Numbered Panda Uses CPL Files in Cyberespionage Campaign

Delaware, USA – November 15, 2017 – Attackers extremely rarely use CPL files to disguise malware, and usually, such attacks are performed by the notorious cybergangs. Using this file format allows them to bypass Windows AppLocker and causes less suspicion when cybersecurity officers investigate suspicious activity on a compromised system. The Palo Alto Networks unit has discovered a new tool for cyber espionage – Reaver backdoor trojan, which is used by the APT12 group, also known as Numbered Panda, in campaigns since late 2016. Researchers found three versions of this malware, and the latest samples were discovered this month. Thus, the campaign using the Reaver trojan is still ongoing. The discovered infrastructure used by this malware indicates a link to SunOracle trojan. In addition to collecting information about the victim’s system and reading files, Reaver allows adversaries to modify register and services, delete files, spawn and terminate processes.

So far it has not been possible to establish who is the primary target of this campaign. Cybercriminals from Numbered Panda group are very inventive and have been active for about seven years, targets of their previous campaigns were located in Asia and the Middle East. This malware uses HTTP or TCP protocol to communicate with the C2 server, so its activity can be detected by monitoring the network protocols. To do this, you can get Netflow Security Monitor use case, which allows your SIEM to profile traffic in real-time, detect traffic spikes and data leakage.