A Chinese state-sponsored espionage group, Override Panda, has been observed targeting ASEAN countries, stealing sensitive information from victims via phishing attacks.
What has happened?
The group is suspected of conducting long-term intelligence-gathering and espionage operations against foreign governments and officials.
- A report from Cluster25 disclosed that Override Panda used a spear-phishing email to deliver a beacon for the Viper tool; ARL dashboards were also observed.
- The target of the recent attack is unknown. However, based on the group's previous attack history, it might be targeting a government entity based in a South Asian country.
- The recent attack chains use decoy documents attached to spear-phishing emails, crafted to lure the targeted victims into opening them and infecting themselves with malware.
About Viper
The recent campaign uses a weaponized Office document to start the infection chain: a loader executes shellcode, which in turn injects a beacon for the Viper red-team tool.
- Viper is a graphical intranet penetration tool available for download from GitHub. It modularizes and weaponizes the methods and technologies used during intranet penetration.
- Viper is similar to Cobalt Strike, featuring over 80 modules covering initial access, privilege escalation, persistence, lateral movement, arbitrary command execution, and credential access.
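The chain described above (Office document, then a loader, then shellcode that injects a beacon into another process) is what a detection engineer would hunt for, regardless of which C2 framework the beacon belongs to. The following is an added example, not code from Cluster25 or from the Viper project: it correlates constructed, simplified Sysmon-style events (process creation, CreateRemoteThread, network connection) and flags any injection whose source process descends from an Office application. Process names, PIDs, and the IP address are hypothetical, and the flat dictionary field names are an assumption rather than Sysmon's real XML schema.

```python
"""Hunt for Office -> loader -> shellcode -> injection -> beacon chains.

Added example, not from the original report. Events are constructed and
simplified; field names are an assumption, not the real Sysmon schema.
Event IDs follow Sysmon: 1 = process create, 8 = CreateRemoteThread,
3 = network connection.
"""
from typing import Callable, Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample telemetry (hypothetical PIDs, image names and IP).
EVENTS: List[Dict] = [
    {"id": 1, "pid": 4101, "image": "winword.exe", "parent_pid": 900,
     "parent_image": "explorer.exe"},
    # Loader dropped by the weaponized document, spawned by Word.
    {"id": 1, "pid": 4222, "image": "loader.exe", "parent_pid": 4101,
     "parent_image": "winword.exe"},
    # Loader's shellcode injects into a host process.
    {"id": 8, "source_pid": 4222, "source_image": "loader.exe",
     "target_pid": 3050, "target_image": "svchost.exe"},
    # The injected process starts beaconing out.
    {"id": 3, "pid": 3050, "image": "svchost.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign: Outlook opening a PDF reader, no injection afterwards.
    {"id": 1, "pid": 5000, "image": "acrord32.exe", "parent_pid": 4500,
     "parent_image": "outlook.exe"},
    # Benign: remote thread from a system process with no Office lineage.
    {"id": 8, "source_pid": 600, "source_image": "csrss.exe",
     "target_pid": 7000, "target_image": "conhost.exe"},
]


def office_rooted_checker(events: List[Dict]) -> Callable[[int], bool]:
    """Return a predicate telling whether a PID is, or descends from, an
    Office application, using the process-create (ID 1) events."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}

    def rooted(pid: int) -> bool:
        seen = set()
        while pid in procs and pid not in seen:   # guard against PID cycles
            seen.add(pid)
            proc = procs[pid]
            # Either the process itself or its recorded parent is Office.
            if (proc["image"].lower() in OFFICE_APPS
                    or proc["parent_image"].lower() in OFFICE_APPS):
                return True
            pid = proc["parent_pid"]               # walk up the tree
        return False

    return rooted


def find_injection_chains(events: List[Dict]) -> List[Dict]:
    """Flag CreateRemoteThread (ID 8) events whose source has Office lineage,
    and attach any network connections (ID 3) made by the injected target."""
    rooted = office_rooted_checker(events)
    findings = []
    for e in events:
        if e["id"] != 8 or not rooted(e["source_pid"]):
            continue
        beacons = [(n["dest_ip"], n["dest_port"]) for n in events
                   if n["id"] == 3 and n["pid"] == e["target_pid"]]
        findings.append({
            "injector": e["source_image"], "injector_pid": e["source_pid"],
            "target": e["target_image"], "target_pid": e["target_pid"],
            "c2": beacons,
        })
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(EVENTS):
        print(f)
```

The lineage walk is what makes this useful against the chain on this page: the beacon ends up in a process that looks ordinary (`svchost.exe` in the constructed sample), so alerting on the injected process alone would miss it, while tying the CreateRemoteThread source back to an Office parent catches the loader whatever it is named. The benign Outlook and `csrss.exe` events are included to show the two filters that keep the rule quiet: no injection after the Office child, and injection without Office lineage.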
Conclusion
Override Panda is active again with the goal of gathering intelligence and carrying out espionage operations. Organizations that handle sensitive data should therefore focus on protecting it: encrypt it at rest and in transit, enforce proper access control, and deploy reliable anti-malware. Because the observed intrusion starts with a document attached to a spear-phishing email and ends with a beacon for a publicly available tool, user awareness of malicious attachments and monitoring for Office applications spawning loaders or injecting into other processes are practical complements to those controls.