Unveiling Sharp Panda’s New Loader

Taking your threat intelligence seriously

Unveiling Sharp Panda’s New Loader

Checkpoint recently published a report on Sharp Panda, mentioning an extension of its victimology as well as the utilization of a new dropper to deploy the 5.t framework. To avoid confusion with other vendors naming, Checkpoint decided to rename Sharp Panda to Sharp Dragon.

Associated in open sources to China, this intrusion set is mostly known for targeting Southeast Asia countries. In the past, Sharp Panda has heavily relied on RoyalRoad, a RTF weaponizer used by several Chinese linked threat actors.

Since I worked on this intrusion set a few month ago, I decided to have a look to Sharp Panda’s new dropper (Sha1: 6a37c533b9ff57bb50157d243ba6b373fc13392a). As always, constructive criticism is very welcome.

Static analysis

As shown by Detect It Easy (DIE), this malware is a 64-bit executable allegedly compiled on march 2024.

Caption: DIE’s analysis results of Sharp Panda’s new dropper

To lure its targets into executing it, the malicious file mimics a Microsoft Word document.

Caption: Properties of the malicious file. The file displays a Word icon.

Static analysis reveals that the executable is importing a large number of functions. However, the malware also seems to use API and string hashing, as well as stack strings (or tight strings to be more precise) to hide some of its content.

The fastest way to do it would be to use the tool named FLOSS (FLARE Obfuscated String Solver). FLOSS indeed reveals several strings that were not visible previously.

Caption: Strings revealed using Floss

By using carefully placed breakpoints in the decrypting routine (at offset 0x14000433C), it is also possible to find these strings manually (note, however, that they are not all decrypted at the same time).

Caption: Decrypted strings in a debugger.

Anyway, to have a more precise idea of how this malware’s internals are working, I decided to debug it using x64dbg.

Dynamic analysis

As noted by Checkpoint, this malware can indeed act as a loader. In the present case, it first attempts to load into memory, using the LoadLibraryExW function, malicious DLLs that could already be present on disk, such as 1.dll or 01_XXENU.dll.

Caption: The malware tries to load several DLLLs using LoadLibraryExW

Since the malware was deployed in the recent campaign documented by Checkpoint using a .RAR archive, it is possible that the attackers contemplated the possibility of including one of these malicious DLLs directly in the archive.

Since the malware was not able to load any existing malicious DLL, it then proceeds to decrypt the path of a malicious DLL to deploy as the next stage.

Caption: Decrypting the path and the name of the malicious DLL to be dropped.

It then proceeds to write a malicious file to disk using the CreateFileW function. The first argument passed to the function corresponds to the name (WindowsUpdate.ini) and the path of the file to be created, both of which were previously decrypted.

Caption: Dropping on disk the next stage payload

While it uses the .ini extension, this file is actually a DLL, as shown on the following PE studio screenshot.

Caption: The third stage payload is a malicious DLL

To avoid raising suspicion, a .docx lure file, named 01_XXX.docx, is also written in the C:\\Users\USER_NAME\AppData\Local\Temp\ folder. This file will be used to convince the target that he or she has actually opened a Word document.

Caption: Creating a lure document on disk

Using the decryption routine previously mentioned, the malware then decrypts the names of two word processing software that could be used to open the lure document. After that, it proceeds to enumerate directories in order to find one of these tools.

Caption: Decrypting word processing tool names and searching for them on disk

In the present case, the final lure document, which is probably a legitimate document available from open sources, looks like this:

Caption: Lure document used by Sharp Panda

These results, namely the creation of a .docx lure document and the deployment of a malicious DLL disguised as an .ini file, are consistent with what I found when executing the malware in my lab :

Caption: Using process monitor and Procdoc, it is possible to see that the malware drops two files: a docx document and a.ini file which is actually a DLL.

For persistence purposes and to launch the dropped malicious DLL, the malware leverages Microsoft Windows API CoInitializeEx, CoInitializeSecurity and CoCreateInstance to create a scheduled task.

Caption: The malware creates a scheduled task to run the next stage payload

It is possible to find this scheduled task in Windows Task Scheduler. As suggested by the name of the DLL, this scheduled task mimics a legitimate Windows update to fly under the radar.

Caption: Scheduled task set up by the dropper

The malware then decrypts and calls TerminateProcess in order to exit.

Caption: Call to TerminateProcess

More than a loader?

What struck me the most with this malware is the fact that large portions of code are not called in the present case. Moreover, several APIs used suggest that this malware may have keylogging features. For example, the imports of this malware include several hook APIs. A keylogger might use such APIs to intercept and capture keystrokes before they reach the intended application.

Caption: Hook API imported by the malware

To get a precise idea of how an API can be used by a malware, it is possible to refer to the great work of malapi.io.

Caption: Other API functions typically used by keyloggers

By using these functions, a keylogger could effectively monitor and log keyboard activities,

Things are even clearer when looking at some functions. Here is a function that checks if the user is copying, pasting, or cutting data.

Caption: Decompiled function used to monitor copy, paste, and cut operations.

I am not sure if the large portions of code that look like a keylogger are actual features that are not used or just junk code used to waste analysts’ time. This would be strange since the functions used scream for a keylogger and therefore clearly show the malicious nature of this executable.

Conclusion

The present campaign represents a departure from traditional Sharp Panda exploitation of Equation Editor vulnerabilities of Microsoft Word to deploy additional payload. Concerning Sharp Panda’s new dropper used in this campaign, several questions remain, such as the real features of this piece of code as well as its utilisation by other Chinese-linked intrusion sets. In any case, it was fun to look at this loader / dropper.

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *