Check Point Research has identified an ongoing cyber espionage campaign by the Chinese threat actor Sharp Dragon (formerly Sharp Panda). This campaign now targets governmental organisations in Africa and the Caribbean, using highly tailored phishing emails and advanced tools like Cobalt Strike Beacon, replacing their previous custom malware. This reflects a previously reported trend for cybercriminals to target less cyber-mature countries before executing attacks against the West.
Sharp Dragon exploits 1-day vulnerabilities and compromised servers for Command and Control (C2) operations, demonstrating refined tactics and increased operational security. By leveraging trusted government entities to infect new targets, the group enhances its infiltration capabilities. This strategic shift underscores a broader effort by Chinese cyber actors to extend their influence in historically overlooked regions.
Check Point Research (CPR) has seen an ongoing cyber espionage campaign focuses on targeting governmental organisations in Africa and the Caribbean. Attributed to a Chinese threat actor Sharp Dragon (formerly Sharp Panda), the campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimising the exposure of their custom tools. This refined approach suggests a deeper understanding of their targets.
Key Findings
- Sharp Dragon’s (formerly referred to as Sharp Panda) operations continues, expanding their focus now to new regions - Africa and the Caribbean.
- Sharp Dragon utilises trusted government entities to infect new ones and establish initial footholds in new territories.
- The threat actors demonstrate increased caution in selecting their targets, broadening their reconnaissance efforts, and adopting Cobalt Strike Beacon over custom backdoors.
- Throughout their operation, Sharp Dragon exploited 1-day vulnerabilities to compromise infrastructure later used as Command and Control (C2) infrastructure.
Since 2021, Check Point Research has closely monitored the activities of Sharp Dragon, a Chinese threat actor formerly known as Sharp Panda. Their historical tactics primarily involve highly-targeted phishing emails, which have previously resulted in the deployment of malware such of VictoryDLL or the Soul framework. However, a significant shift has been observed in recent months. Sharp Dragon redirected its focus towards governmental organisations in Africa and the Caribbean, demonstrating a clear expansion of their operations beyond their original scope. These activities are consistent with Sharp Dragon's established modus operandi, characterised by the compromise of high-profile email accounts to disseminate phishing documents leveraging a remote template weaponised using RoyalRoad. However, unlike previous tactics, these lures now deploy Cobalt Strike Beacon, indicating a strategic adaptation to enhance their infiltration capabilities.
Infection Chain
First, the threat actors leverage highly tailored phishing emails, often disguised as legitimate correspondence, to entice victims into opening malicious attachments or clicking on malicious links. These attachments or links execute payloads, which have evolved over time from custom malware like VictoryDLL and the Soul framework to more widely used tools such as Cobalt Strike Beacon. Upon successful execution, the malware establishes a foothold on the victim's system, allowing the threat actors to conduct reconnaissance and gather information about the target environment. This reconnaissance phase enables Sharp Dragon to identify high-value targets and tailor their attack strategies accordingly.
Figure 2 : Infection Chain Example
This infection chain highlights Sharp Dragon's sophisticated approach to cyber operations, emphasising careful planning, reconnaissance, and exploitation of vulnerabilities to achieve their objectives while minimising detection.
Tactics, Techniques, and Procedures
While the core functionality remains consistent, CPR has identified changes in their Tactics, Techniques, and Procedures (TTPs). Those changes reflect a more careful target selection and operational security (OPSEC) awareness. Some changes include:
- Wider Recon Collection: The 5.t downloader now conducts more thorough reconnaissance on target systems, this includes examining process lists and enumerating folders, leading to a more discerning selection of potential victims.
- Cobalt Strike Payload: Sharp Dragon has transitioned from using VictoryDll and the SoulSearcher framework to adopting Cobalt Strike Beacon as the payload for the 5.t downloader, providing backdoor functionalities while minimising exposure of custom tools, suggesting a refined approach to target assessment and minimising exposure.
- EXE Loaders: Recent observations indicate a notable change in 5.t downloaders, with some latest samples incorporating EXE-based loaders instead of the typical DLL-based ones, highlighting the dynamic evolution of their strategies. Additionally, Sharp Dragon has introduced a new executable, shifting from the previous Word document-based infection chain to executables disguised as documents, closely resembling the prior method while enhancing persistence through scheduled tasks.
- Compromised Infrastructure: Sharp Dragon shifts from dedicated servers to using compromised servers as Command and Control (C&C) servers, specifically using CVE-2023-0669 vulnerability, which is a flaw in the GoAnywhere platform allowing for pre-authentication command injection
Conclusion
Sharp Dragon’s strategic expansion towards Africa and the Caribbean signifies a broader effort by Chinese cyber actors to enhance their presence and influence in these regions. The evolving tactics of Sharp Dragon underscore the dynamic nature of cyber threats, especially towards regions that have been historically overlooked.