentication command injection.’
- [T1105] Ingress Tool Transfer – The 5.t downloader retrieves Cobalt Strike Beacon as its payload. Quote: ‘Presently, we are witnessing the use of Cobalt Strike Beacon as the payload of the 5.t downloader.’
- [T1071.001] Web Protocols – C2 communication and command execution over web infrastructure used by Cobalt Strike. Quote: ‘C2 communication and command execution’.
- [T1036] Masquerading – Executables disguised as documents to masquerade infection stages. Quote: ‘executables disguised as documents.’
- [T1053.005] Scheduled Task/Job – Persistence via scheduled task creation. Quote: ‘creating a scheduled task for persistence.’
- [T1057] Process Discovery – Wider recon includes examining process lists. Quote: ‘examining process lists and enumerating folders.’
- [T1083] File and Directory Discovery – Enumerating folders as part of broader reconnaissance. Quote: ‘enumerating folders.’
Indicators of Compromise
- [IP] Target network infrastructure / C2 servers – 103.146.78.152, 185.239.226.91
- [IP] Additional C2 candidate hosts – 38.54.96.97, 38.54.50.182
- [IP] Additional C2 candidate hosts – 45.76.193.171, 45.251.241.12
- [IP] GoAnywhere-related infrastructure references – 103.56.17.192
- [Domain] Command and control domains – schemas.openxmlformats.shop, dueog.xyz
- [URL] C2 web endpoints – http://13.236.189.80:8000/res/translate.res, https://13.236.189.80:8001/G0AnyWhere_up.jsp?Data=
- [URL] C2 web endpoints – http://52.236.140.86:8000/res/translation.res, https://52.236.140.86:8001/G0AnyWhere_up.jsp?Data=
- [Hash] Archives (SHA-1, SHA-256) – da78602c2a4490d445706f8f111daba9519fece8, 6783545b9fa8dd14890644c166a35f3cee78329f9522c6ee53149698e5889695
- [Hash] Docx (SHA-256) – 57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b, 2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816
- [Hash] RTF (SHA-256) – 180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69, c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151
- [Hash] 5.t loader DLL (SHA-256) – 21f173a347ed111ce67e4c0f2c0bd4ee34bb7ca765da03635ca5c0df394cd7e6, 7575ebdd90aa0ab66c4eeaecd628c475e406ac9bcc54de5e01a3d372a050aec7
- [Hash] 5.t loader EXE (SHA-256) – 20a4256443957fbae69c7c666ae025522533b849e01680287177110603a83a41, 1c2a10f282f1a24d88c74d8d324fb59b172cee4ee2e3e3996d9a62ba979812a6
- [Hash] New EXE loader (SHA-256) – 8e72c9517b0220f8ed6973cfc36f478fc7837fe536c5859554661bc1e7ee4254, 59a9d10eba81d62337f38d8f72a15f283e1f4bc9daa99fe0c08f780f3e4da839
- [Hash] Cobalt Strike (SHA-256) – 04f7ae8042e0ed457dd6b86d6e8a40bd361357724b38d3aac7358f5e643299c6, 2c7e52eb8290d76780b6ac15a134b58a74c95bc616fd0d91a3f9514409a12846
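Checking logs against the indicators above, as an added example that is not part of the Check Point report. The indicator values are the ones listed on this page; the log lines are constructed for illustration. Two details matter in practice: indicators pasted from reports are often defanged (hxxp, [.]) and must be refanged before matching, and the G0AnyWhere_up.jsp?Data= entries are URL prefixes, so they are matched with startswith rather than equality.

```python
"""Added example: match proxy, DNS and EDR log lines against this page's IOCs.

Not Check Point's code. Indicators are copied from the page; the log lines
in SAMPLE_LOGS are constructed.
"""
import re
from typing import Dict, List, Tuple

IOC_IPS = {
    "103.146.78.152", "185.239.226.91", "38.54.96.97", "38.54.50.182",
    "45.76.193.171", "45.251.241.12", "103.56.17.192",
}
IOC_DOMAINS = {"schemas.openxmlformats.shop", "dueog.xyz"}
IOC_URL_PREFIXES = {
    "http://13.236.189.80:8000/res/translate.res",
    "https://13.236.189.80:8001/G0AnyWhere_up.jsp?Data=",
    "http://52.236.140.86:8000/res/translation.res",
    "https://52.236.140.86:8001/G0AnyWhere_up.jsp?Data=",
}
IOC_HASHES = {h.lower() for h in (
    "da78602c2a4490d445706f8f111daba9519fece8",
    "6783545b9fa8dd14890644c166a35f3cee78329f9522c6ee53149698e5889695",
    "57b64a1ef1b04819ca9473e1bb74e1cf4be76b89b144e030dc1ef48f446ff95b",
    "2faf9615227728b2e7b9cfc548d4210452adc08b3ec500c1b46f2e04fa165816",
    "180f5a0f9210698b54dcafb9a230b12e3eaf199889e5377a2acb7124c2d48d69",
    "c1e403dd787f197f928960c723866424e343789a0422dbe8c98ed2214500d151",
    "21f173a347ed111ce67e4c0f2c0bd4ee34bb7ca765da03635ca5c0df394cd7e6",
    "7575ebdd90aa0ab66c4eeaecd628c475e406ac9bcc54de5e01a3d372a050aec7",
    "20a4256443957fbae69c7c666ae025522533b849e01680287177110603a83a41",
    "1c2a10f282f1a24d88c74d8d324fb59b172cee4ee2e3e3996d9a62ba979812a6",
    "8e72c9517b0220f8ed6973cfc36f478fc7837fe536c5859554661bc1e7ee4254",
    "59a9d10eba81d62337f38d8f72a15f283e1f4bc9daa99fe0c08f780f3e4da839",
    "04f7ae8042e0ed457dd6b86d6e8a40bd361357724b38d3aac7358f5e643299c6",
    "2c7e52eb8290d76780b6ac15a134b58a74c95bc616fd0d91a3f9514409a12846",
)}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{40}\b|\b[0-9a-f]{64}\b", re.I)


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicators match real traffic."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    for defanged, plain in (("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(defanged, plain)
    return text


def match_line(line: str) -> List[Tuple[str, str]]:
    """Return sorted (indicator type, indicator) pairs found in one log line."""
    text = refang(line)
    hits = set()
    for url in URL_RE.findall(text):
        for prefix in IOC_URL_PREFIXES:
            if url.lower().startswith(prefix.lower()):  # URLs are prefixes
                hits.add(("url", prefix))
    for ip in IP_RE.findall(text):
        if ip in IOC_IPS:
            hits.add(("ip", ip))
    for host in HOST_RE.findall(text):
        host = host.lower()
        for domain in IOC_DOMAINS:  # exact match or a subdomain of the indicator
            if host == domain or host.endswith("." + domain):
                hits.add(("domain", domain))
    for digest in HASH_RE.findall(text):
        if digest.lower() in IOC_HASHES:
            hits.add(("hash", digest.lower()))
    return sorted(hits)


def scan_logs(lines: List[str]) -> Dict[int, List[Tuple[str, str]]]:
    """Map line index to its hits, for lines that matched at least one indicator."""
    return {i: hits for i, line in enumerate(lines) if (hits := match_line(line))}


# Constructed log lines: a defanged proxy entry, a DNS answer, an EDR process
# event, and a benign request to the legitimate OOXML namespace host.
SAMPLE_LOGS = [
    "2024-05-20T10:01:02Z proxy user=jdoe url=hxxps://13[.]236[.]189[.]80:8001/G0AnyWhere_up.jsp?Data=SGVsbG8= status=200",
    "2024-05-20T10:03:11Z dns query=dueog.xyz type=A answer=45.76.193.171",
    "2024-05-20T10:05:45Z edr event=process_create image=C:\\Users\\Public\\report.exe sha256=8e72c9517b0220f8ed6973cfc36f478fc7837fe536c5859554661bc1e7ee4254",
    "2024-05-20T10:07:00Z proxy user=asmith url=https://schemas.openxmlformats.org/package/2006/relationships status=404",
]

if __name__ == "__main__":
    for index, hits in scan_logs(SAMPLE_LOGS).items():
        print(index, hits)
```

The last sample line is there deliberately: schemas.openxmlformats.org appears in the relationship parts of every Office document, so a naive substring match on "openxmlformats" would drown the real schemas.openxmlformats.shop hits in noise.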
Read more: https://research.checkpoint.com/2024/sharp-dragon-expands-towards-africa-and-the-caribbean/