A China-linked advanced persistent threat (APT) group known as Warp Panda, or TA428, conducted an espionage campaign targeting organizations in North America. The campaign was identified by researchers at Proofpoint, who attributed the activity to the state-sponsored actor known for intelligence-gathering operations.
Attack Methodology and Malware Deployment
The primary vector for initial access in this campaign was spear-phishing emails. These emails carried malicious attachments disguised as documents related to sanctions and import/export activities involving the US, China, and Russia. Attackers used lures with titles such as “US Treasury Imposes Sanctions on Russian State-Owned Diamond Miner” to entice targets.
Once opened, the attachment’s installer deployed three files: a legitimate executable, a malicious DLL, and an encrypted payload. The campaign utilized a technique known as DLL side-loading, where the legitimate executable was used to load the malicious DLL. This DLL would then decrypt and execute the final payload, a backdoor named ScreenCap. The ScreenCap backdoor is capable of capturing screenshots, executing files and commands, listing files, and exfiltrating data. It encrypts its command-and-control (C2) communications using AES-256.
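A defender-side check for the side-loading step described above, added here as an example (it is not code from the article or from Proofpoint): given image-load records, it flags a signed host process loading an unsigned DLL from its own user-writable directory, which is the legitimate-executable-plus-malicious-DLL pairing. The record field names, the user-writable path list and the sample events are all constructed assumptions, not indicators from the campaign.

```python
"""Detection sketch for the DLL side-loading pattern: a trusted EXE loading an
untrusted DLL from the same user-writable folder. Record fields are loosely
modelled on Sysmon Event ID 7 (Image loaded) but are assumptions, not the
real schema; sample events below are constructed placeholders."""
from pathlib import PureWindowsPath

# Locations a phishing-delivered installer typically drops into (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\public\\")


def is_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed host process loads an unsigned DLL that sits beside
    it in a user-writable directory (the three-file installer layout)."""
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if dll.suffix.lower() != ".dll":
        return False
    same_dir = str(host.parent).lower() == str(dll.parent).lower()
    host_signed = ev.get("HostSigned") == "true"
    dll_signed = ev.get("DllSigned") == "true"
    return same_dir and host_signed and not dll_signed and is_user_writable(str(dll))


def find_sideloads(events: list[dict]) -> list[tuple[str, str]]:
    """Return (host image, loaded DLL) pairs worth an analyst's attention."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


# Constructed sample events; file names are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "HostSigned": "true", "DllSigned": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\sanctions_doc\legit_viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\sanctions_doc\helper.dll",
     "HostSigned": "true", "DllSigned": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\sanctions_doc\legit_viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "HostSigned": "true", "DllSigned": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "HostSigned": "true", "DllSigned": "false"},
]

if __name__ == "__main__":
    for host, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {host} -> {dll}")
```

Only the second sample event matches: the system DLL loads and the unsigned plugin under Program Files are left alone, so the rule keys on location plus trust mismatch rather than on unsigned DLLs in general.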
Attribution and Campaign Objectives
Proofpoint attributed the campaign to Warp Panda (TA428) with high confidence. This attribution is based on observed overlaps with previous campaigns conducted by the group, including the use of shared C2 infrastructure, tools, and victimology. Warp Panda’s operations are recognized as being aligned with the strategic interests of the Chinese state, focusing primarily on espionage and intelligence collection. The group has a history of targeting government, defense, and technology sectors.
Source: https://www.infosecurity-magazine.com/news/chinalinked-warp-panda/