Sunday, October 17, 2021

Experts linked Chinese APT27 Group to Ransomware Attacks

Must Read

MosaicLoader malware targets cracked software via SEO poisoning

New MosaicLoader malware targets users that are searching to download cracked software. Cybercriminals run ad campaigns in search engine...

Gmail Now supports email logo authentication BIMI

Google LLC today announced a small but potentially important email security update. Gmail is officially rolling out support for...

Adobe security update squashes critical vulnerabilities in Lightroom, Prelude

Adobe's final key patch around 2020 has coped with random code and JavaScript implementation bugs.Adobe's past scheduled security update...

Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China. 

A well-known Chinese state-backed APT group is believed to have been responsible for multiple ransomware attacks against firms last year, according to new research.  

Researchers from security firms Profero and Security Joes linked a series of ransomware attacks to the China-linked APT27 group.

Although the attacks lack the sophistication normally seen with advanced threat actors, there is strong evidence linking them to APT27, a group normally involved in cyber espionage campaigns, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse.

The APT group has been active since 2010, targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.

The attacks happened in 2020 and directly targeted at least five companies in the online gambling sector that operate globally and successfully encrypted several core servers. 

The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups. 

While these were ransomware incidents in earnest, the threat actor relied on BitLocker, the drive encryption tool in Windows hackers used BitLocker to lock the servers.

The researchers from cybersecurity firms Profero and Security Joes responded to these incidents and found that the hackers reached their targets through a third-party service provider, which had been infected through another third-party provider.

They found samples of malware linked to the DRBControl campaign which targeted major gaming companies and is associated with two well-known Chinese-backed groups, APT27 (aka Emissary Panda) and Winnti. 

Specifically, they claimed to have detected an older version of the Clambling backdoor used in that campaign, an ASPXSpy web shell previously used by APT27, and the PlugX RAT which is often used in Chinese attacks. 

Other malware found on infected computers includes the PlugX remote access trojan, regularly mentioned in cybersecurity reports about campaigns linked to China. 

Although Winnti is known for financially motivated attacks, APT27 is generally more focused on data theft. However, the latter has previously been linked to one ransomware attack, featuring the Polar variant.

Researchers at Positive Technologies attributed a Polar ransomware attack from April 2020 to APT27, based on the use of malware normally used by this group.

Experts linked Chinese APT27 Group Linked to Ransomware Attacks

The attacks against the five companies in the gambling sector were not particularly sophisticated and relied on known methods to evade detection and move laterally.

ASPXSpy was deployed for lateral movement and PlugX and Clambling were loaded into memory using a Google Updater executable vulnerable to DLL side-loading.

Popular open-source tool Mimikatz was also used in the attack and a publicly available exploit for CVE-2017-0213 was used to escalate privileges.

a2434345d63481a40f0d145881b41013?s=96&d=mm&r=g
Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This