The Chinese state-sponsored cyberespionage gang Naikon, also known as Override Panda and Lotus Panda, has resurfaced with a new phishing campaign aimed at stealing private data. In 2010, the APT organisation was initially identified, and its infrastructure was discovered in 2015.
Getting into the intricacies
Lotus Panda was discovered to have utilised a spear-phishing email to deploy a Red team framework beacon known as Viper, according to Cluster25. While the exact targets are unclear, analysts believe it is a government institution from a South Asian country.
Chain of death
A malicious document masquerading as a call for tender is included in the spear-phishing email.
Two payloads are concealed as document properties in the document.
Viper is characterised as a “graphical intranet penetration tool that modifies and enhances popular intranet intrusion strategies and approaches.”
It comes with over 80 modules to help you with initial access, privilege escalation, credential access, persistence, arbitrary command execution, and lateral movement.
The Viper framework and ARL dashboards are both hosted on the C2 server.
Chinese hackers have carried out a number of noteworthy strikes
Moshen Dragon, a cyberespionage outfit based in Central Asia, is targeting telecommunications in the region. It tries to sideload malicious DLLs into antivirus systems in order to move about, steal passwords, and exfiltrate sensitive data.
APT10, also known as Cicada, was discovered to be behind a long-running espionage effort against Japanese companies. From mid-2021 until February 2022, the operations proceeded.
The Mustang Panda APT was discovered utilising a new strain of PlugX RAT in March. The trojan, dubbed Hodur, is capable of a variety of tasks, including gathering system information, running commands, and reading and writing arbitrary files.
Conclusion
The TTPs of Override Panda show that it is engaged in long-term espionage and intelligence operations. Foreign officials and countries have been targeted by the organisation in the past. The industries that Naikon has targeted indicate that it intends to infect ASEAN countries. Furthermore, the organisation has updated and evolved its TTPs throughout time in order to avoid discovery and increase revenues.