Secureworks researchers reported that China-linked APT group BRONZE PRESIDENT conducted a new campaign aimed at government officials in Europe, the Middle East, and South America with the PlugX malware.
Attacks part of this campaign were spotted in June and July 2022.
PlugX is modular malware has backdoor capabilities that could be extended by downloading additional plugins.
“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.” reads the analysis published by Secureworks.
The Bronze President group is targeting political and law enforcement organizations and NGOs in Asia.
The China-based group has been active at least since 2014, it focused on political and law enforcement organizations and NGOs in Asia. The APT group leverages both custom remote access tools and publicly available remote access and post-compromise to compromise target networks.
In the recent campaign, the malware is included in RAR archive files. Once opened the archive, it will displays a Windows shortcut (LNK) file that masquerades as a document. Upon clicking the Windows shortcut file, the malware will be executed.
The archive also includes a hidden folder that contains the malware, embedded eight levels deep in a sequence of hidden folders named with special characters. The attackers used this trick in an attempt of bypassing mail-scanning products.
The shortcut executes a renamed legitimate file contained in the eighth hidden folder. The attackers also drop a malicious DLL and an encrypted payload file, noticing that the legitimate binary files are vulnerable to DLL search order hijacking.
“When executed, they import the malicious DLL that loads, decrypts, and executes the payload file. In each sample analyzed by CTU researchers, the shortcut file metadata indicates the file was created on a Windows system either with hostname “desktop-n2v1smh” or “desktop-cb248vr”.” continues the report.
“Once running, the payload drops a decoy document to the logged-on user’s %Temp% directory and copies the three files to a ProgramData subdirectory using the pattern “<Application><3 characters>” (e.g., Operavng)”
The researchers recommend organizations in geographic regions of interest to China to monitor the activity of this APT group, they also shared indicators of compromise for this campaign.
“BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group’s activities, especially organizations associated with or operating as government agencies.” concludes the report.
(SecurityAffairs – hacking, BRONZE PRESIDENT)