Chinese cyber-espionage group Emissary Panda has been targeting government organizations in two different countries in the Middle East, Palo Alto Networks security researchers say.
Also tracked as APT27, TG-3390, Bronze Union, and Lucky Mouse, the threat group has been active since at least 2010, targeting hundreds of organizations worldwide, including U.S. defense contractors, financial services firms, a European drone maker, and a national data center in Central Asia, among others.
Emissary Panda activity observed in April 2019 involved the installation of webshells on SharePoint servers, likely in an attempt to exploit the recently patched remote code execution vulnerability in SharePoint tracked as CVE-2019-0604.
Following the initial network compromise, the actor would upload a variety of tools to sustain additional activities, including credential dumping and locating and pivoting to additional systems on the network. The group employed tools to identify and exploit systems vulnerable to CVE-2017-0144, the security flaw exploited by EternalBlue.
The identified activity appears related to the CVE-2019-0604 exploitation mentioned last month in security alerts from the Saudi Arabian National Cyber Security Center and the Canadian Centre for Cyber Security.
As part of the attacks, the actor used the webshells to upload legitimate executables, which they then used for DLL sideloading to run malicious code that overlaps with known Emissary Panda attacks, Palo Alto Networks reports.
Between April 1 and April 16, the cyber-spies used webshells to upload 24 unique executables on three SharePoint servers hosted by two different government organizations. Several of the same tools were uploaded across the three webshells, suggesting that a single threat group was involved.
Some of the uploaded tools included legitimate applications such as cURL, post-exploitation tools such as Mimikatz, tools to scan for and exploit potential vulnerabilities in the network, and custom backdoors such as HyperBro, which is commonly associated with Emissary Panda.
“Based on the functionality of the various tools uploaded to the webshells, we believe the threat actors breach the SharePoint servers to use as a beachhead, then attempt to move laterally across the network via stolen credentials and exploiting vulnerabilities,” Palo Alto Networks says.
One of the webshells was identified as a variant of the Antak webshell, which is part of the Nishang red-teaming toolkit, while the other webshells appear related to the China Chopper webshell. Because of this, the researchers are not certain that a single actor installed all of them (although Emissary Panda and China Chopper are likely related).
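A webshell dropped onto a SharePoint front end leaves a recognisable trace in the IIS logs: a page that one client only ever POSTs to, never browses, and pushes large request bodies into (the uploaded tools). The hunting script below is an added example, not code from the Palo Alto Networks report; the log excerpt, the baseline of known pages and the page name `/_layouts/15/help2.aspx` are all constructed for illustration.

```python
"""Hunt for webshell-like request patterns in IIS logs from a SharePoint front end."""
from collections import defaultdict

# Constructed IIS W3C log excerpt (not taken from the report). Fields:
# date time c-ip cs-method cs-uri-stem sc-status cs-bytes
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2019-04-02 10:01:05 203.0.113.7 GET /_layouts/15/start.aspx 200 310
2019-04-02 10:01:09 203.0.113.7 POST /_layouts/15/upload.aspx 200 2048
2019-04-02 10:03:41 198.51.100.9 POST /_layouts/15/help2.aspx 200 512
2019-04-02 10:03:50 198.51.100.9 POST /_layouts/15/help2.aspx 200 65536
2019-04-02 10:04:02 198.51.100.9 POST /_layouts/15/help2.aspx 200 71200
2019-04-02 10:04:30 198.51.100.9 POST /_layouts/15/help2.aspx 200 90112
2019-04-02 10:05:11 192.0.2.44 GET /sites/hr/default.aspx 200 0
"""

# Constructed baseline of .aspx pages known to exist on the farm before the
# campaign window. In practice, build it from a file inventory of the
# LAYOUTS and site directories taken from a trusted backup.
KNOWN_PAGES = {"/_layouts/15/start.aspx", "/_layouts/15/upload.aspx",
               "/sites/hr/default.aspx"}

def parse_iis(log_text):
    """Yield (client_ip, method, uri, status, request_bytes) per data line."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):       # skip W3C directive lines
            continue
        parts = line.split()
        if len(parts) != 7:                         # malformed line: ignore it
            continue
        _, _, ip, method, uri, status, cs_bytes = parts
        yield ip, method.upper(), uri.lower(), int(status), int(cs_bytes)

def find_webshell_candidates(log_text, known_pages, min_posts=3, min_bytes=64 * 1024):
    """Return (ip, uri, post_count, total_bytes) for .aspx pages outside the
    baseline that a client only POSTs to (never GETs) and pushes data into."""
    posts, gets, total = defaultdict(int), defaultdict(int), defaultdict(int)
    for ip, method, uri, status, cs_bytes in parse_iis(log_text):
        if not uri.endswith(".aspx") or status != 200:
            continue
        key = (ip, uri)
        if method == "POST":
            posts[key] += 1
            total[key] += cs_bytes
        elif method == "GET":
            gets[key] += 1
    hits = []
    for (ip, uri), n in posts.items():
        if uri in known_pages or gets[(ip, uri)] or n < min_posts or total[(ip, uri)] < min_bytes:
            continue
        hits.append((ip, uri, n, total[(ip, uri)]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_webshell_candidates(SAMPLE_LOG, KNOWN_PAGES):
        print("webshell candidate: client=%s page=%s posts=%d bytes=%d" % hit)
```

Pages that are legitimately POST-only (form handlers, upload endpoints) belong in the baseline, otherwise they surface as false positives; the page inventory, not the URI name, is what separates a webshell from a real handler.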
The HyperBro backdoor used in these attacks supports commands to manage files, enumerate logical storage volumes, delete files, upload and download files, list the contents of a folder, run an application, execute shell commands, take screenshots, run shellcode, kill processes, and list and manage services.
The security researchers also discovered that the group used additional sideloaded payloads in this campaign, though they have not yet been able to retrieve them.
“The Emissary Panda threat group loaded the China Chopper webshell onto SharePoint servers at two Government organizations in the Middle East, which we believe with high confidence involved exploiting a remote code execution vulnerability in SharePoint tracked in CVE-2019-0604,” Palo Alto Networks concludes.