In this August edition of Threat Thursday, we talk about Sharp Dragon, a Chinese Advanced Persistent Threat (APT) group employing a novel tactic known as "app domain abuse" to conduct cyber campaigns across regions including Africa, Southeast Asia, and the Caribbean.
In this episode of Threat Thursday, the focus was on Sharp Dragon, a Chinese Advanced Persistent Threat (APT) group employing a novel tactic known as "app domain abuse" to conduct cyber campaigns across regions including Africa, Southeast Asia, and the Caribbean. This method involves the "side-loading" of a malicious Dynamic Link Library (DLL) into a legitimate Microsoft executable by utilizing a configuration (.config) file. By copying the executable to a specific Windows apps directory, attackers can instruct the executable to load the malicious DLL, taking advantage of the trust associated with digitally signed Microsoft software. This technique allows Sharp Dragon to mask its malicious activities, making them appear legitimate and increasing the likelihood of successful infiltration.
The analysis dives deeper into Sharp Dragon's operational strategies, highlighting the use of the "Net G GAC helper.dll" for system enumeration and communication with command-and-control (C2) servers. By leveraging native Windows API calls, the group cleverly avoids creating child processes that could raise alarms during detection. The only discernible activity observed in system logs is the execution of the "Microsoft uev sync controller" executable, which resides in legitimate directories, thus camouflaging malicious operations. Furthermore, the group's sophisticated phishing campaigns target governmental entities, utilizing organizational trust to deploy their attacks. These tactics echo previous methodologies employed by Sharp Dragon, emphasizing the persistent and evolving nature of their threat landscape.
The discussion concludes by stressing the importance of proactive monitoring and detection techniques. Watch the full Threat Thursday below!
Register today! 🦄