An alleged Chinese APT group dubbed Panda Emissary (also known as TG-3390) is targeting high-profile governments and organisations searching for defense aerospace projects.
Researchers at Dell discovered that the Panda Emissary group used Watering hole attacks as the attack vector, the APT group it likes to compromise websites popular with a target organisation’s personnel.
“The group extensively uses long-running [watering holes], and relies on whitelists to deliver payloads to select victims,” Dell’s counter-threat unit wrote in a report.”
The group exploits old vulnerabilities which aren’t yet patched by victims, researchers at Dell observed that the group mainly exploited Java flaws, including CVE-2011-3544 and CVE-2010-0738.
According to the experts, the Panda Emissary group has already compromised more than 100 websites. It is interesting to note that watering holes used by the hackers include a whitelist to run surgical attacks by ensuring that only staff from a target organisation are infected remaining under the radar for a long time.
Another peculiarity of the Panda Emissary group is the use of custom Microsoft Exchange backdoors and credential logger. The Panda Emissary used custom tools OwaAuth web shell and ASPXTool, and also popular criminal hacking tools PlugX RAT, HttpBrowser, and China Chopper.
“After the initial compromise, TG-3390 delivers the HttpBrowser backdoor to its victims. The threat actors then move quickly to compromise Microsoft Exchange servers and to gain complete control of the target environment.” “The threat actors are adept at identifying key data stores and selectively exfiltrating all of the high-value information associated with their goal.”
“The group extensively uses long-running strategic web compromises (SWCs), and relies on whitelists to deliver payloads to select victims. In comparison to other threat groups, TG-3390 is notable for its tendency to compromise Microsoft Exchange servers using a custom backdoor and credential logger.”
The Panda Emissary group targeted large manufacturing companies supplying defense organizations, energy firms, embassies in Washington, DC representing countries in the Middle East, Europe, and Asia, NGOs particularly focused on international relations and defense and of course government organizations.
“CTU researchers have discovered numerous details about TG-3390 operations, including how the adversaries explore a network, move laterally, and exfiltrate data. As shown in Figure 11, after compromising an initial victim’s system (patient 0), the threat actors use the Baidu search engine to search for the victim’s organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain.”
The hackers belonging to the Panda Emissary group only syphon data related to specific U.S. defense projects, the report doesn’t s provide further information on the motivation behind the attacks. It is not clear if the hacking crew is state-sponsored team or a hacking-for-hire group.
“CTU researchers have observed the threat group obtaining information about specific U.S. defense projects that would be desirable to those operating within a country with a manufacturing base, an interest in U.S. military capability, or both,” states Dell. “The adversary’s end goal is to exfiltrate, not infiltrate. After gaining access to a target network in one intrusion analysed by CTU researchers, TG-3390 actors identified and exfiltrated data for specific projects run by the target organisation.”
It also has access to a criminal development team focused on building hacking tools and is proficient at hiding malware and does not bother with reconnaissance, instead of waiting to gain a foothold in target organisations.
Researchers from Dell speculate on the Chinese origin of the hacking team, they observed local working hours and the use of native language tools, but they cannot exclude that this information could be the result of a false-flag operation.
Enjoy the report.
(Security Affairs – Panda Emissary, cyber espionage)