
China spy network

The new campaign started on March 23 with phishing emails sent to defense research institutes in Russia. All of them had the same subject: "List of persons under US sanctions for invading Ukraine", a malicious document attached, and contained a link to an attacker-controlled site designed to look like the Health Ministry of Russia.

An email went out to an organization in Minsk, Belarus, on the same day with the subject: "US Spread of Deadly Pathogens in Belarus".

Additionally, all of the attached documents looked like official Russian Ministry of Health documents with the official emblem and title.

Downloading the malicious document drops a sophisticated loader that not only hides its functionality, but also avoids detection of suspicious API calls by dynamically resolving them with name hashing.

By using DLL sideloading, which Check Point noted is "a favorite evasion technique used by multiple Chinese actors," the malware evades anti-virus tools. The researchers cited PlugX malware, used by Mustang Panda, and a more recent APT10 global espionage campaign that used the VLC player for side-loading. In this case of the Twisted Panda campaign, "the actual running process is valid and signed by Microsoft," according to the analysis.

According to the security researchers, the loader contains two shellcodes.

During the course of the research, the security shop also uncovered a similar loader that contained what looked like an easier variant of the same backdoor. And based on this, the researchers say they believe Twisted Panda has been active since June 2021.