Experts linked ransomware attacks to China-linked APT27

Researchers from security firms Profero and Security Joes linked a series of ransomware attacks to the China-linked APT27 group.

Security researchers from security firms Profero and Security Joes investigated a series of ransomware attacks against multiple organizations and linked them to China-linked APT groups.

The experts attribute the attacks to the Chinese cyberespionage group APT27 (aka Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse).

The APT group has been active since 2010 and has targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.

The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups. 

The cyber espionage group leverages both readily available tools and custom malware in its operations. Many of these tools have been in use for years, but in the recent attacks their code had been updated.

The recent string of attacks launched by the cyber espionage group took place in 2020 and aimed at at least five companies in the online gambling sector.

The hackers used the Windows drive encryption tool BitLocker to lock the servers.

The researchers from cybersecurity firms Profero and Security Joes responded to these incidents and found that the hackers reached their targets through a third-party service provider, which had been infected through another third-party provider.

Analyzing the attacks revealed malware samples linked to DRBControl, a campaign described earlier this year in a report from Trend Micro and attributed to APT27 and Winnti, both groups active since at least 2010 and associated with Chinese hackers. While APT27 focuses on cyberespionage, Winnti is known for its financial motivation.

In a joint report shared with BleepingComputer, Profero and Security Joes share evidence pointing to these two groups, saying that they found a sample of the Clambling backdoor similar to the one used in the DRBControl campaign.

They also uncovered the ASPXSpy webshell. A modified version of this malware has been seen previously in attacks attributed to APT27.

Other malware found on infected computers includes the PlugX remote access trojan, regularly mentioned in cybersecurity reports about campaigns linked to China.

“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs [tactics, techniques, and procedures],” the report reads.

Although a cyberespionage group engaging in a financially motivated campaign is unusual, this attack would not be the first time APT27 has deployed ransomware on victim systems.

Researchers at Positive Technologies attributed a Polar ransomware attack from April 2020 to APT27, based on the use of malware normally used by this group.

The attacks against the five companies in the gambling sector were not particularly sophisticated and relied on known methods to evade detection and move laterally.

“Earlier this year, Security Joes and Profero responded to an incident involving ransomware and the encryption of several core servers. After an extensive investigation, our team was able to discover samples of malware linked to a campaign reported on by Trend Micro, known as DRBControl, with links to both APT groups: APT27 and Winnti,” reads the joint report from Profero and Security Joes. “This particular campaign revolves around attacks on major gaming companies, worldwide.”

The researchers spotted a backdoor, tracked as Clambling, that appears similar to the malware employed in the DRBControl campaign uncovered by Trend Micro. Unlike DRBControl, the Clambling backdoor did not leverage Dropbox as C2. Experts speculate it could be an older variant of the DRBControl malware, or that the attackers employed different variants of the same malware for different use cases.

The cyberspies deployed the Clambling malware, along with PlugX, in system memory by abusing an older, signed Google Updater executable vulnerable to DLL side-loading.

“For each of the two samples, there was a legitimate executable, a malicious DLL, and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory. Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll; however, the PlugX binary file was named license.rtf, and the Clambling binary file was named English.rtf,” continues the report. “We also discovered a generic Mimikatz sample on the infected machine, that was not modified by the attackers before distributing it onto the machines.”

The experts observed the APT group exploiting the Windows COM Elevation of Privilege Vulnerability tracked as CVE-2017-0213.

“Combining all the links we discovered during our analysis of our incident, it is not out of the question that Winnti is behind the Clambling backdoor, or at least a sub-group operating under the Winnti umbrella,” concludes the report. “The target in question is not a common target for APT27, however Winnti is known to target more niche companies such as video game development companies.”

Additional details about the attacks are reported in the joint analysis, including IoCs and Yara rules.


Pierluigi Paganini

(SecurityAffairs – hacking, APT27)

The post Experts linked ransomware attacks to China-linked APT27 appeared first on Security Affairs.