Cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) have recently uncovered an ongoing campaign by the sophisticated hacking group known as Sharppanda Apt.

This group, previously observed targeting Government officials in Southeast Asian countries, has now shifted its focus to high-level government officials from G20 nations.

“Previously, this APT group has been observed targeting government officials, particularly in Southeast Asian countries,” said the CRIL report.

“This latest campaign specifically targets high-level government officials from G20 nations.”

The G20, established in 1999, is a prominent international forum comprising 19 countries and the European Union.

This shift in focus raises concerns about the group’s evolving tactics and the potential implications for global security and economic cooperation.

The origins of SharpPanda APT

SharpPanda APT has established a reputation for executing extended and sophisticated cyber attacks against specific geopolitical targets.

It employs strategies such as spear-phishing, social engineering manipulation, and exploiting zero-day vulnerabilities. Governments, organizations, and industries have all fallen victim to their intrusive activities.

The G20, comprised of 19 countries and the European Union, was established in 1999 as an international forum to foster global economic cooperation and address key challenges impacting the worldwide economy.

With member countries representing a diverse range of economies and collectively accounting for a significant share of global GDP and population, the G20 holds annual summits where leaders convene to discuss and coordinate security, economic, and financial policies.

SharpPanda APT campaign and G20 officials

“In its latest campaign, the SharpPanda APT group employs a forged document linked to G7 to target various governments within the G20 forum,” said the CRIL report.

The campaign’s infection chain starts with a spam email containing an attached MS Office document named “[FINAL] Hiroshima Action Statement for Resilient Global Food Security_trackchanged.docx.”

This deceptive email, with the subject line “[Sending Finalized Text] G7+Partners FASS Meeting,” is distributed to multiple government employees across G20 countries.

The attached document, seemingly genuine, uses remote template injection to retrieve the next stage of the malware from the attackers’ Command-and-Control (C&C) server.

The weaponized RTF file within the spam email exploits vulnerabilities in Microsoft Word’s Equation Editor, leveraging a set of specific vulnerabilities (CVE-2018-0802, CVE-2018-0798, and CVE-2017-11882).

These exploits enable the execution of encrypted payloads and shellcode, leading to the establishment of persistence mechanisms within the victims’ systems.

“The emails contain weaponized versions of seemingly genuine official documents, which employ the remote template injection method to retrieve the next stage of the malware from the TA’s Command-and-Control (C&C) server,” the report said.

“Upon opening the document, it initiates the download of a new payload from the attacker’s remote server, which is RTF file serving as the next-level payload.”

Upon successful transmission of the victim’s information to the remote server, the technical actors (TAs) meticulously analyze the gathered data.

If the TAs find the victim’s machine to be of interest, the Command-and-Control (C&C) server reciprocates by providing the next stage executable as a response.

“During the final phase of the infection chain, the malicious loader in the SharpPanda APT campaign is specifically designed to download a backdoor module,” said the report.

“However, during our analysis, no response was received from the remote server.”

SparpPanda APT: Recent campaigns

The rise of nation-sponsored threat groups has been a matter of concern for long.

Check Point Research in June 2021 uncovered a surveillance operation by SharpPanda APT targeting a government entity in Southeast Asia.

The attackers utilize spear-phishing techniques and exploit old Microsoft Office vulnerabilities to deploy an unknown backdoor on victim’s machines, the report said.

The operation is believed to be carried out by a Chinese APT group with a history of refining their tools over the past three years.

The group continued to target Southeast Asian governments, particularly those with territorial disputes or strategic infrastructure projects, Check Point researchers found in March 2023.

Sharp Panda’s tools and Tactics, Techniques, and Procedures (TTPs) were observed in the earlier attacks in Southeast Asia.

These traits include the sharing of custom tools among different groups and the division of tasks, where one entity focuses on initiating the infection while another entity specializes in intelligence gathering.

Researchers found that these common traits were associated with Chinese-based APT operations.