Experts linked ransomware attacks to China-linked APT27

Pierluigi Paganini January 05, 2021

Researchers from security firms Profero and Security Joes linked a series of ransomware attacks to the China-linked APT27 group.

Security researchers from security firms Profero and Security Joes investigated a series of ransomware attacks against multiple organizations and linked them to China-linked APT groups.

The experts attribute the attacks to the Chinese cyberespionage group APT27 (aka Emissary PandaTG-3390Bronze Union, and Lucky Mouse).

The APT group has been active since 2010, targeted organizations worldwide, including U.S. defense contractors, financial services firms, and a national data center in Central Asia.

The group was involved in cyber espionage campaigns aimed at new generation weapons and in surveillance activities on dissidents and other civilian groups. 

The cyber espionage group leverage both readily available tools and custom malware in their operations, many tools are available for years, but in recent attacks, their code was updated.

The recent string of attacks launched by the cyber-espionage group took place in 2020 and aimed at several gambling companies.

The hackers used the Windows drive encryption tool BitLocker to lock the servers.

APT27 ransomware

Profero and Security Joes experts reported that the initial infection vector was through a third-party service provider, that had been previously infected through another 3rd party service provider.

The investigation into the ransomware attacks revealed similarities with a campaign uncovered by earlier this year by Trend Micro and tracked as  DRBControl. The DRBControl campaign was attributed to APT27 and Winnti cyberespionage groups.

“With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities, and TTPs [tactics, techniques, and procedures],” reads the report.

In a joint report first shared with BleepingComputer, Profero and Security Joes provides details that link a backdoor involved in the recent ransomware attacks and tracked as Clambling to the malicious code used in the DRBControl campaign.

Unlike DRBControl, the Clambling backdoor did not leverage Dropbox as C2. Experts speculate it could be an older variant of the DRBControl malware, or that the attackers employed different variants of the same malware for different use cases.

The researchers also spotted a web shell name ASPXSpy, which is a modified version of this malware that has been employed in attacks attributed to APT27.

On infected computers, the experts also found the PlugX remote access trojan, widely used by China-linked threat actors, and Mimikatz.

“Earlier this year, Security Joes and Profero responded to an incident involving ransomware and the encryption of several core servers. After an extensive investigation, our team was able to discover samples of malware linked to a campaign reported on by TrendMicro1, known as DRBControl, with links to both APT groups: APT27 and Winnti.” reads the joint report from Profero and Security Joes. “This particular campaign revolves around attacks on major gaming companies, worldwide.”

The cyberspies use to deploy the Clambling malware along with PlugX in the system memory using an older Google Updater vulnerable to DLL side-loading.

“For each of the two samples, there was a legitimate executable, a malicious DLL, and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory. Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll, however the PlugX binary file was named license.rtf, and the Clambling binary file was named English.rtf.” continues the report. “We also discovered a generic Mimikatz sample on the infected machine, that was not modified by the attackers before distributing it onto the machines.”

The experts observed the APT group exploiting the Windows COM Elevation of Privilege Vulnerability tracked as CVE-2017-0213.

“Combining all the links we discovered during our analysis of our incident, it is not out of the question that Winnti is behind the Clambling backdoor, or at least a sub-group operating under the Winnti umbrella.” concludes the report. “The target in question is not a common target for APT27, however Winnti is known to target more niche companies such as video game development companies”

Additional details about the attacks are reported in the joint analysis, including IoCs and Yara rules.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT27)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment