Site icon Check Point Blog

Chinese Espionage Campaign Expands to Target Africa and The Caribbean

Check Point Research (CPR) sees an ongoing cyber espionage campaign focuses on targeting governmental organizations in Africa and the Caribbean. Attributed to a Chinese threat actor Sharp Dragon (formerly Sharp Panda), the campaign adopts Cobalt Strike Beacon as the payload, enabling backdoor functionalities like C2 communication and command execution while minimizing the exposure of their custom tools. This refined approach suggests a deeper understanding of their targets.

Key Findings

Since 2021, Check Point Research has closely monitored the activities of Sharp Dragon, a Chinese threat actor formerly known as Sharp Panda. Their historical tactics primarily involve highly-targeted phishing emails, which have previously resulted in the deployment of malware such of VictoryDLL or the Soul framework.

However, a significant shift has been observed in recent months. Sharp Dragon redirected its focus towards governmental organizations in Africa and the Caribbean, demonstrating a clear expansion of their operations beyond their original scope. These activities are consistent with Sharp Dragon’s established modus operandi, characterized by the compromise of high-profile email accounts to disseminate phishing documents leveraging a remote template weaponized using RoyalRoad. However, unlike previous tactics, these lures now deploy Cobalt Strike Beacon, indicating a strategic adaptation to enhance their infiltration capabilities.

Figure 1 : Sharp Dragon’s shift to target Africa and the Caribbean

Infection Chain

First, the threat actors leverage highly tailored phishing emails, often disguised as legitimate correspondence, to entice victims into opening malicious attachments or clicking on malicious links. These attachments or links execute payloads, which have evolved over time from custom malware like VictoryDLL and the Soul framework to more widely used tools such as Cobalt Strike Beacon. Upon successful execution, the malware establishes a foothold on the victim’s system, allowing the threat actors to conduct reconnaissance and gather information about the target environment. This reconnaissance phase enables Sharp Dragon to identify high-value targets and tailor their attack strategies accordingly.

Figure 2 : Infection Chain Example

This infection chain highlights Sharp Dragon’s sophisticated approach to cyber operations, emphasizing careful planning, reconnaissance, and exploitation of vulnerabilities to achieve their objectives while minimizing detection.

Tactics, Techniques, and Procedures

While the core functionality remains consistent, CPR has identified changes in their Tactics, Techniques, and Procedures (TTPs). Those changes reflect a more careful target selection and operational security (OPSEC) awareness. Some changes include:

Conclusion

Sharp Dragon’s strategic expansion towards Africa and the Caribbean signifies a broader effort by Chinese cyber actors to enhance their presence and influence in these regions. The evolving tactics of Sharp Dragon underscore the dynamic nature of cyber threats, especially towards regions that have been historically overlooked.

These findings emphasize the importance of vigilant cybersecurity measures, with products like Check Point Harmony Endpoint providing comprehensive protection against emerging threats.

Exit mobile version