Stone Panda (also called ChessMaster and APT10) is a hacking group based in China. They normally target big companies and various foreign government institutions. The nature of their targets has led some to believe that the Stone Panda APT (Advanced Persistent Threat) may be funded by the Chinese government. Recently, two other threats by the Stone Panda group made the news – the RedLeaves RAT (Remote Access Trojan) and the ChChes RAT. Today, however, we will be describing a new hacking tool, which appears to be a part of the Stone Panda APT’s arsenal – the ANEL backdoor Trojan.
The propagation method employed in spreading the ANEL Trojan is spear phishing emails. The emails have been crafted for the victims personally, which means that it is highly likely that the Stone Panda hacking group has been gathering information about their targets prior to this attack. Employing this technique increases the chances of the victim to grant access to their system to the ANEL backdoor unwittingly. The phishing emails contained a macro-laced Microsoft Office document which, when opened, will execute the ANEL Trojan.
The ANEL backdoor gains persistence by tampering with the Windows Registry, thus making sure that every time the machine is rebooted, the threat will be executed too. Then, the ANEL Trojan contacts the C&C (Command & Control) server of the perpetrators of the attack. The ANEL backdoor appears to be used as a first-stage payload because it is meant to only collect information about the infiltrated computer and send it to the attackers. Details such as:
- Installed applications.
- Running processes.
- OS version.
- Hardware information.
This information is used to determine if the compromised system is hosting any valuable and sensitive information and helps the attackers decide whether to continue the operation by deploying additional malware on the machine.
The ANEL Trojan seems to be mainly used for planting info collectors that will, in turn, collect sensitive data like browser passwords and email credentials.
The Stone Panda hacking group are working on improving their existing tools and adding new ones to their collection constantly, so it is unlikely that this APT will cease its operations any time soon.