Chinese cyberspies targeted two Russian defense institutes and possibly another research facility in Belarus, according to Check Point Research.

The new campaign, dubbed Twisted Panda, is part of a larger, state-sponsored espionage operation that has been ongoing for several months, if not nearly a year, according to the security shop.

In a technical analysis, the researchers detail the various malicious stages and payloads of the campaign that used sanctions-related phishing emails to attack Russian entities, which are part of the state-owned defense conglomerate Rostec Corporation.

Check Point Research also noted that around the same time that they observed the Twisted Panda attacks, another Chinese advanced persistent threat (APT) group Mustang Panda was observed exploiting the invasion of Ukraine to target Russian organizations.

In fact, Twisted Panda may have connections to Mustang Panda or another Beijing-backed spy ring called Stone Panda, aka APT10, according to the security researchers.

In addition to the timing of the attacks, other tools and techniques used in the new campaign overlap with China-based APT groups, they wrote. Because of this, the researchers attributed the new cyberspying operation “with high confidence to a Chinese threat actor.”

During the the course of the research, the security shop also uncovered a similar loader that contained that looked like an easier variant of the same backdoor. And based on this, the researchers say they expect Twisted Panda has been active since June 2021.

Phishing for defense R&D

The new campaign started on March 23 with phishing emails sent to defense research institutes in Russia. All of them had the same subject: “List of [target institute name] persons under US sanctions for invading Ukraine”, a malicious document attached, and contained a link to an attacker-controlled site designed to look like the Health Ministry of Russia.

An email went out to an organization in Minsk, Belarus, on the same day with the subject: “US Spread of Deadly Pathogens in Belarus”. 

Additionally, all of the attached documents looked like official Russian Ministry of Health documents with the official emblem and title.

Downloading the malicious document drops a sophisticated loader that not only hides its functionality, but also avoids detection of suspicious API calls by dynamically resolving them with name hashing. 

By using DLL sideloading, which Check Point noted is “a favorite evasion technique used by multiple Chinese actors,” the malware evades anit-virus tools. The researchers cited PlugX malware, used by Mustang Panda, and a more recent APT10 global espionage campaign that used the VLC player for side-loading.

In this case of the Twisted Panda campaign, “the actual running process is valid and signed by Microsoft,” according to the analysis.

According to the security researchers, the loader contains two shellcodes. The first one runs the persistence and cleanup script. And the second is a multi-layer loader. “The goal is to consecutively decrypt the other three fileless loader layers and eventually load the main payload in memory,” Check Point Research explained.

New Spinner backdoor detected

The main payload is a previously undocumented Spinner backdoor, which uses two types of obfuscations. And while the backdoor is new, the researchers noted that the obfuscation methods have been used together in earlier samples attributed to Stone Panda and Mustang Panda. These are control-flow flattening, which makes the code clow non-linear, and opaque predicates, which ultimately causes the binary to perform needless calculations. 

“Both methods make it difficult to analyze the payload, but together, they make the analysis painful, time-consuming, and tedious,” the security shop said.

The Spinner backdoor’s main purpose is to run additional payloads sent from a command-and-control server, although the researchers say they didn’t intercept any of these other payloads. However, “we believe that selected victims likely received the full backdoor with additional capabilities,” they noted.

Tied to China’s five-year plan?

The victims — research institutes that focus on developing electronic warfare systems, military-specialized onboard radio-electronic equipment, avionics systems for civil aviation, and medical equipment and control systems for energy, transportation, and engineering industries — also tie the Twisted Panda campaign to China’s five-year plan, which aims to expand the country’s scientific and technical capabilities. 

And, as the FBI has warned [PDF], the Chinese government isn’t above using cyberespionage and IP theft to accomplish these goals.

As Check Point Research concluded: “Together with the previous reports of Chinese APT groups conducting their espionage operations against the Russian defense and governmental sector, the Twisted Panda campaign described in this research might serve as more evidence of the use of espionage in a systematic and long-term effort to achieve Chinese strategic objectives in technological superiority and military power.” ®