|
| Sharp Panda Panda Panda Dragon |
| |
| |
| |
| |
| |
| VictoryDLL
SoulSearcher
Cobalt Strike Beacon
RoyalRoad
5.t Downloader (DLL and EXE formats)
GoAnywhere Exploit (CVE-2023-0669)
Custom C2 Servers |
Overview
Sharp Dragon, previously recognized as Sharp Panda, represents a sophisticated and evolving Chinese threat actor that has been actively engaged in cyber espionage since its emergence in 2021. Initially focusing on Southeast Asia, Sharp Dragon has become notable for its methodical and highly-targeted cyber operations, targeting governmental and high-profile organizations with precision and adaptability. This group’s operations are marked by an impressive ability to exploit vulnerabilities and pivot its tactics, showcasing a blend of advanced malware deployment and strategic phishing campaigns.
From its inception,
Sharp Dragon has demonstrated a deep understanding of its targets and a refined approach to cyber operations. The group’s early campaigns primarily involved the use of custom tools and frameworks like VictoryDLL and the SoulSearcher framework. These tools were specifically designed to facilitate remote access and data collection, enabling Sharp Dragon to maintain a persistent presence within targeted networks. Over time, the group has evolved its toolkit, incorporating widely-used tools such as Cobalt Strike Beacon to avoid detection and mitigate the risk of exposure.
In recent months, Sharp Dragon has expanded its focus beyond its initial Southeast Asian targets to include governmental entities in Africa and the Caribbean. This strategic shift highlights the group’s growing ambition and the broader geopolitical implications of their activities. By leveraging previously compromised infrastructure and employing sophisticated phishing techniques, Sharp Dragon has successfully established footholds in these new regions. Their choice of targets and lures—often tailored to exploit regional political and economic relations—demonstrates an adaptive and opportunistic approach to cyber espionage.
Common targets
Governmental Organizations
Diplomatic Entities
Infrastructure
High-Profile Organizations
Attack vectors
Phishing Emails
Malicious Documents
Compromised Infrastructure
Remote Template Exploitation
Exploited Vulnerabilities
How they operate
At the heart of Sharp Dragon’s tactics is their use of phishing emails. These emails are meticulously crafted to appear as legitimate communications, often involving high-profile or sensitive topics relevant to the target’s interests. The phishing campaigns are usually accompanied by malicious attachments or links, designed to exploit vulnerabilities in the victim’s system. Once a recipient interacts with the phishing content, the group deploys various malware payloads, including custom tools and popular frameworks like Cobalt Strike Beacon, to establish a foothold within the compromised network.
Sharp Dragon is also known for its use of compromised infrastructure. Instead of relying solely on their own servers, the group frequently exploits existing, legitimate servers to facilitate their operations. This approach not only helps in evading detection but also provides them with a more robust and covert method of command and control (C2). They have been observed using compromised servers to both execute malicious commands and exfiltrate stolen data.
In recent operations, Sharp Dragon has shown a notable shift in their targeting strategy, expanding their focus to regions beyond their historical bases. They have increasingly targeted governmental organizations in Africa and the Caribbean, leveraging previous compromises in South-East Asia to facilitate these new attacks. This expansion reflects a broader strategic effort to enhance their influence and gather intelligence from new geographical regions.
MITRE Tactics and Techniques
Initial Access – T1078
Execution – T1059
Persistence – T1053
Privilege Escalation – T1068
Defense Evasion – T1027
Credential Access – T1003
Discovery – T1046
Lateral Movement – T1076
Collection – T1213
Command and Control – T1071
Exfiltration – T1041
Impact – T1486
References:
