The notorious Chinese-linked threat group, dubbed Bronze Union, has been spotted in a widespread 2018 campaign updating its arsenal of cyberweapons by breathing new life into old tools.
The threat group was spotted in 2018 using updated source code to target data owned by political, technology, manufacturing and humanitarian organizations, researchers with the Dell Secureworks Counter Threat Unit told Threatpost, Wednesday.
“In 2018, CTU researchers identified evidence of Bronze Union leveraging tools that have been publicly available for years,” said researchers in their report, which they released ahead of next week’s RSA 2019 conference. “However, the variants used in 2018 included updated code.”
Bronze Union (also known as APT 27, LuckyMouse, and Emissary Panda), is believed to be located in the People’s Republic of China and has been around 2013, researchers said. The group has historically leveraged publicly available tools to access networks with an aim of collecting political and military intelligence.
In its most recent campaign, the threat group used phishing, scan and exploit, and watering hole techniques to target and compromise organizations, researchers told Threatpost.
“Historically Bronze Union have made extensive use of watering hole techniques where the threat actor compromises a specific website and uses it to deliver malware to site visitors,” Matthew Webster, senior security researcher at Secureworks, told Threatpost. “This technique is particularly effective when the site visitors have a specific demographic. In the past we’ve seen evidence of the group targeting important Turkish organizations using this technique, likewise in 2018 there was evidence of the group doing something similar in Mongolia.”
Most notably, the threat group was using updated remote access trojans (RATs) to launch its attacks, including ZxShell, Gh0st RAT, and SysUpdate malware.
In mid-2018, researchers said they spotted the threat group deploying an updated version of the ZxShell remote access trojan (RAT).
ZxShell has been around for awhile. It was developed in 2006 by threat actors using the alias “LZX,” who then publicly released the source code in 2007. However, Bronze Union’s deployments of the RAT in 2018 contained some previously unobserved properties “that suggest the threat group’s capabilities continue to evolve,” researchers said.
For instance, the malware was spotted embedded in the well-known HTran packet redirection tool. HTran is a rudimentary connection bouncer, designed to redirect Transmission Control Protocol (TCP) traffic destined for one host to an alternate host. The malware was also signed with digital certificates by Hangzhou Shunwang Technology Co., Ltd and Shanghai Hintsoft Co., Ltd. “These certificates are not exclusively used by Bronze Union but may indicate Bronze Union activity,” said researchers.
The threat group also utilized new variants of the publicly available Gh0st RAT source code. In a 2018 campaign, Bronze Union deployed modified Gh0st RAT malware to attack multiple systems within targeted environments.
When executed with administrator privileges, the Gh0st RAT binary file was written to %System%\FastUserSwitchingCompatibilitysex.dll.
The installer then created a Windows service and associated service dynamic link library (DLL).
“Gh0st RAT variants deployed by the group in 2018 had modified elements of the malware network traffic that would make it more challenging for some security tools to detect,” researchers told Threatpost.
Finally, the threat group used proprietary remote access tool SysUpdate, a flexible malware with easily-added capabilities by supplying a new payload file. “In 2018 we identified evidence of SysUpdate being deployed via malicious Rich Text Format (RTF) documents, suggesting that the group may deliver SysUpdate via phishing,” researchers said.
Once downloaded, SysUpdate executed a second payload file. The operator could remove second-stage capabilities at any time and revert to the first stage by supplying a replacement payload file, researchers said. “By withdrawing second-stage payloads when not in use, operators can limit exposure of their full capabilities if the malicious activity is detected,” they said.
These capabilities “included remote access capabilities such as managing files and processes, launching a command shell, interacting with services, taking screenshots, and uploading and downloading additional malware payloads,” researchers said.
Future of Bronze Union
When it comes to the future of Bronze Union, “we fully expect that it will be more of same in 2019,” Webster told Threatpost.
“We anticipate that the group will continue to evolve their tools and capabilities to ensure their effectiveness,” they said. “This constant evolution means that for organization facing this threat it’s important to have strategies in place that focus on threat actor behaviours rather than known bad tools and infrastructure which will inevitably change over time. Equally once the group have access to an environment they will use credentials, tools and services that are native to the victim environment – so it quickly becomes an issue of being able to spot suspicious behaviours amongst the noise of normal business practice.”