Monday, 23 May 2022 12:17

Secureworks finds Bronze President threat group now targetting Russian speakers

0
Shares
By

Secureworks Counter Threat Unit researchers find evidence that threat group Bronze President appears to be changing its targeting, believing it to reflect changing intelligence collection requirements of the People’s Republic of China.

According to Secureworks Counter Threat Unit (CTU) researchers, Bronze President is changing its targeting in response to the political situation in Europe and the war in Ukraine. The threat group has primarily focused on Southeast Asia and is now targeting Russian-speaking users and European entities. CTU believes Bronze President is gathering political and economic intelligence valuable to the People’s Republic of China (PRC), and the changed focus reflects updated intelligence collection requirements.

Secureworks analysed a malicious executable file in March 2022, which masqueraded as a Russian-language document that was alleged to be from the European Commission. The fake document claimed to address migratory pressure and asylum applications in countries that border Belarus (Lithuania, Latvia, and Poland) and discussed European Union (EU) sanctions against Belarus at the beginning of March 2022.

The filename references Blagoveshchensk, a Russian city close to the China border and home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region. Once the malware, named PlugX, is installed, it provides access to the compromised host to extract sensitive system information, upload and download files, and execute a remote command shell.

The full filename was "Blagoveshchensk - Blagoveshchensk Border Detachment.exe", and uses a PDF icon. By default, Microsoft Windows does not display file extensions and thus many users would interpret the file as being a PDF document.

The executable displays a decoy document while downloading additional files from a staging server at IP address 107.178.71.211. The document is written in English and appears legitimate. CTU researchers do not know the original source of the document or why a Russian filename would display an English-language document, but nevertheless, that is the situation.

The other three files downloaded from the staging server follow the China-based Bronze President’s threat group’s use of DLL search order hijacking to execute PlugX malware payloads. The exe pings Google’s public DNS service with option -n 70 to introduce a delay before executing a signed file.

The legitimate signed file originates from UK-based Global Graphics Software Ltd and is vulnerable to DLL search order hijack. It imports a malicious DocConvDll.dll DLL loader, which exports eight functions - several of which use seemingly random names and contain no useful instructions. The only export called by the parent executable is createSystemFontsUsingEDL.

This function loads, decrypts, and executes FontLog.dat. The .dat sample obtained by CTU researchers was corrupt, but based on similar campaigns the file is likely a PlugX payload. However, analysis of the loader suggests that the malware creates a directory structure under C:\ProgramData\Fuji Xerox\Fonts\ and then copies the three files that DLL side-load and execute the payload to this directory. Once PlugX is installed, the malware provides access to the compromised host to extract sensitive system information, upload and download files, and execute a remote command shell.

The staging server 107.178.71.211 hosts the zyber-i . com domain which has been implicated in a broad PlugX campaign targeting European diplomatic entities. The domain was hosted on 103.107.104.19 from March 2-13, when it served a similarly named group of files for DLL search order hijack. A third-party report links the campaign to the locvnpt . com domain. Another report associates the locvnpt . com domain with attacks in 2020 against the Vatican that CTU researchers attribute to Bronze President. This 2020 campaign also used customised decoy documents and downloaded PlugX .dat files that were loaded by DLL search order hijack. The locvnpt . com domain was hosted on 2EZ Networks IP address 167.88.177.151 in September 2020. Bronze President extensively used that company's IP range in a 2020 campaign targeting Hong Kong, Myanmar, and Vietnam.

Bronze President appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. The threat group has primarily focused on Southeast Asia, gathering political and economic intelligence valuable to the People's Republic of China (PRC). Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the PRC.

To mitigate exposure to this malware, CTU researchers recommend that organisations use available controls to review and restrict access according to the details CTU has identified.

Read 120 times

Please join our community here and become a VIP.

Subscribe to ITWIRE UPDATE Newsletter here
JOIN our iTWireTV our YouTube Community here
BACK TO LATEST NEWS here

SONICWALL 2022 CYBER THREAT REPORT

The past year has seen a meteoric rise in ransomware incidents worldwide.

Over the past 12 months, SonicWall Capture Labs threat researchers have diligently tracked the meteoric rise in cyberattacks, as well as trends and activity across all threat vectors, including:

Ransomware
Cryptojacking
Encrypted threats
IoT malware
Zero-day attacks and more

These exclusive findings are now available via the 2022 SonicWall Cyber Threat Report, which ensures SMBs, government agencies, enterprises and other organizations have the actionable threat intelligence needed to combat the rising tide of cybercrime.

Click the button below to get the report.

GET REPORT!

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinars and campaigns and assistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

BACK TO HOME PAGE
Published in Security
Tagged under
David M Williams

David has been computing since 1984 where he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. David subsequently worked as a UNIX Systems Manager, Asia-Pacific technical specialist for an international software company, Business Analyst, IT Manager, and other roles. David has been the Chief Information Officer for national public companies since 2007, delivering IT knowledge and business acumen, seeking to transform the industries within which he works. David is also involved in the user group community, the Australian Computer Society technical advisory boards, and education.

Latest from David M Williams

Related items

More in this category: « Noname Security appoints Netpoleon Australia, New Zealand distributor
Share News tips for the iTWire Journalists? Your tip will be anonymous
back to top