The Chinese state-backed APT campaign dubbed Twisted Panda has recently been attributed to the cyberattacks against two Russian research institutes and a Belarusian firm. Analysts state that the new attack operations came amid the ongoing conflict between Russia and Ukraine to leverage the situation and launch attacks.
Furthermore, studies about the campaign revealed that its operators trick their targets into opening malware-injected attachments or clicking malicious links through well-thought-out social engineering schemes, including war and sanction related baits.
Other details about the espionage campaign also uncovered that the Chinese operators are associated with other notorious threat groups such as Stone Panda and Mustang Panda, which go by different names in their malicious operations.
Experts also presume that the Twisted Panda campaign is part of a long-running espionage operation directed against Russian firms.
This new campaign’s most recent detected activities were only from last month, targeting two Russian defence research institutions and another firm located in Belarus.
The targeted victims are sent phishing emails containing a link that spoofs Russia’s health ministry to trick the recipients into clicking it. Other enclosures within the phishing emails include a malware-laden Microsoft Word file that can drop a harmful payload onto a device once opened.
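As an added illustration of the delivery described above (this is example code written for this article, not anything from the researchers or the threat actor), the following Python script applies two cheap mail-gateway checks: it flags HTML links whose visible text looks like one address while the underlying href points at a different host, and it flags Word attachments whose extension can carry macros. The sample message body and attachment names are constructed, and the domains in them are placeholders.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: the visible link text mimics a ministry address,
# while the real href points at an unrelated host (placeholder domains).
SAMPLE_HTML = """
<p>Please review the updated sanctions notice.</p>
<a href="http://ministry-health-login.example.net/notice">https://ministry-health.example/notice</a>
<a href="https://intranet.example.org/policy">Internal policy</a>
"""

# Constructed sample attachment list for the second check.
SAMPLE_ATTACHMENTS = ["notice.docm", "report.pdf", "summary.doc"]

# Word/Excel extensions that can embed macros (legacy .doc/.xls included).
MACRO_CAPABLE = {".doc", ".docm", ".dotm", ".xls", ".xlsm"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL, tolerating a missing scheme."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


def find_lookalike_links(html):
    """Return (href, visible_text) pairs where the visible text is itself a
    URL-like string whose host differs from the host the href really targets."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        if _LOOKS_LIKE_URL.match(text) and _host(text) != _host(href):
            flagged.append((href, text))
    return flagged


def risky_attachments(filenames):
    """Return attachment names whose extension can carry Office macros."""
    return [name for name in filenames
            if os.path.splitext(name)[1].lower() in MACRO_CAPABLE]


if __name__ == "__main__":
    for href, text in find_lookalike_links(SAMPLE_HTML):
        print(f"mismatch: shown '{text}' but links to '{href}'")
    for name in risky_attachments(SAMPLE_ATTACHMENTS):
        print(f"macro-capable attachment: {name}")
```

Both checks are deliberately simple and produce candidates for review rather than verdicts; a real gateway would also resolve redirectors and inspect the Office file's VBA project rather than trusting the extension.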
If the malicious payload executes successfully on the victim’s device, it employs a sophisticated technique called control flow flattening, which obfuscates the malicious activity it carries out on the computer. This payload has been dubbed the Spinner backdoor, a previously undocumented tool that has been utilised by other groups in attacks, including Stone Panda and Mustang Panda.
The researchers’ investigations also noted the usage of another backdoor variant similar to Spinner, which solidifies their findings of the Twisted Panda campaign being an active espionage operation since June 2021.
What differentiates this other, unnamed backdoor from Spinner is that it provides the features Spinner lacks, including the ability to manipulate files, steal sensitive data, and run OS commands and arbitrary downloaded malicious tools.
Security experts conclude that many sophisticated espionage groups have upgraded their attack tactics over time, making them more complex and harder to analyse and detect. They also noted that threat groups are continually evolving to become more persistent and stealthier in their cyberattacks.