In their latest shift to target government organizations, Sharp Dragon’s tactics, techniques, and procedures have also evolved, including the following:

  • Wider reconnaissance: More-thorough reconnaissance on target systems now includes examining process lists and enumerating folders, leading to a more discerning selection of potential victims.
  • Use of the Cobalt Strike payload: Transitioning from VictoryDll and the SoulSearcher framework to Cobalt Strike Beacon provides backdoor functionality while limiting the exposure of custom tools, suggesting a more refined approach to target assessment.
  • Use of EXE loaders: Some of the latest samples incorporate EXE-based loaders instead of the typical DLL-based ones. Sharp Dragon has also introduced a new executable, shifting from the previous Word-document-based infection chain to executables disguised as documents; the new chain closely resembles the prior method but adds persistence through scheduled tasks.
  • Use of compromised infrastructure: The group has shifted from dedicated servers to compromised servers for command and control, specifically servers compromised through CVE-2023-0669, a pre-authentication command injection flaw in the GoAnywhere platform.