Chinese advanced persistent threat (APT) gangs Camaro Dragon and SharpPanda have been increasing their attacks on political organisations around the world. Both use malicious backdoors and phishing tactics to aid their intelligence gathering, and are targeting countries in Asia and Europe, as well as members of the G20 group of nations.


Security company Check Point has uncovered a malicious backdoor on Chinese cyber espionage gang Camaro Dragon’s distribution servers, which communicates with other command and control (C&C) servers thought to belong to the gang. This can be used to gain initial access to systems, allowing hackers to drop more advanced malware.

Chinese cyber spies write a TinyNote

The backdoor, called TinyNote, appears to be distributed in documents with names related to foreign affairs, possibly targeting Southeast and East Asian embassies, a report from Check Point says.

TinyNote is a basic tool for executing commands. “It enables the actors to fingerprint the infected machine, set up persistence, and establish two different ways to execute commands received from the C&C server,” Check Point’s researchers explain.

The custom backdoor is written in the Go programming language, which is not customary for the gang, continues Check Point. It is believed Camaro Dragon is diversifying its attack arsenal, and has added code specifically designed to evade the Indonesian antivirus software Smadav, which is widely used across Asia.

G20 nations targeted by SharpPanda

G20 nations are also being targeted by another cyber espionage gang connected to China, called SharpPanda. Security company Cyble explains that the APT group employs a combination of spear phishing, targeted spam email attempts, potent backdoor malware and Microsoft Office document vulnerabilities, to try to obtain access to sensitive information from governments.

In a similar technique to that deployed by Camaro Dragon, the spam email deploys malware through an attached MS Office document called “[FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx,” giving the impression it refers to deals made at the G7 summit in Japan two weeks ago.

These emails, with the subject line “[Sending Finalized Text] G7+Partners FASS Meeting,” are distributed to multiple employees within government entities across G20 countries.

The emails contain weaponized versions of seemingly genuine official documents, which employ the remote template injection method to retrieve the next stage of the malware from the group’s C&C server.

Unlike Camaro Dragon’s TinyNote, however, this backdoor provides numerous capabilities to the cybercriminals, including capturing screenshots of victims’ systems, obtaining the titles of all top-level windows and retrieving information about registry keys, among others.

“The SharpPanda APT group is comprised of exceptionally sophisticated cyber threat actors who execute targeted and extended attacks against specific targets, including governments, organizations, and industries, with the objectives of spying, disruption, or monetary gain,” explains Cyble.

Recently, “their focus has shifted to high-level government officials from G20 countries in Europe, North America, and South Asia,” the report says, adding: “The APT group consistently adapts its techniques and incorporates new tools into its arsenal as it evolves.”
