{"id":1125462,"date":"2024-05-29T02:09:53","date_gmt":"2024-05-29T06:09:53","guid":{"rendered":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/uncategorized\/sharp-dragon-expands-towards-africa-and-the-caribbean-check-point-research-check-point-research\/"},"modified":"2024-05-29T02:09:53","modified_gmt":"2024-05-29T06:09:53","slug":"sharp-dragon-expands-towards-africa-and-the-caribbean-check-point-research-check-point-research","status":"publish","type":"post","link":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/caribbean\/sharp-dragon-expands-towards-africa-and-the-caribbean-check-point-research-check-point-research\/","title":{"rendered":"Sharp Dragon Expands Towards Africa and The Caribbean &#8211; Check Point Research &#8211; Check Point Research"},"content":{"rendered":"<p><p>Key Findings    <\/p>\n<p>    Since 2021, Check Point Research has been closely monitoring the activities of Sharp Dragon (formerly referred to as Sharp Panda*), a Chinese threat actor. Historical activities mostly consist of highly targeted phishing emails, previously leading to the deployment of VictoryDLL or the Soul framework.  <\/p>\n<p>    While the final payloads Sharp Dragon operators have deployed have changed over time, their modus operandi has been persistent, and even more so their targets, which remained within the confines of South-East Asia during the years we were tracking them, until recently.  <\/p>\n<p>    In recent months, we have observed a significant shift in Sharp Dragon's activities and lures, now targeting governmental organizations in Africa and the Caribbean. Those activities very much align with the known Sharp Dragon modus operandi and were characterized by compromising a high-profile email account to spread a phishing Word document that loads a remote template weaponized with RoyalRoad. Unlike previous activities, those lures were used to deploy Cobalt Strike Beacon.  
<\/p>\n<p>    * As part of an ongoing effort to avoid confusion with other vendors' naming conventions, the name was changed.  <\/p>\n<p>    Starting November 2023, we observed Sharp Dragon's increased interest in governmental entities in Africa and the Caribbean. This interest manifested itself in the direct targeting of government organizations within the two regions, carried out from previously compromised entities in South-East Asia. Using highly tailored lures dealing with relations between countries in South-East Asia and the two regions, Sharp Dragon's operators established their first footholds in two new territories.  <\/p>\n<p>    The first identified phishing attack targeting Africa was sent from Country A (South-East Asia) to Country B (Africa) in November 2023, using a lure about industrial relations between countries in South-East Asia and Africa. The document is very thorough, and its contents were likely taken from authentic correspondence between the two countries.  <\/p>\n<p>    Figure 2: Lure document targeting Country B in Africa  <\/p>\n<p>    Following those lures, we also observed direct targeting within Africa in January 2024, originating from Country B, which had been targeted in November; this likely indicates that some of the phishing attacks were successful.  <\/p>\n<p>    Sharp Dragon's interest in Africa does not occur in a vacuum: we have lately observed a set of Chinese-affiliated threat actors targeting the region. This correlates with observations made by other vendors, who report sustained tasking toward targets in the region. It appears that Sharp Dragon's activities are part of a larger effort carried out by Chinese threat actors.  
<\/p>\n<p>    In a similar manner to Africa, Sharp Dragon's operators used their previous access to compromised governmental entities in South-East Asia (Country A) to target governmental organizations in Country C, which is in the Caribbean. The first set of identified malicious documents sent from the compromised network went out in December 2023 and used a Caribbean Commonwealth meeting lure named 'Caribbean Clerks Programme'. This lure was sent to the Foreign Affairs ministry of Country C.  <\/p>\n<p>    Figure 3: Caribbean-themed lure sent to a Southeast Asian government.  <\/p>\n<p>    Not long afterwards, in January 2024, much as in Africa, Country C's compromised governmental email infrastructure was used to send a large-scale phishing campaign targeting a wide set of governments in the Caribbean, this time using a legitimate-looking survey about the opioid threat in the Eastern Caribbean as the lure.  <\/p>\n<p>    In our ongoing efforts to track Sharp Dragon's activities, we have identified various minor changes in their Tactics, Techniques, and Procedures (TTPs), while the core functionality remains consistent. Those changes reflect more careful target selection and greater operational security (OPSEC) awareness. Among those changes are:  <\/p>\n<p>    The 5.t downloader now conducts more thorough reconnaissance on target systems, including examining process lists and enumerating folders, leading to a more discerning selection of potential victims.  <\/p>\n<p>    Additionally, we observed a change in the delivered payload: if the machine is deemed attractive by the attackers, a payload is sent. When Check Point Research first exposed this operation in 2021, the payload was VictoryDLL, a custom and unique malware enabling remote access and data collection from infected devices. 
Subsequently, as we continued tracking Sharp Dragon's operations, we observed the adoption of the SoulSearcher framework.  <\/p>\n<p>    Presently, we are witnessing the use of Cobalt Strike Beacon as the payload of the 5.t downloader. This choice provides backdoor functionality, such as C2 communication and command execution, without the risk of exposing their custom tools. However, we assume that the Cobalt Strike Beacon serves as their primary tool for assessing the attacked environment, while their custom tools come into play at a later stage, which we have yet to witness. This refined approach indicates a deeper understanding of their targets and a desire to minimize exposure, likely resulting from public disclosures of their activities.  <\/p>\n<p>    Cobalt Strike configuration (shown as a figure in the original post)  <\/p>\n<p>    Another notable change is observed in the 5.t downloaders: some of the latest samples deviate from the usual DLL-based loaders, incorporating EXE-based 5.t loader samples. While not all the latest samples have shifted to EXEs, this change underscores the dynamic nature of their evolving strategies.  <\/p>\n<p>    Recently, Sharp Dragon has also introduced another executable, altering the initial phase of the infection chain. Instead of relying on a Word document that uses a remote template to download an RTF file weaponized with RoyalRoad, they started using executables disguised as documents. This new method closely resembles the previous infection chain: the executable writes the 5.t DLL loader to disk and executes it, while also creating a scheduled task for persistence.  <\/p>\n<p>    Sharp Dragon not only used compromised government infrastructure to target other governments but also shifted from dedicated servers to compromised servers as C&C servers. 
During a campaign conducted in May 2023, our team observed that certain servers used by Sharp Dragon as C2 were likely legitimate servers that had been compromised. Our suspicion is that Sharp Dragon exploited CVE-2023-0669, a pre-authentication command injection flaw in the GoAnywhere MFT platform that was disclosed shortly before the incidents occurred.  <\/p>\n<p>    The data collected from the affected machine was subsequently sent to the following address: https:\/\/<C2_address>:<port>\/G0AnyWhere_up.jsp?Data= (note the digit zero in place of the letter o). This address masquerades as belonging to GoAnywhere, a file transfer product, which fits the suspected use of compromised GoAnywhere servers as C2.  <\/p>\n<p>    This research highlights Sharp Dragon's strategic shift towards Africa and the Caribbean, suggesting it is part of a broader effort carried out by Chinese cyber actors to enhance their presence and influence in these two regions. This move comes after a considerable period of activity in South-East Asia, which Sharp Dragon's operators leveraged to establish initial footholds in countries in Africa and the Caribbean.  <\/p>\n<p>    These changes in Sharp Dragon's tactics, showing more careful selection of targets and the use of publicly and readily available tools, are an indication of a refined approach by this threat actor to targeting high-profile organizations. These findings draw attention to the evolving nature of Chinese threat actors, especially towards regions that have been somewhat overlooked in global cybersecurity and by the threat intelligence community.  <\/p>\n<p>    
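Because the C2 hosts themselves are redacted above, the stable detection handle for the exfiltration traffic is the request path. The following is an added example, not part of the Check Point post or its indicator list: it scans web-proxy log lines for the reported G0AnyWhere_up.jsp upload path (with the digit zero, and the letter-o variant as a lower-confidence lead) and reports whether the Data parameter is present. The log format, the sample lines and the 203.0.113.77 and 198.51.100.9 addresses are constructed for this example; the function and field names are the example's own.

```python
"""Hunt web-proxy logs for the GoAnywhere-lookalike exfiltration path.

Added example, not code from the Check Point post. The reported C2 URL was
https://<C2_address>:<port>/G0AnyWhere_up.jsp?Data=  (digit zero, not 'o').
The log format and sample lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# The reported path, matched case-insensitively, with either the digit zero
# (as observed) or the letter o (a corrected variant). The genuine GoAnywhere
# login in the third sample line does not end in _up.jsp and is not matched.
LOOKALIKE_PATH = re.compile(r"(?i)/g[0o]anywhere_up\.jsp$")

# Constructed sample log: "<timestamp> <client_ip> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2024-01-16T09:12:03Z 10.20.30.41 GET https://www.example.com/ 200 5120
2024-01-16T09:12:44Z 10.20.30.41 POST https://203.0.113.77:8443/G0AnyWhere_up.jsp?Data=QUJDRA 200 0
2024-01-16T09:13:01Z 10.20.30.42 GET https://mft.example.org/goanywhere/auth/Login.xhtml 200 8801
2024-01-16T09:14:10Z 10.20.30.43 POST https://198.51.100.9/g0anywhere_UP.jsp?Data=ZXhmaWw 200 0
"""


def suspicious_requests(log_text: str) -> list:
    """Return one dict per log line whose URL path matches the lookalike."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line: skip rather than abort the hunt
        timestamp, client_ip, method, url = fields[:4]
        parts = urlsplit(url)
        if not LOOKALIKE_PATH.search(parts.path):
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        hits.append({
            "timestamp": timestamp,
            "client_ip": client_ip,
            "method": method,
            "host": parts.hostname,
            "port": parts.port,  # None when the URL carries no explicit port
            "path": parts.path,
            "has_data_param": "Data" in query,
            # The observed sample spells the brand with a zero; report it separately
            # so a letter-o match is triaged as a lead rather than a confirmed hit.
            "zero_for_o": "g0" in parts.path.lower(),
        })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Treat a zero_for_o hit with a Data parameter as high confidence. A letter-o match still needs the destination checked against your inventory of GoAnywhere servers, since the post's suspicion is precisely that the C2 hosts were legitimate GoAnywhere installations compromised via CVE-2023-0669.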
<\/p>\n<p>Original post:<\/p>\n<p><a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/research.checkpoint.com\/2024\/sharp-dragon-expands-towards-africa-and-the-caribbean\" title=\"Sharp Dragon Expands Towards Africa and The Caribbean - Check Point Research - Check Point Research\">Sharp Dragon Expands Towards Africa and The Caribbean - Check Point Research - Check Point Research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> Key Findings Since 2021, Check Point Research has been closely monitoring the activities of Sharp Dragon (formerly referred to as Sharp Panda*), a Chinese threat actor. Historical activities mostly consist of highly targeted phishing emails, previously leading to the deployment of VictoryDLL or the Soul framework.  
<a href=\"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/caribbean\/sharp-dragon-expands-towards-africa-and-the-caribbean-check-point-research-check-point-research\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[187816],"tags":[],"class_list":["post-1125462","post","type-post","status-publish","format-standard","hentry","category-caribbean"],"_links":{"self":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts\/1125462"}],"collection":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/comments?post=1125462"}],"version-history":[{"count":0,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/posts\/1125462\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/media?parent=1125462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/categories?post=1125462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.euvolution.com\/prometheism-transhumanism-posthumanism\/wp-json\/wp\/v2\/tags?post=1125462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}