Security researchers investigated a series of ransomware incidents by large-scale companies and discovered malware, which indicates that these attacks may be the work of a hacker organization represented by China.
Although the attack lacks the sophistication commonly seen by advanced threat actors, there is evidence that it will be associated with APT27, which is often involved in cyber espionage, also known as TG-3390, Panda Envoy, Bronze Alliance, Iron Tiger and Lucky mouse.
The attack took place in 2020 and directly targeted at least five companies in the online competition industry. These companies have deployed businesses globally and successfully encrypted several core servers.
Although these are ransomware incidents, threat actors still rely on BitLocker, a drive encryption tool in Windows, to lock the server.
Researchers from the network security companies Profero and Security’s Joes responded to these incidents and found that the hacker had reached the goal through a third-party service provider who had been infected by another third-party provider.
After analyzing the attack, a malware sample linked to DRBControl was discovered . DRBControl is an activity described in a report by Trend Micro earlier this year and attributed to APT27 and Winnti. These two organizations have been active since at least 2010. Chinese hackers have connections. If APT27 focuses on cyber espionage, then Winnti is known for its financial motivations.
In a joint report shared with BleepingComputer , Profero and Security Joes shared evidence pointing to the two groups, saying that they found a sample of the Clambling backdoor, called the backdoor used in the DRBControl campaign.
They also found ASPXSpy Webshel.l. A modified version of this malware has been seen previously in attacks attributed to APT27.
Other malware found on the infected computer includes the PlugX remote access Trojan, which is often mentioned in cybersecurity reports on China-related activities.
The report pointed out: “As for who is behind this particular infection chain, there is a strong connection with APT27/Special Envoy Panda in terms of code similarity and TTP (strategy, technology and procedures).”
Although there are few cyber espionage organizations engaged in espionage activities, this attack is not the first time APT27 has deployed ransomware on victim systems.
Based on the malware commonly used by the group, researchers at Positive Technologies attributed the Polarler software attacks since April 2020 to APT27.
The attack on the five companies in the gambling industry is not particularly complicated, and can even evade detection and move laterally through known methods.
The Profero and Security Joes report stated that the participant used the older Google Updater to reinsert the file to deploy PlugX and Clambling malware in the system memory, which is vulnerable to DLL side loading.
“For each of these two examples, there is a legitimate reset file, a malicious DLL and a binary file composed of shellcode, which is responsible for extracting the payload from itself to make it run in memory. Two examples Both use a signed Google Updater, and both DLLs are marked as goopdate.dll, but the name of the PlugX binary file is license.rtf, and the name of the Clambling binary file is English.rtf.”
Daniel Bunce, chief security analyst at Security Joes, told BleepingComputer that the main takeaway from these attacks was the involvement of cyber espionage organizations in financial-oriented activities.
Profero CEO Omri Segev Moyal said that the boldness of such a malicious organization is another signal that the government should adopt a unified approach to these threats.
Recently, another hacker group believed to work for the government has been linked to a ransomware attack. According to ClearSky, the Iran-backed hacker organization Fox Kitten participated in the Pay2Key ransomware operation against Israeli and Brazilian organizations .