Africa and the Caribbean at gunpoint for Chinese hackers from Sharp Panda

Tomcat

Cobalt Strike has become the main cyber weapon against government structures in the region.

Chinese hacker group Sharp Panda, known for its cyber espionage campaigns, has launched attacks on government organizations in Africa and the Caribbean. This was reported by experts from Check Point in their recent report.

The campaign uses the Beacon malware, which is part of the Cobalt Strike framework and provides functions for remote control of infected systems and command execution. Relying on this toolkit allows the attackers to minimize the use of custom tools and reduce the risk of their detection. According to Check Point experts, this approach indicates a deep understanding of the attacks' targets.

Sharp Panda, also known as Sharp Dragon, was first detected in June 2021, when it attacked the government of a country in Southeast Asia using the VictoryDLL malware. In subsequent attacks, the hackers used the modular Soul framework, which lets them retrieve additional components from attacker-controlled servers for extended information gathering.

Research shows that the development of Soul began in October 2017. This backdoor includes features borrowed from Gh0st RAT and other publicly available tools frequently used by Chinese cybercriminals.

In June 2023, the group attacked senior officials from G20 countries, indicating continued targeting of government entities for information gathering. An important element of Sharp Panda's operations is the exploitation of zero-day vulnerabilities, such as CVE-2023-0669, to infiltrate infrastructure and use it as C2 servers.

Recent attacks on governments in Africa and the Caribbean demonstrate an expansion of the group's targets. The attackers use hacked email accounts of high-ranking individuals from Southeast Asia to send phishing emails with malicious attachments that use the Royal Road tool to deliver the "5.t" downloader. This loader performs reconnaissance and launches the Cobalt Strike Beacon, which allows the hackers to gather precise information about target systems.

Using Cobalt Strike not only reduces the risk of detection of custom tools, but also indicates an "improved approach to evaluating targets," as Check Point notes. Recently, the hackers have also started using executable files disguised as documents to increase the chance of infection, which is evidence of the constant refinement of their tactics.

Sharp Dragon's strategic expansion to Africa and the Caribbean reflects the desire of Chinese cybercriminals to increase their presence and influence in these regions.

Hacker groups like Sharp Panda are constantly improving their methods, adapting tactics and using the latest tools to infiltrate government structures in various countries. Their activities extend beyond individual regions, indicating a desire to expand their influence and collect confidential information on a global scale.

Such malicious activity underscores the need to improve cybersecurity and strengthen international cooperation in the fight against cybercrime to protect critical government structures and data.