Adversary Playbook: The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Goblin Panda as part of its role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.
Active since 2014, Goblin Panda is a threat actor that is focused on interests in Southeast Asia. Goblin Panda has been documented by various organizations, including Fortinet, over the past several years. Due to non-standardized naming conventions within the industry, Goblin Panda is also known as APT 27, Hellsing, Cycledek, and perhaps 1937CN. Goblin Panda is primarily active in South and Southeast Asia, with activity seen primarily in Cambodia, Indonesia, Philippines, Myanmar, Malaysia, Thailand, and Vietnam. India has also been targeted in the past, albeit in limited numbers.
Not much has been documented on this group for various reasons. This is primarily due the fact that its tactics, techniques, and procedures have evolved over the years, and also because rather than engaging in the sort of broad-brush attacks most cybercriminal gangs engage in, their targets and campaigns have been quite specific in nature. We hope that the information contained within our playbook is informative for responders who encounter one of their attacks, or for anyone interested in Goblin Panda.
Favorite methodologies of Goblin Panda include the use of remote access Trojans, including the infamous PlugX/Korplug, NewCore, and Sisfader RAT tools. Distribution of infected samples are often used by attackers such as Goblin Panda through weaponized Microsoft Office documents containing malicious macros, or by exploiting known vulnerabilities—most recently CVE-2012-0158 and CVE-2017-11882. Even though CVE-2012-0158 is over five years old, attackers are quite aware that many organizations, especially up and coming organizations in developing areas of the world, do not follow a regular patching schedule for various reasons, such as lack of resources or awareness, and therefore remain vulnerable to know exploits for long periods of time.
Observed instances of Goblin Panda activity have generally started with a spearphishing attacks via a maliciously crafted Microsoft Office document. When the document is opened by the victim, various files are dropped into different locations of the victim’s PC. Dropped files include legitimate software vendor files, an encrypted binary blog containing the payload, and DLL files containing the decryptor and loader for the payload.
During the installation of the malware, a DLL hijacking technique to evade traditional antivirus detections is used whereby a variety of legitimate DLL files from different vendors are hijacked using a Trojanized version of a malicious DLL file. Once the malicious DLL file is side loaded, it then downloads the Trojan downloader, which in turn sets a run key in the registry for persistence. Typically, a legitimate program requires libraries to properly execute. DLL sideloading/hijacking attacks makes the legitimate program think it is loading the correct DLL, when in reality it is loading the malicious DLL instead. Finally, it also checks to determine if it is running in a VM environment.
Once it is finished with those tasks, it then sends various parameters to a C2 server, including:
· OS version
· Processor speed
· Number of processors
· Physical memory size
· Computer name
· User name
· User privilege
· Computer IP address
· Volume serial number
When all of those parameters are deemed ok, it then downloads a payload. In most recent cases, that payload has been the NewCore RAT (Korplug/Plugx and Sisfader were seen in prior campaigns). The NewCore RAT is a malicious DLL file. However, executing the DLL without using the downloader will not work as the C&C server string is not embedded within the DLL file. Based on the strings found in its body, this malware may have been derived from the PcClient and PcCortr backdoors whose source codes are publicly available, especially on Chinese language coding forums.
NewCore RAT has the following attributes:
· Copy files
· Delete files
· Execute files
· Search files
· Download files
· Upload files
· Retrieve disk list
· Retrieve directory list
· Retrieve file information
· Retrieve disk information
· Rename files
· Screen monitoring
· Start command shell
We have also encountered several new NewCore RAT samples that may have been used by the Goblin Panda threat actors. However, due to time constraints we were unable to analyze them further to see if there is an absolute connection to the threat actor group. The following IOCs have been provided for information purposes. Please see the Indictors of Compromise section below for further details, along with our playbook viewer, which contains the tactics and techniques defined by the Mitre ATT&CK knowledge base.
For a detailed technical overview, read our previous blog: Rehashed RAT Used in APT Campaign Against Vietnamese Organizations
Indicators of Compromise
All samples (IOCs) have been provided in good faith. These samples had not been analyzed at the time of publication due to time restrictions. As a result, there are no guarantees made about the samples below with respect to Goblin Panda or any attributions to any threat actor.
Read and learn more about the Cyber Threat Alliance (CTA).
Sign up for our weekly FortiGuard Threat Brief.
Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.