View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Chinese cybercriminals Camaro Dragon and SharpPanda target embassies and G20 nations

Two APT groups operating out of Beijing have been increasing their attacks on political organisations.

By Claudia Glover

Chinese advanced persistent threat (APT) gangs Camaro Dragon and SharpPanda have been increasing their attacks on political organisations around the world. Both use malicious backdoors and phishing tactics to aid their intelligence gathering, and are targeting countries in Asia and Europe, as well as members of the G20 group of nations.

A panda. Looking sharp. (Photo by Hung Chung Chih/Shutterstock)

Security company Check Point has uncovered a malicious backdoor on Chinese cyber espionage gang Camaro Dragon’s distribution servers, which communicates with other command and control (C&C) servers thought to belong to the gang. This can be used to gain initial access to systems, allowing hackers to drop more advanced malware.

Chinese cyber spies write a TinyNote

The backdoor, called TinyNote, appears to be distributed in documents with names related to foreign affairs, possibly targeting Southeast and East Asian embassies, a report from Check Point says.

TinyNote is a basic tool for executing commands. “It enables the actors to fingerprint the infected machine, set up persistence, and establish two different ways to execute commands received from the C&C server,” Check Point’s researchers explain.

The custom backdoor is written in the Go programming language, which is not customary for the gang, continues Check Point. It is believed Camaro Dragon is diversifying its attack arsenal, and has added code specifically designed to evade the Indonesian antivirus software Smadav, which is widely used across Asia.

G20 nations targeted by SharpPanda

G20 nations are also being targeted by another cyber espionage gang connected to China, called SharpPanda. Security company Cyble explains that the APT group employs a combination of spear phishing, targeted spam email attempts, potent backdoor malware and Microsoft Office document vulnerabilities, to try to obtain access to sensitive information from governments.

In a similar technique to that deployed by Camaro Dragon, the spam email deploys malware through an attached MS Office document called “[FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx,” giving the impression it refers to deals made at the G7 summit in Japan two weeks ago.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

These emails, with the subject line “[Sending Finalized Text] G7+Partners FASS Meeting,” are distributed to multiple employees within government entities across G20 countries.

The emails contain weaponized versions of seemingly genuine official documents, which employ the remote template injection method to retrieve the next stage of the malware from the group’s C&C)server.

Unlike Camaro Dragon’s TinyNote, however, this back door provides numerous capabilities to the cybercriminals, including capturing screenshots of victims’ systems, obtaining titles of all top-level windows and retrieving information about registry keys, among others. 

“The SharpPanda APT group is comprised of exceptionally sophisticated cyber threat actors who execute targeted and extended attacks against specific targets, including governments, organizations, and industries, with the objectives of spying, disruption, or monetary gain,” explains Cyble.

Recently, “their focus has shifted to high-level government officials from G20 countries in Europe, North America, and South Asia,” the report says, adding: “The APT group consistently adapts its techniques and incorporates new tools into its arsenal as it evolves.”

Read more: Hackers exploit MOVEit file transfer vulnerability

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.