May 24, 2022

Twisted Panda Campaign Targets Russian Defense Institutions

Industry: N/A | Level: Tactical | Source: CheckPoint

CheckPoint has investigated an espionage campaign, attributed to the Chinese APT groups APT10 (a.k.a. Stone Panda) and Mustang Panda, that has targeted Russian defense entities since June 2021, with the most recent activity observed in April 2022. The campaign is named Twisted Panda after the threat actors attributed to it. The targeted Russian entities belong to the state-owned defense conglomerate Rostec Corporation and specialize in radio-electronics as well as the research, design, and manufacturing of warfare systems. The campaign is delivered through phishing emails carrying malicious documents whose lures are themed around events in the Russia-Ukraine conflict. The malicious document loads an external template (a .DOTM file) whose macro code downloads two DLL files and an INIT file. The dropped DLLs run shellcode from the INIT file, which establishes persistence with a scheduled task. The infection chain ends in the SPINNER backdoor, which is launched from a remote thread created in MSIEXEC. The backdoor can collect system information, exfiltrate files, download additional payloads and run OS commands.

Anvilogic Scenario:

  • Twisted Panda Campaign & SPINNER Backdoor

Anvilogic Use Cases:

  • Malicious Document Execution
  • Suspicious File written to Disk
  • Create/Modify Schtasks
  • Msiexec Abuse
  • Rare Remote Thread
  • New AutoRun Registry Key
  • Common Reconnaissance Commands
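As an added illustration (not code from the CheckPoint report or from Anvilogic), the Python sketch below runs simplified versions of several of the use cases above over a handful of constructed Sysmon-style events and then correlates hits per host the way a scenario would. The event field names follow Sysmon's naming (EventID 1 process create, 11 file create, 8 CreateRemoteThread); the hostnames, paths, task name and dropped file names are invented, and only the shape of the chain (Office dropping DLL/INIT files, a scheduled task for persistence, a remote thread into msiexec) follows the summary.

```python
"""Toy detection pass for the Twisted Panda chain (added example, constructed data)."""
from collections import defaultdict
from typing import Dict, List

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
DROPPED_EXTS = (".dll", ".exe", ".ini")
INJECT_TARGETS = {"msiexec.exe", "svchost.exe", "explorer.exe", "dllhost.exe"}
# Windows components that legitimately create threads in other processes (assumed allowlist).
KNOWN_INJECTORS = {"csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_office_child(ev: Dict) -> List[str]:
    """Malicious Document Execution: an Office app spawning a script or LOLBin host."""
    if ev["EventID"] == 1 and basename(ev["ParentImage"]) in OFFICE_APPS \
            and basename(ev["Image"]) in SCRIPT_HOSTS:
        return ["Malicious Document Execution"]
    return []


def rule_suspicious_file_write(ev: Dict) -> List[str]:
    """Suspicious File written to Disk: Office writing a DLL/EXE/INI to a user-writable path."""
    if ev["EventID"] != 11:
        return []
    target = ev["TargetFilename"].lower()
    if basename(ev["Image"]) in OFFICE_APPS and target.endswith(DROPPED_EXTS) \
            and any(seg in target for seg in USER_WRITABLE):
        return ["Suspicious File written to Disk"]
    return []


def rule_schtasks_create(ev: Dict) -> List[str]:
    """Create/Modify Schtasks: schtasks.exe invoked with /create or /change."""
    if ev["EventID"] == 1 and basename(ev["Image"]) == "schtasks.exe":
        cmd = ev["CommandLine"].lower()
        if "/create" in cmd or "/change" in cmd:
            return ["Create/Modify Schtasks"]
    return []


def rule_remote_thread(ev: Dict) -> List[str]:
    """Rare Remote Thread / Msiexec Abuse: thread created in a hosting process by an unexpected source."""
    if ev["EventID"] != 8:
        return []
    src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if src in KNOWN_INJECTORS or dst not in INJECT_TARGETS:
        return []
    tags = ["Rare Remote Thread"]
    if dst == "msiexec.exe":
        tags.append("Msiexec Abuse")
    return tags


RULES = [rule_office_child, rule_suspicious_file_write, rule_schtasks_create, rule_remote_thread]


def run_detections(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event; one finding per (event, matched use case)."""
    findings = []
    for ev in events:
        for rule in RULES:
            for tag in rule(ev):
                findings.append({"host": ev["Computer"], "use_case": tag, "event": ev})
    return findings


def correlate(findings: List[Dict], min_use_cases: int = 3) -> Dict[str, List[str]]:
    """Scenario logic: report hosts on which several distinct use cases fired."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["use_case"])
    return {h: sorted(tags) for h, tags in per_host.items() if len(tags) >= min_use_cases}


# Constructed events: WS01 replays the chain from the summary, WS02 is benign noise.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "WS01", "Image": OFFICE,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\dropped.dll"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": OFFICE, "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\dropped.dll,Start"},
    {"EventID": 1, "Computer": "WS01", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn Updater /tr "rundll32 C:\Users\alice\AppData\Local\Temp\dropped.dll,Start"'},
    {"EventID": 8, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Computer": "WS02", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "schtasks /query /fo list"},
    {"EventID": 8, "Computer": "WS02", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    hits = run_detections(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']}: {h['use_case']}")
    print("scenario hosts:", correlate(hits))
```

The individual rules are deliberately noisy on their own (a scheduled task or a DLL in a temp folder is routine); the value comes from `correlate`, which only escalates a host once several distinct use cases line up, mirroring how the scenario above builds on the listed use cases.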