The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that’s designed to meet its intelligence-gathering goals.
Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of “basic machine enumeration and command execution via PowerShell or Goroutines.”
What the malware lacks in sophistication, it makes up for in redundancy: it retains access to the compromised host through multiple persistence tasks and varied methods of communicating with different servers.
Camaro Dragon overlaps with a threat actor widely tracked as Mustang Panda, a state-sponsored group from China that is known to be active since at least 2012.
The threat actor was recently in the spotlight for a custom firmware implant called Horse Shell that co-opts TP-Link routers into a mesh network capable of transmitting commands to and from the command-and-control (C2) servers.
In other words, the goal is to obscure the malicious activity by using compromised home routers as intermediate infrastructure that allows communications with infected computers to emanate from a different node.
The latest findings demonstrate the evolution and growth in sophistication of both attackers’ evasion tactics and targeting, not to mention the mixture of custom tools used to breach the defenses of different targets.
The TinyNote backdoor is distributed using names related to foreign affairs (e.g., “PDF_ Contacts List Of Invitated Deplomatic Members”), and likely targets Southeast and East Asian embassies. It’s also the first known Mustang Panda artifact written in Golang.
A noteworthy aspect of the malware is its ability to specifically bypass an Indonesian antivirus solution called Smadav, underscoring its high level of preparation and deep knowledge of the victims’ environments.
“The TinyNote backdoor highlights the targeted approach of Camaro Dragon and the extensive research they conduct prior to infiltrating their intended victims’ systems,” Check Point said.
“The simultaneous use of this backdoor together with other tools with different levels of technical advancement implies that the threat actors are actively seeking to diversify their attack arsenal.”
The disclosure comes as ThreatMon uncovered APT41’s (aka Wicked Panda) use of living-off-the-land (LotL) techniques to launch a PowerShell backdoor by leveraging a legitimate Windows executable called forfiles.
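The forfiles technique is detectable from ordinary process-creation telemetry, because forfiles.exe is a file-enumeration utility whose only reason to touch PowerShell is to run a command per matched file. The following detection logic is an added example, not code from ThreatMon’s report or from any of the vendors cited here; the sample events are constructed, use Sysmon Event ID 1 style field names (Image, ParentImage, CommandLine), and are not telemetry from the campaign described above.

```python
import json
import ntpath
import re
from typing import Iterable, List, Tuple

# Constructed sample process-creation events (Sysmon Event ID 1 style field names).
# Events 0 and 1 show forfiles being used to reach PowerShell; events 2 and 3 are
# benign (a log cleanup task and a directly launched backup script).
SAMPLE_EVENTS = [
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\forfiles.exe",
                "CommandLine": 'forfiles /p C:\\Windows\\System32 /m notepad.exe /c "cmd /c powershell -nop -w hidden"'}),
    json.dumps({"ParentImage": r"C:\Windows\System32\forfiles.exe",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": 'cmd /c powershell -nop -w hidden'}),
    json.dumps({"ParentImage": r"C:\Windows\System32\cmd.exe",
                "Image": r"C:\Windows\System32\forfiles.exe",
                "CommandLine": 'forfiles /p C:\\logs /m *.log /d -30 /c "cmd /c del @file"'}),
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": 'powershell -File C:\\scripts\\backup.ps1'}),
]

# Either PowerShell host binary, with or without the .exe suffix.
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# forfiles' "/c" switch: the command forfiles runs once per matched file.
FORFILES_EXEC_RE = re.compile(r"(?:^|\s)/c\s", re.IGNORECASE)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_forfiles_lotl(events: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for events where forfiles is used to reach PowerShell.

    Two patterns are covered:
      * forfiles.exe itself launched with /c and a PowerShell reference on its command line;
      * a child process of forfiles.exe that is PowerShell or whose command line invokes it
        (forfiles /c "cmd /c ..." spawns cmd.exe, so the PowerShell reference is on cmd's line).
    Plain forfiles use (e.g. deleting old logs) is not flagged.
    """
    findings = []
    for idx, raw in enumerate(events):
        ev = json.loads(raw)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "")
        if image == "forfiles.exe" and FORFILES_EXEC_RE.search(cmdline) and POWERSHELL_RE.search(cmdline):
            findings.append((idx, "forfiles /c launching PowerShell"))
        elif parent == "forfiles.exe" and (image in PS_IMAGES or POWERSHELL_RE.search(cmdline)):
            findings.append((idx, "child of forfiles.exe invokes PowerShell"))
    return findings


if __name__ == "__main__":
    for idx, reason in detect_forfiles_lotl(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The second rule matters in practice: forfiles runs its /c argument through cmd.exe, so a detection keyed only on PowerShell’s parent image would see cmd.exe, not forfiles.exe. Checking both the forfiles command line and its immediate children closes that gap, and the benign cleanup event shows why the PowerShell reference, not forfiles /c alone, is the discriminating signal.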
That’s not all. High-level government officials from G20 nations have emerged as a target of a new phishing campaign orchestrated by another Chinese threat actor referred to as Sharp Panda, per Cyble.
The emails contain booby-trapped versions of purported official documents, which employ the remote template injection method to retrieve the next-stage downloader from the C2 server using the Royal Road Rich Text Format (RTF) weaponizer.
It’s worth pointing out that the aforementioned infection chain is consistent with previous Sharp Panda activity, as recently evidenced by Check Point in attacks aimed at government entities in Southeast Asia.
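Remote template injection leaves a static artifact that mail gateways and sandboxes can check before a document is opened: an attachedTemplate relationship in the document’s OOXML package whose target is an external URL rather than a local template. The checker below is an added example, not code from Cyble or Check Point; the in-memory documents it scans are constructed stand-ins (the URL uses the reserved .example domain) rather than real Sharp Panda lures.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

# Constructed relationship files. The first points the attached template at a web server
# (the remote template injection pattern); the second is what a normal Word document looks
# like, with Normal.dotm referenced as a local file:/// path.
REMOTE_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="' + REL_NS + '">'
    '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '" '
    'Target="http://template.example/invite.dotm" TargetMode="External"/>'
    '</Relationships>'
)
LOCAL_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="' + REL_NS + '">'
    '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE + '" '
    'Target="file:///C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm" TargetMode="External"/>'
    '</Relationships>'
)


def build_docx(rels_xml: str) -> bytes:
    """Construct a minimal docx-shaped zip carrying the given settings.xml.rels (illustrative only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


def is_remote_target(target: str) -> bool:
    """True when the template target resolves off-host: web/FTP URL, UNC path, or file:// with a host."""
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    # file:///C:/... is a local template; file://server/share/... is not.
    return scheme == "file" and bool(parsed.netloc)


def find_remote_templates(docx_bytes: bytes) -> List[Tuple[str, str]]:
    """Scan every .rels part in the package and return (part name, target) for remote attached templates."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if external and is_remote_target(target):
                    hits.append((name, target))
    return hits


if __name__ == "__main__":
    print(find_remote_templates(build_docx(REMOTE_RELS)))  # flags the http target
    print(find_remote_templates(build_docx(LOCAL_RELS)))   # empty: Normal.dotm is local
```

The local Normal.dotm case is the reason the check looks at the target’s scheme and host rather than at TargetMode alone: Word writes TargetMode="External" for ordinary local templates too, so flagging every external attachedTemplate would bury the genuine hits in false positives. When scanning untrusted documents in production, parse the XML with a hardened parser such as defusedxml rather than the standard library’s ElementTree.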
What’s more, the People’s Liberation Army (PLA) of China has been found leveraging open-source information available from the internet and other sources for military intelligence purposes to gain a strategic advantage over the West.
“The PLA’s use of OSINT very likely provides it an intelligence advantage, as the West’s open information environment allows the PLA to easily harvest large quantities of open-source data, whereas Western militaries must contend with China’s closed information environment,” Recorded Future noted.
The analysis draws from a list of 50 PLA and Chinese defense industry procurement records that were published between January 2019 and January 2023.
“Commercial data providers should also be aware that China’s military and defense industry could be purchasing their data for intelligence purposes, and should consider carrying out due diligence when selling their data to entities in China,” the company said.