Showing posts with label APT31.

Widespread Cyber Espionage Attacks Use New Chinese Spyware


According to new research, a threat actor believed to be of Chinese origin was linked to a series of ten attacks from January to July 2021 that involved the deployment of a remote access trojan (RAT) on infected computers and targeted Mongolia, Russia, Belarus, Canada, and the United States. The breaches have been linked to APT31 (FireEye), an advanced persistent threat that has been dubbed Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks) by the cybersecurity community. 

BRONZE VINEWOOD has hidden malicious activity inside legitimate-looking network traffic by using prominent social media and code repository sites. Secureworks Counter Threat Unit (CTU) researchers have also uncovered earlier BRONZE VINEWOOD campaigns that used DLL search-order hijacking to deliver the HanaLoader downloader and other malicious payloads.

According to researchers, the group is thought to be a Chinese state-sponsored cyberespionage actor attempting to acquire intelligence to aid the Chinese government and state-owned firms. 

The attacks used a new malware dropper that includes a downloader for next-stage encrypted payloads fetched from a remote command-and-control server, together with the logic to decrypt and execute them. The resulting malware can download further payloads, exposing victims even further, as well as perform file operations, exfiltrate sensitive data, and even remove itself from the compromised machine.

Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov found the self-delete command noteworthy because it uses a .bat file to wipe every registry key and file created while the malware was running.

The malware also shares traits with a trojan known as DropboxAES RAT, which the same threat group used last year and which relied on Dropbox for command-and-control (C2) communications; the two overlap substantially in how they inject the attack code, achieve persistence, and delete the espionage tool.

Although BRONZE VINEWOOD calls the software DropboxAES RAT, CTU researchers found that it does not use the Advanced Encryption Standard (AES). Instead, it uses the ChaCha20 stream cipher to encrypt and decrypt data. Older versions of the malware may have used AES.
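The naming mismatch above (a "DropboxAES" RAT that really uses ChaCha20) is the kind of thing an analyst can settle quickly with a static scan for the fixed constants each cipher embeds. The following is an added example, not code from the original post or from Secureworks or Positive Technologies: it looks for the ChaCha20 "expand 32-byte k" seed constant (both as one contiguous string in a data section and as the four separate 32-bit words it becomes when a compiler emits them as immediates) and for the first 16 entries of the AES forward and inverse S-boxes. The sample blobs are constructed for the demonstration.

```python
"""Static triage helper: which symmetric-cipher constants does a blob contain?

Added example. Scans raw bytes for constants that ChaCha20 and AES
implementations almost always carry, so a sample advertised as "AES" that
actually contains only the ChaCha20 seed constant is caught on sight.
"""
import re

# ChaCha20 "sigma" constant: the four 32-bit state words 0x61707865,
# 0x3320646e, 0x79622d32, 0x6b206574 read as this ASCII string in little-endian.
CHACHA20_SIGMA = b"expand 32-byte k"
# Variant constant used by ChaCha with a 16-byte key (rare, but cheap to check).
CHACHA_TAU = b"expand 16-byte k"

# First 16 entries of the AES forward S-box (FIPS-197, Figure 7).
AES_SBOX_HEAD = bytes([0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
                       0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76])
# First 16 entries of the AES inverse S-box (present in decryption routines).
AES_INV_SBOX_HEAD = bytes([0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
                           0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb])


def find_all(blob: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in blob."""
    return [m.start() for m in re.finditer(re.escape(needle), blob)]


def scan_cipher_constants(blob: bytes) -> dict:
    """Map each indicator name to the offsets where its constant appears."""
    indicators = {
        "chacha20_sigma": CHACHA20_SIGMA,
        "chacha_tau": CHACHA_TAU,
        "aes_sbox": AES_SBOX_HEAD,
        "aes_inv_sbox": AES_INV_SBOX_HEAD,
    }
    # When the compiler loads the ChaCha20 constants as immediates (mov reg, imm32)
    # the four words are scattered through code, so search for each one on its own.
    for i in range(4):
        indicators[f"chacha20_word{i}"] = CHACHA20_SIGMA[4 * i:4 * i + 4]
    return {name: find_all(blob, needle) for name, needle in indicators.items()}


def classify(blob: bytes) -> set:
    """Summarise the scan as a set of cipher verdicts."""
    hits = scan_cipher_constants(blob)
    verdict = set()
    if hits["chacha20_sigma"] or hits["chacha_tau"]:
        verdict.add("chacha20")
    elif sum(1 for i in range(4) if hits[f"chacha20_word{i}"]) >= 3:
        # Three of four scattered words: strong hint, but no contiguous string,
        # so report it as "likely" rather than certain.
        verdict.add("chacha20-likely")
    if hits["aes_sbox"]:
        verdict.add("aes-encrypt")
    if hits["aes_inv_sbox"]:
        verdict.add("aes-decrypt")
    return verdict


# Constructed sample blobs (not real malware bytes).
SAMPLE_CHACHA = b"\x90" * 32 + CHACHA20_SIGMA + b"\x00" * 16
SAMPLE_AES = b"\xcc" * 8 + AES_SBOX_HEAD + b"\x00" * 8
SAMPLE_SPLIT = b"\xb8expa\x90\x90\xb9nd 3\x90\xba2-by\x90\x90"  # immediates, one word missing
SAMPLE_NONE = b"This sample has no cipher constants at all"


def main():
    for name, blob in [("chacha", SAMPLE_CHACHA), ("aes", SAMPLE_AES),
                       ("split", SAMPLE_SPLIT), ("none", SAMPLE_NONE)]:
        print(f"{name:>6}: {sorted(classify(blob)) or 'no cipher constants'}")


if __name__ == "__main__":
    main()
```

Absence of constants proves little (a sample may unpack its crypto routine at run time), but a hit is a cheap, reliable first answer to "which cipher is this?" before any dynamic analysis.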

"The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular," the researchers concluded.

APT31 hackers attacked Russian companies for the first time

Representatives of Positive Technologies reported that the hacker group APT31, known for its attacks on government bodies in various countries, has attacked Russian companies for the first time. A number of experts associate the APT31 group, which also goes by the names Hurricane Panda and Zirconium, with the Chinese intelligence services.

The Positive Technologies representative did not disclose the number or names of the attacked companies, nor the damage caused, citing the company's confidentiality policy.

According to Positive Technologies experts, since the spring of 2021 APT31 has begun to widen the geography of its attacks and to use a new method of compromising and infecting devices.

According to the company, the hackers send phishing emails containing a link to a fake domain, inst.rsnet-devel[.]com, that closely imitates the domain of certain government agencies. When the link is opened, a so-called dropper (a remote access Trojan) lands on the user's computer; it writes a malicious library to the infected device and installs a dedicated application. That application then calls one of the functions in the downloaded library, and the attacker takes control of the computer.

Another trick the attackers used was that in some attacks the dropper carried a genuine, valid digital signature, so many security tools treated it as a program from a certified vendor. Positive Technologies experts believe the signature was most likely stolen, which indicates that the group was well prepared.
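Two behaviours in the descriptions above leave clear traces in endpoint telemetry: an application loading a freshly written library from a user-writable directory (the library-plus-application chain described here and the DLL search-order hijacking from the earlier post), and the self-delete routine that runs a .bat file to remove registry keys. The following is an added example, not code from either post or from any vendor product: it applies those two rules to Sysmon-style ImageLoad and ProcessCreate events. The event dicts, paths, process names and field values are constructed for the demonstration, and treating Program Files as a trusted location is an assumption of the rule, not something the posts state.

```python
"""Rule-based triage of process-creation and image-load telemetry.

Added example. Two rules: (1) a DLL loaded from a user-writable directory,
co-located with its host EXE and lacking a valid signature; (2) reg.exe
deleting keys on behalf of cmd.exe running a .bat from a user-writable
directory (the self-delete clean-up pattern).
"""
import ntpath
from dataclasses import dataclass
from typing import List, Optional

# Locations treated as trusted for rule 1 (assumption: admin-writable only).
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64",
               "c:\\program files", "c:\\program files (x86)")
# Path fragments that mark user-writable locations.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                 "\\users\\public\\", "c:\\programdata\\")


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _lower(value) -> str:
    return (value or "").lower()


def in_system_dir(path: str) -> bool:
    return any(_lower(path).startswith(d) for d in SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    return any(frag in _lower(path) for frag in USER_WRITABLE)


def rule_sideload(ev: dict) -> Optional[Alert]:
    """ImageLoad: EXE loads an unsigned DLL sitting next to it in a user-writable dir."""
    if ev.get("EventType") != "ImageLoad":
        return None
    dll, exe = _lower(ev.get("ImageLoaded")), _lower(ev.get("Image"))
    if not dll.endswith(".dll") or in_system_dir(dll) or not in_user_writable(dll):
        return None
    same_dir = ntpath.dirname(dll) == ntpath.dirname(exe)
    unsigned = _lower(ev.get("SignatureStatus")) != "valid"
    if same_dir and unsigned:
        return Alert("dll_sideload_user_dir", ev["ProcessId"],
                     f"{exe} loaded unsigned co-located {dll}")
    return None


def rule_batch_regdelete(ev: dict) -> Optional[Alert]:
    """ProcessCreate: reg.exe delete spawned by cmd.exe running a .bat from a user-writable dir."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    image = ntpath.basename(_lower(ev.get("Image")))
    parent = ntpath.basename(_lower(ev.get("ParentImage")))
    cmd, pcmd = _lower(ev.get("CommandLine")), _lower(ev.get("ParentCommandLine"))
    if (image == "reg.exe" and "delete" in cmd.split() and parent == "cmd.exe"
            and ".bat" in pcmd and in_user_writable(pcmd)):
        return Alert("selfdelete_batch_reg_delete", ev["ProcessId"], f"{pcmd} -> {cmd}")
    return None


RULES = (rule_sideload, rule_batch_regdelete)


def run_rules(events: List[dict]) -> List[Alert]:
    """Apply every rule to every event; return alerts in event order."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


# Constructed Sysmon-style events (not real telemetry).
EVENTS = [
    {"EventType": "ImageLoad", "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\version.dll",
     "SignatureStatus": "Unavailable"},                      # rule 1 should fire
    {"EventType": "ImageLoad", "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "SignatureStatus": "Valid"},                            # system copy: benign
    {"EventType": "ImageLoad", "ProcessId": 812,
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "SignatureStatus": "Valid"},                            # trusted dir: benign
    {"EventType": "ProcessCreate", "ProcessId": 5001,
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg delete HKCU\Software\Updater /f",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\cleanup.bat"},  # rule 2
    {"EventType": "ProcessCreate", "ProcessId": 5002,
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\Software\Vendor",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\scripts\inventory.bat"},                      # benign
]

if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(f"[{alert.rule}] pid={alert.pid} {alert.detail}")
```

Rule 1 deliberately requires all three conditions (user-writable path, co-location with the EXE, no valid signature) because any one of them alone is common in legitimate software; a signed dropper, as in the stolen-signature case above, still trips it as soon as it pulls in its unsigned companion library.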

It is worth noting that APT31 activity has been recorded since the 2010s. The group mainly attacks the public sector to collect confidential information. According to Microsoft, from March to September 2020 about a thousand attacks by this group were recorded against users connected with the United States presidential election and its candidates. APT31 attacks have also been reported in Norway, Finland, Germany, Mongolia, Canada and Belarus.