The advanced persistent threat group Sharp Dragon has widened its sights while broadening its arsenal to target government installations evasively
Since 2021, Check Point Research (CPR) has been closely monitoring the activities of Sharp Dragon, a China-linked threat actor formerly known as Sharp Panda.
Historically, their tactics primarily involved highly targeted phishing emails to deploy malware such as VictoryDLL or the SoulSearcher framework. However, in recent months, these state-sponsored actors have shifted to targeting governmental organizations in Africa and the Caribbean.
These activities are consistent with Sharp Dragon’s established modus operandi: compromising high-profile email accounts and using them to disseminate phishing documents that load a remote template weaponized with RoyalRoad. However, unlike in previous campaigns, these lures now deploy Cobalt Strike Beacon, indicating a strategic adaptation to enhance their infiltration capabilities.
Infection chain
The threat actors leverage highly tailored phishing emails, often disguised as legitimate correspondence, to entice victims into opening malicious attachments or clicking on malicious links. These attachments or links execute payloads which, upon successful execution, establish a foothold on the target system, allowing the threat actors to conduct reconnaissance and gather information about the target environment. This reconnaissance phase enables Sharp Dragon to identify high-value targets and tailor their attack strategies accordingly.
This infection chain highlights Sharp Dragon’s sophisticated approach to cyber operations, emphasizing careful planning, reconnaissance, and exploitation of vulnerabilities to achieve their objectives while minimizing detection.
In their latest shift to target government organizations, Sharp Dragon’s tactics, techniques, and procedures have also evolved, including the following:
- Wider reconnaissance: More thorough reconnaissance on target systems now includes examining process lists and enumerating folders, leading to a more discerning selection of potential victims.
- Use of the Cobalt Strike payload: Transitioning from VictoryDll and the SoulSearcher framework to Cobalt Strike Beacon provides backdoor functionality while minimizing exposure of the group's custom tools, suggesting a more refined approach to target assessment.
- Use of EXE loaders: Some recent samples have incorporated EXE-based loaders instead of the typical DLL-based ones. Additionally, Sharp Dragon has introduced a new executable, shifting from the previous Word document-based infection chain to executables disguised as documents, closely resembling the prior method while enhancing persistence through scheduled tasks.
- Use of compromised infrastructure: The group has shifted from dedicated servers to compromised servers as command and control (C2) infrastructure, specifically exploiting CVE-2023-0669, a pre-authentication command injection flaw in the GoAnywhere platform.
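Two of the evolved techniques above, executables disguised as documents and persistence through scheduled tasks, leave a detectable trace at task-creation time. The following is an added defensive example, not code from the CPR report: it scans scheduled-task creation events and flags tasks whose action runs a document-named executable (for example `.docx.exe`) or a binary from a user-writable path. The JSON event format, field names and sample records are constructed assumptions loosely modelled on Windows "scheduled task was created" auditing (event 4698), not a real log schema.

```python
import json
import re

# Document-looking name ending in .exe, e.g. Budget_Report.docx.exe
DOUBLE_EXT = re.compile(r"\.(docx?|pdf|xlsx?|pptx?|rtf)\.exe$", re.IGNORECASE)
# Locations a standard user can write to; legitimate tasks rarely run from here
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\|\\Windows\\Temp\\|\\ProgramData\\",
    re.IGNORECASE,
)

# Constructed sample events (assumed simplified schema; paths are made up)
SAMPLE_EVENTS = [
    r'{"event_id": 4698, "task": "\\Microsoft\\Windows\\Update", "command": "\"C:\\Users\\jdoe\\AppData\\Roaming\\Budget_Report.docx.exe\" /silent"}',
    r'{"event_id": 4698, "task": "\\Setup", "command": "C:\\Users\\jdoe\\Downloads\\setup.exe --quiet"}',
    r'{"event_id": 4698, "task": "\\VendorUpdate", "command": "\"C:\\Program Files\\Vendor\\updater.exe\""}',
    r'{"event_id": 4702, "task": "\\Setup", "command": "C:\\Users\\jdoe\\Downloads\\setup.exe"}',
]


def executable_path(command):
    """Return the executable portion of a task action, stripping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_reasons(path):
    """List the heuristics a task action's executable path triggers (empty if none)."""
    reasons = []
    if DOUBLE_EXT.search(path):
        reasons.append("document-like name with .exe extension")
    if USER_WRITABLE.search(path):
        reasons.append("executable in user-writable location")
    return reasons


def flag_task_events(lines):
    """Parse JSON task-creation events and return those matching at least one heuristic."""
    flagged = []
    for line in lines:
        event = json.loads(line)
        if event.get("event_id") != 4698:  # only task creation, not updates/deletions
            continue
        path = executable_path(event.get("command", ""))
        reasons = suspicious_reasons(path)
        if reasons:
            flagged.append({"task": event.get("task"), "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_task_events(SAMPLE_EVENTS):
        print(hit["task"], hit["path"], "; ".join(hit["reasons"]))
```

The Downloads hit illustrates why the second heuristic needs tuning per environment: user-run installers also create tasks from there, so in practice it is best combined with parent-process or signer context.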
Sharp Dragon’s strategic expansion towards sensitive installations in Africa and the Caribbean could be part of a broader effort by Chinese state-sponsored threat actors to enhance their presence and influence in these regions.