Goblin Panda against the Bears

During my last investigation (here), I’ve found two RTFs malware documents with the same techniques of exploitation of CVE-2017–11882:

A file 8.t in %TMP% with Package Ole Object

The same loop of decryption

The same runPE after overwriting in memory EQNEDT32.exe

But the payload is really different. It’s not a version of PlugX but a version of Sisfider studied by Ncc group. https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8570-rtf-and-the-sisfader-rat/

With the behaviour graph of Joe Sandbox, we can recognize the same interactions with operating system than my last article and the paper of NCC Group.

Behaviour of malwares

The difference with the version studied by NCC Group is the Package Ole Object. In the article of NCC Group, the researchers talk about a SCT File and many javascript manipulations for dropping the RAT on the disk and to start it.

Here, the payload is encrypted in 8.t file

If we analyze EQNEDT32.exe overwritten to recognise the payload, we have the same technics anti emulation with the same value.

In a thread, the process posts in a queue the value 5ACE8D0Ah.

Anti emulation tricks
Anti emulation tricks

The verification is calling GetMessage() and the value is stored in EAX in the function sub_401A60.

The comparaison is made in the calling function sub_4027D0.

Anti emulation tricks verification

Juste after we found again the loop of decryption for the config.

call to loop of decryption
Loop of decrypting config

It’s the same algorithm described: a simple XOR loop with rolling key.

The mechanism of persistent is the same with a service creation just after dropping differents files and a privilege escalation.

We found the same name of the dll files.

Persistence and loading agent

The malware overwrite the comobject

{9BA05972-F6A8–11CF-A442–00A0C90A8F39} to execute when this com object is called to make a persistence

ComObject Adding

All evidences show is the same payload Sisfader RAT.

Threat Intel

The toolset for exploiting the module of equation is the same using of the compromission for Vietnameses Officials used by Goblin Panda. (APT 1937CN)

If we check the domain contacted by EQNEDT32.exe is kmbk8.hicp.net. This address is a real good pivot. It makes the link with Goblin Panda and SisFader RAT.

And the infrastructure is very interesting this domains resolved on three IPs:, and

Theses addresses can permit to found others domains:

Sd123.eicp.net with new IP and cv3sa.gicp.net with new IP


The Ip Address has two domains:




All infrastructure is based at Shanghai.

The victims are different than the Vietnameses campaign.

They targeted Telecom Firms pretending to be the Intelligence Service of Russia (FSB)

RTFs content

So Gobelin Panda targets like the report of CrowdStrike https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf he telecom industries in Russia.


Goblin Panda used Sisfader RAT to target the Telecom Firms russian with the same exploitation techniques for Vietnameses Officials. They updated theirs technics than the report of NCC group.





Domains IP: cv3sa.gicp.net cv3sa.gicp.net kmbk8.hicp.net sd123.eicp.net 36106g.com cv3sa.gicp.net kmbk8.hicp.net sd123.eicp.net www.36106g.com cv3sa.gicp.net kmbk8.hicp.net sd123.eicp.net