
The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor designed for information-gathering purposes.
Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it acts as a first-stage payload capable of “basic machine enumeration and command execution via PowerShell and Goroutines.”
While the malware lacks sophistication, it makes up for this by establishing redundant methods for maintaining access to compromised hosts: multiple persistence tasks and different methods of communicating with various servers.
Camaro Dragon overlaps with a threat actor widely tracked as Mustang Panda, a Chinese state-sponsored group known to have been active since at least 2012.
This threat actor recently gained prominence with a custom firmware implant dubbed Horse Shell that turns TP-Link routers into a mesh network capable of sending and receiving commands to and from command-and-control (C2) servers.
In other words, the goal is to hide malicious activity by using compromised home routers as intermediary infrastructure, so that communication with infected computers appears to originate from another node.
The latest findings show that the attackers’ evasion tactics and targeting have evolved and become more sophisticated, not to mention the mix of custom tools used to breach the defenses of various targets.
The TinyNote backdoor is distributed using diplomacy-themed file names (e.g. “PDF_ Invited diplomatic contact list”) and may target embassies in Southeast Asia and East Asia. It is also the first known Mustang Panda artifact written in Golang.
A notable aspect of this malware is its ability to specifically bypass an Indonesian antivirus solution called Smadav, highlighting the attackers’ high level of preparation and deep knowledge of the victim’s environment.
“The TinyNote backdoor highlights Camaro Dragon’s targeted approach and the extensive research they perform before compromising their intended victims’ systems,” Check Point said.
“The use of this backdoor alongside other tools with varying levels of technological advancement means that attackers are actively diversifying their attack vectors.”
The disclosure comes in the wake of ThreatMon’s exposure of APT41 (aka Wicked Panda) using a living-off-the-land (LotL) technique to launch PowerShell backdoors via a legitimate Windows executable called forfiles.
That’s not all. According to Cyble, government officials from G20 countries have emerged as targets of a new phishing campaign run by another Chinese threat actor called Sharp Panda.
The emails contain a booby-trapped version of what purports to be an official document and use a remote template injection technique to retrieve a next-stage downloader from a C2 server, built with the Royal Road Rich Text Format (RTF) weaponizer.
It is worth pointing out that the aforementioned infection chain is consistent with previous Sharp Panda activity, as documented by Check Point in a recent attack targeting a government entity in Southeast Asia.
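Remote template injection works by pointing a document’s attached-template relationship at an external URL, which the Office client fetches on open. The following defender-side check, an added example that is not from the article, Check Point or Cyble, inspects an OOXML container for such an external template reference; the sample document and the placeholder URL are constructed here, and the part layout assumed is the standard `word/_rels/settings.xml.rels` location.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# OOXML relationship type that Word uses for the attached template (settings.xml)
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
RELS_PART = "word/_rels/settings.xml.rels"  # assumed standard part location


def external_templates(docx_bytes):
    """Return the external template targets referenced by a .docx (empty if none).

    A normal document has no attachedTemplate relationship with TargetMode="External";
    a remote-template lure points this relationship at an attacker-controlled host.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return hits
        root = ET.fromstring(z.read(RELS_PART))
        for rel in root.iter(REL_NS + "Relationship"):
            if rel.get("Type") == TEMPLATE_REL and rel.get("TargetMode") == "External":
                hits.append(rel.get("Target"))
    return hits


def pack_docx(parts):
    """Pack a dict of part-name -> content into a zip container (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a benign document and one carrying an external template link.
BENIGN = pack_docx({"[Content_Types].xml": "<Types/>", "word/document.xml": "<document/>"})
SUSPICIOUS = pack_docx({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<document/>",
    RELS_PART: (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
        'Target="http://placeholder.invalid/template.dotm" TargetMode="External"/>'
        '</Relationships>'),
})

if __name__ == "__main__":
    print("benign:", external_templates(BENIGN))        # prints []
    print("suspicious:", external_templates(SUSPICIOUS))  # prints the placeholder URL
```

Any non-empty result is worth triaging at the mail gateway or in an EDR file scan, since legitimate documents rarely reference templates over HTTP.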
Additionally, the Chinese People’s Liberation Army (PLA) has been found to utilize open source information available from the Internet and other sources for military intelligence purposes, in order to gain a strategic advantage over Western powers.
“The use of OSINT by the PLA is critical for intelligence because the open information environment in the West allows the PLA to easily collect large amounts of open source data, while the Western military must contend with China’s closed information environment. It’s very likely to give us an edge in the world,” Recorded Future noted.
The analysis is based on a list of 50 PLA and Chinese defense industry procurement records published between January 2019 and January 2023.
“Commercial data providers are also aware that China’s military and defense industries may be purchasing data for intelligence purposes, and should consider conducting due diligence when selling data to Chinese companies,” the company said.