Goblin Panda against the Bears
By Sebdraven
Published: 2018-08-03 · Archived: 2026-04-05 16:01:09 UTC
During my last investigation (here), I’ve found two RTFs malware documents with the same techniques of
exploitation of CVE-2017–11882:
A file 8.t in %TMP% with Package Ole Object
The same loop of decryption
The same runPE after overwriting in memory EQNEDT32.exe
But the payload is really different. It’s not a version of PlugX but a version of Sisfider studied by Ncc group.
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8570-rtf-and-the-sisfader-rat/
With the behaviour graph of Joe Sandbox, we can recognize the same interactions with operating system than my
last article and the paper of NCC Group.
Press enter or click to view image in full size
Behaviour of malwares
The difference with the version studied by NCC Group is the Package Ole Object. In the article of NCC Group,
the researchers talk about a SCT File and many javascript manipulations for dropping the RAT on the disk and to
start it.
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 1 of 9

Here, the payload is encrypted in 8.t file
If we analyze EQNEDT32.exe overwritten to recognise the payload, we have the same technics anti emulation
with the same value.
In a thread, the process posts in a queue the value 5ACE8D0Ah.
Press enter or click to view image in full size
Anti emulation tricks
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 2 of 9

Anti emulation tricks
The verification is calling GetMessage() and the value is stored in EAX in the function sub_401A60.
The comparaison is made in the calling function sub_4027D0.
Press enter or click to view image in full size
Anti emulation tricks verification
Juste after we found again the loop of decryption for the config.
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 3 of 9

call to loop of decryption
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 4 of 9

Loop of decrypting config
It’s the same algorithm described: a simple XOR loop with rolling key.
The mechanism of persistent is the same with a service creation just after dropping differents files and a privilege
escalation.
Press enter or click to view image in full size
We found the same name of the dll files.
Press enter or click to view image in full size
Persistence and loading agent
The malware overwrite the comobject
{9BA05972-F6A8–11CF-A442–00A0C90A8F39} to execute when this com object is called to make a persistence
Press enter or click to view image in full size
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 5 of 9

Press enter or click to view image in full size
ComObject Adding
All evidences show is the same payload Sisfader RAT.
Threat Intel
The toolset for exploiting the module of equation is the same using of the compromission for Vietnameses
Officials used by Goblin Panda. (APT 1937CN)
If we check the domain contacted by EQNEDT32.exe is kmbk8.hicp.net. This address is a real good pivot. It
makes the link with Goblin Panda and SisFader RAT.
Get Sebdraven’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
And the infrastructure is very interesting this domains resolved on three IPs:
122.158.140.100, 122.158.140.100 and 103.255.45.200
Theses addresses can permit to found others domains:
Sd123.eicp.net with new IP 180.131.58.9 and cv3sa.gicp.net with new IP 1.188.233.201
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 6 of 9

Press enter or click to view image in full size
Infrastructure
The Ip Address 103.255.45.200 has two domains:
www.36106g.com
36106g.com
Press enter or click to view image in full size
Infrastructure
All infrastructure is based at Shanghai.
The victims are different than the Vietnameses campaign.
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 7 of 9

They targeted Telecom Firms pretending to be the Intelligence Service of Russia (FSB)
Press enter or click to view image in full size
RTFs content
So Gobelin Panda targets like the report of CrowdStrike https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf he telecom industries in Russia.
Conclusion
Goblin Panda used Sisfader RAT to target the Telecom Firms russian with the same exploitation techniques for
Vietnameses Officials. They updated theirs technics than the report of NCC group.
IOCs:
Rtfs:
722e5d3dcc8945f69135dc381a15b5cad9723cd11f7ea20991a3ab867d9428c7
71c94bb0944eb59cb79726b20177fb2cd84bf9b4d33b0efbe9aed58bb2b43e9c
Domains IP:
1.188.233.201 cv3sa.gicp.net
1.188.236.22 cv3sa.gicp.net
1.188.236.22 kmbk8.hicp.net
1.188.236.22 sd123.eicp.net
103.255.45.200 36106g.com
103.255.45.200 cv3sa.gicp.net
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 8 of 9

103.255.45.200 kmbk8.hicp.net
103.255.45.200 sd123.eicp.net
103.255.45.200 www.36106g.com
122.158.140.100 cv3sa.gicp.net
122.158.140.100 kmbk8.hicp.net
122.158.140.100 sd123.eicp.net
Source: https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4
Page 9 of 9