Chinese state-sponsored APT is suspected in recent ransomware attacks

Security researchers' analyses of recent ransomware attacks on multiple companies indicate that a Chinese state-sponsored hacking group, an APT, may be behind the operation.

The attacks happened in 2020 and hit at least five companies. The attackers reached their targets through a third-party service provider, which had itself been compromised through yet another third-party provider, according to researchers from the firms Profero and Security Joes.

The threat actors relied on BitLocker, the drive encryption tool built into Windows, to encrypt several core services. The malware samples are linked to DRBControl, a campaign reported by Trend Micro and attributed to APT27 and Winnti, groups that have been active since 2010.

Profero and Security Joes jointly published a report presenting clear evidence that the attackers used a Clambling backdoor linked to the one used in the DRBControl campaign. They also uncovered the ASPXSpy webshell, a modified version of which has been seen in attacks attributed to APT27.

The report also reads: “With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs [tactics, techniques, and procedures].”

The malicious actors deployed the PlugX and Clambling malware in system memory using an older Google Updater executable vulnerable to DLL side-loading.

“For each of the two samples, there was a legitimate executable, a malicious DLL, and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory. Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll, however the PlugX binary file was named license.rtf, and the Clambling binary file was named English.rtf.”
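The side-loading pattern described in the two samples above gives a defender two concrete things to look for: a Google Updater process loading `goopdate.dll` from somewhere other than its normal install directory, and a sidecar file named `license.rtf` or `English.rtf` whose bytes are not actually an RTF document. The following is an added hunting example, not code from the report or from either firm; the Sysmon-style field names, the expected install directories and the sample events and files are constructed assumptions.

```python
import ntpath
from typing import Iterable
# Directories where a legitimate Google Updater normally lives (assumed).
EXPECTED_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)
# Sidecar payload file names reported for the two samples.
PAYLOAD_NAMES = {"license.rtf", "english.rtf"}
RTF_MAGIC = b"{\\rtf"  # a genuine RTF document starts with this header

# Constructed Sysmon-style image-load events (field names are assumptions).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.0.0.0\goopdate.dll"},
    {"Image": r"C:\Users\Public\Libraries\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\goopdate.dll"},
]
# Constructed on-disk sidecar files: the first is opaque bytes, not a document.
SAMPLE_FILES = {
    r"C:\Users\Public\Libraries\license.rtf": b"\x00\x01\x02\x03",
    r"C:\Users\Public\Libraries\notes.rtf": b"{\\rtf1\\ansi hello}",
}

def loaded_outside_expected_dir(event: dict) -> bool:
    """Flag goopdate.dll loaded by Google Updater from outside its install dir."""
    image = event.get("Image", "").lower()
    loaded = event.get("ImageLoaded", "").lower()
    if not image.endswith("googleupdate.exe"):
        return False
    if ntpath.basename(loaded) != "goopdate.dll":
        return False
    return not any(loaded.startswith(d) for d in EXPECTED_DIRS)

def is_fake_rtf(name: str, content: bytes) -> bool:
    """A payload-named 'rtf' file lacking the RTF header is not a document."""
    return name.lower() in PAYLOAD_NAMES and not content.startswith(RTF_MAGIC)

def hunt(events: Iterable[dict], files: dict) -> list:
    """Return (kind, path) findings for side-loads and fake RTF sidecars."""
    findings = []
    for ev in events:
        if loaded_outside_expected_dir(ev):
            findings.append(("sideload", ev["ImageLoaded"]))
    for path, content in files.items():
        if is_fake_rtf(ntpath.basename(path), content):
            findings.append(("fake_rtf", path))
    return findings
```

Running `hunt(SAMPLE_EVENTS, SAMPLE_FILES)` flags only the copy of `goopdate.dll` loaded from the public library folder and the `license.rtf` that carries no RTF header; the real install and the genuine document pass.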

Additionally, a vulnerability from 2017 (CVE-2017-0213) was reportedly exploited to escalate privileges on the system.

A security analyst from Security Joes said the key takeaway from these attacks is the involvement of the hacker group in a financially driven campaign.

The existence of such a malicious group is a signal that governments should adopt a unified approach to fighting these threats, said researchers at Profero.