
China-Linked Twisted Panda Caught Spying on Russian R&D Organizations


Chinese cyber spies have targeted two Russian defense institutes and possibly another research center in Belarus, according to Check Point Research.

The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored spying operation that has been going on for several months or even nearly a year, according to the security firm.

In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign, which used sanctions-themed phishing emails to attack Russian entities that are part of the state-owned defense conglomerate Rostec Corporation.

Check Point Research also noted that, around the same time it observed the Twisted Panda attacks, another Chinese advanced persistent threat (APT) group, Mustang Panda, was seen exploiting the invasion of Ukraine to target Russian organizations.

In fact, Twisted Panda may have ties to Mustang Panda or another Beijing-backed spy ring called Stone Panda, aka APT10, according to security researchers.

In addition to the timing of the attacks, other tools and techniques used in the new campaign overlap with China-based APT groups, they wrote. For this reason, the researchers attributed the new cyber espionage operation “with high confidence to a Chinese threat actor”.

During the investigation, the security firm also discovered a similar loader that contained what looked like a simpler variant of the same backdoor. Based on that, the researchers believe Twisted Panda has been active since June 2021.

Phishing for Defense R&D

The new campaign began on March 23 with phishing emails sent to defense research institutes in Russia. All had the same subject: “List of [target institute name] persons under US sanctions for invading Ukraine”, a malicious document attached, and contained a link to a site controlled by the attacker designed to look like Russia’s Health Ministry.

An email was sent to an organization in Minsk, Belarus on the same day with the subject: “US spread of deadly pathogens in Belarus”.

Moreover, all attached documents looked like official documents of the Russian Ministry of Health with the official emblem and title.

Downloading the malicious document drops a sophisticated loader that not only hides its functionality but also keeps suspicious API calls out of its import table by resolving them dynamically through API name hashing.
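API name hashing replaces readable import names with 32-bit constants, so an analyst's first job is to turn those constants back into names. The following is an added example written for this page, not code from the Check Point write-up or from the Twisted Panda loader: it hashes a candidate list of export names with the same algorithm the loader is assumed to use and looks the observed constants up in that table. The ROR-13 hash, the candidate names, and the constants are all assumptions or constructed values; the article does not say which hash algorithm the loader uses.

```python
"""Recover Windows API names from hash constants found in a loader.

Added example, not from the article or from Check Point. The ROR-13
hash is an assumed algorithm chosen because it is widely documented;
the export names and the "observed" constants below are constructed.
"""

# Constructed candidate list: in practice this would be every export of the
# DLLs the loader is known to touch (kernel32, ntdll, advapi32, ...).
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "Sleep", "ExitProcess",
]


def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= 0xFFFFFFFF
    return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """ROR-13 hash over the ASCII bytes of an export name (assumed algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & 0xFFFFFFFF
    return h


def build_hash_table(names):
    """Precompute hash -> name for every candidate export."""
    return {ror13_hash(n): n for n in names}


def resolve_hashes(constants, names=CANDIDATE_EXPORTS):
    """Map each observed constant to an API name, or None if it is unknown.

    A None result means either the candidate list is incomplete or the
    loader uses a different hash algorithm than the one assumed here.
    """
    table = build_hash_table(names)
    return {c: table.get(c) for c in constants}


def demo():
    """Constructed 'observed' constants: three real hashes plus one unknown."""
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("CreateThread"),
                ror13_hash("LoadLibraryA"), 0xDEADBEEF]
    return resolve_hashes(observed)


if __name__ == "__main__":
    for constant, name in demo().items():
        print(f"0x{constant:08x} -> {name}")
```

If most constants come back as None, the assumed algorithm is wrong; the usual next step is to swap in other well-known hashes (different rotate counts, CRC32, or hashes over the uppercased name) until the table lights up.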

By using DLL sideloading, which Check Point says is “a favorite evasion technique used by several Chinese players”, the malware evades anti-virus tools. The researchers cited the PlugX malware, used by Mustang Panda, and a newer APT10 global spy campaign that used VLC player for sideloading.

In this case of the Twisted Panda campaign, “the actual execution process is valid and signed by Microsoft,” according to the analysis.
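Because the host process in a sideloading chain is a legitimate, signed binary, the signal for defenders is not the process itself but where the DLL it loads comes from. The script below is an added example for this page, not Check Point's code and not tied to the specific Microsoft-signed binary the article mentions: it runs two simple sideloading checks over constructed image-load records shaped loosely like Sysmon Event ID 7 fields. The field names (`Image`, `ImageLoaded`, `Signed`, `HostSigned`), the allow-list of DLL names, and the sample events are all constructed for illustration.

```python
"""Flag likely DLL sideloading in image-load telemetry.

Added example, not from the article or from Check Point. Events are
constructed dicts with assumed field names; KNOWN_SYSTEM_DLLS is a
constructed allow-list of DLL names that should only load from the
Windows system directories.
"""
import ntpath  # Windows path semantics so this runs on any OS

SYSTEM_DIRS = (r"c:\windows\system32\\".rstrip("\\") + "\\",
               r"c:\windows\syswow64\\".rstrip("\\") + "\\")

# Constructed: DLL names commonly abused for sideloading; a real list would
# be built from an inventory of the system directories.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "winmm.dll"}


def sideload_indicators(event: dict) -> list:
    """Return a list of reasons this image load looks like sideloading."""
    dll_path = event["ImageLoaded"].lower()
    host_path = event["Image"].lower()
    dll_name = ntpath.basename(dll_path)
    reasons = []

    # Check 1: a system-DLL name served from somewhere other than the
    # system directories is the classic search-order hijack.
    if dll_name in KNOWN_SYSTEM_DLLS and not dll_path.startswith(SYSTEM_DIRS):
        reasons.append(f"{dll_name} loaded from outside the Windows system directories")

    # Check 2: a signed host pulling an unsigned DLL from its own directory.
    if (event.get("HostSigned") == "true"
            and event.get("Signed") != "true"
            and ntpath.dirname(dll_path) == ntpath.dirname(host_path)):
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    return reasons


def scan(events) -> list:
    """Return (host, dll, reasons) for every event with at least one indicator."""
    hits = []
    for e in events:
        reasons = sideload_indicators(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits


# Constructed sample telemetry (paths and names are not from the article).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "HostSigned": "true",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\signedhost.exe", "HostSigned": "true",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe", "HostSigned": "true",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorhelper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for host, dll, reasons in scan(SAMPLE_EVENTS):
        print(host, "->", dll)
        for r in reasons:
            print("   ", r)
```

The second sample event trips both checks and is the pattern the article describes; the third trips only the weaker check, which is common for legitimate software that ships unsigned helper libraries, so in production the two reasons deserve different severities rather than a single alert.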

According to the researchers, the loader contains two shellcodes. The first runs the persistence and cleanup script, and the second is a multi-layer loader. “The goal is to consecutively decrypt the other three fileless loader layers and eventually load the main payload into memory,” Check Point Research explained.

New Spinner backdoor detected

The main payload is a previously undocumented backdoor, Spinner, which uses two types of obfuscation. And while the backdoor is new, the researchers noted that the two obfuscation methods have been used together in earlier samples attributed to Stone Panda and Mustang Panda. These are control flow flattening, which makes the code flow non-linear, and opaque predicates, which ultimately cause the binary to perform unnecessary calculations.

“Both methods make it difficult to scan the payload, but together they make scanning tedious, time-consuming and tedious,” the security firm said.
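To make the two obfuscations concrete, here is an added illustration written for this page; it is not code from the article or from the Spinner sample. `checksum_plain` is an ordinary loop with one branch. `checksum_flattened` computes exactly the same value, but the loop and branch are replaced by a numbered-state dispatcher (control flow flattening) and one transition is guarded by `always_true`, an opaque predicate that is always satisfied but that a scanner must reason about before it can discard the dead state. The checksum itself and the state numbering are constructed for the example.

```python
"""Control-flow flattening and an opaque predicate, side by side.

Added illustration, not from the article or the Spinner backdoor. Both
functions return the same value for every input; only the shape of the
control flow differs.
"""


def checksum_plain(data: bytes) -> int:
    """Readable version: one loop, one visible branch."""
    total = 0
    for b in data:
        if b & 1:
            total = (total + b * 3) & 0xFF
        else:
            total = (total ^ b) & 0xFF
    return total


def always_true(x: int) -> bool:
    """Opaque predicate: x*(x+1) is the product of consecutive integers,
    so it is always even, but proving that takes more than a lookup."""
    return (x * (x + 1)) % 2 == 0


def checksum_flattened(data: bytes) -> int:
    """Same computation as a dispatcher over numbered states."""
    state, i, total, b = 0, 0, 0, 0
    while True:
        if state == 0:                      # loop condition
            state = 1 if i < len(data) else 4
        elif state == 1:                    # fetch next byte, pick a branch
            b = data[i]
            state = 2 if (b & 1) else 3
        elif state == 2:                    # odd-byte branch
            total = (total + b * 3) & 0xFF
            i += 1
            # the predicate is always true, so state 5 is never reached
            state = 0 if always_true(total) else 5
        elif state == 3:                    # even-byte branch
            total = (total ^ b) & 0xFF
            i += 1
            state = 0
        elif state == 4:                    # exit
            return total
        else:                               # dead state guarded by the predicate
            total = (total * 7) & 0xFF
            state = 4


def same_result(data: bytes) -> bool:
    """Helper for checking that both versions agree on an input."""
    return checksum_plain(data) == checksum_flattened(data)


if __name__ == "__main__":
    for sample in (b"", b"\x01", b"\x02", b"hello", bytes(range(256))):
        print(sample[:8], checksum_plain(sample), checksum_flattened(sample))
```

Reading `checksum_flattened` without knowing it came from `checksum_plain` means reconstructing the loop from the state transitions and proving state 5 dead; at the scale of a real binary with hundreds of states and many predicates, that is the "tedious, time-consuming" analysis the researchers describe.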

The primary purpose of the Spinner backdoor is to execute additional payloads sent from a command and control server, although the researchers claim that they did not intercept any of these other payloads. However, “we believe that selected victims likely received the full backdoor with additional abilities,” they noted.

Linked to the Chinese five-year plan?

Victims – research institutes that focus on the development of electronic warfare systems, specialized on-board radio-electronic equipment in the military, avionics systems for civil aviation, and medical equipment and control systems for energy, transport and engineering industries – also link the Twisted Panda campaign to China’s Five-Year Plan, which aims to develop the country’s scientific and technical capabilities.

And, as the FBI warned [PDF], the Chinese government does not hesitate to use cyber espionage and IP theft to achieve these goals.

As Check Point Research concluded: “With previous reports of Chinese APT groups carrying out their espionage operations against Russia defense and governmental industry, the Twisted Panda campaign described in this research could serve as further evidence of the use of espionage in a systematic, long-term effort to achieve Chinese strategic goals of technological superiority and military might.” ®