Check Point Research has been monitoring Sharp Dragon, a Chinese cyber threat group, since 2021. This group, previously known as Sharp Panda, has primarily targeted organisations in Southeast Asia with phishing campaigns. Recently, however, they have expanded their activities to include government organisations in Africa and the Caribbean, marking a significant change in their strategy.
Starting in late 2023, Sharp Dragon shifted its focus to government entities in Africa and the Caribbean. They used previously compromised email accounts from Southeast Asia to send phishing emails. These emails contained documents that appeared legitimate but were actually designed to deliver Cobalt Strike Beacon malware, replacing their earlier use of VictoryDLL and the Soul framework.
The first attack targeting Africa occurred in November 2023, involving a phishing email about industrial relations between Southeast Asia and Africa. By January 2024, further attacks within Africa suggested that some initial attempts had been successful. Similarly, in December 2023, Sharp Dragon targeted a Caribbean government with a document related to a Commonwealth meeting. This was followed by a broader phishing campaign in January 2024, using a fake survey about opioid threats in the Eastern Caribbean.
Sharp Dragon has been refining its tactics. Their new approach includes more thorough checks on target systems before deploying malware. They now use Cobalt Strike Beacon, which allows them to control infected systems without exposing their custom tools immediately. This change helps them avoid detection and gather more information on their targets.
They have also shifted from using DLL-based loaders to executable files disguised as documents. These files write and execute malicious software and create scheduled tasks for persistence on the infected system.
Another major change is Sharp Dragon's use of compromised servers for their command and control operations. Instead of using dedicated servers, they exploit legitimate servers, making their activities harder to detect. For example, in May 2023, they used a vulnerability in the GoAnywhere platform to take over legitimate servers.
Sharp Dragon's new focus on Africa and the Caribbean shows a broader effort by Chinese cyber groups to increase their influence in these regions. After years of targeting Southeast Asia, Sharp Dragon is using its established tactics to gain foothold in new territories. Their refined methods and careful target selection highlight the need for enhanced cybersecurity measures in these regions, which have yet to be as heavily scrutinized by the global cybersecurity community.
