A recent slew of related ransomware attacks on top videogame companies has been associated with the notorious Chinese-linked APT27 threat group, suggesting that the advanced persistent threat (APT) is shifting from its historically espionage-focused tactics to adopt ransomware, a new report says.
Researchers noticed the “strong links” to APT27 when they were brought in as part of incident response for ransomware activity that affected several major gaming companies globally last year as part of a supply-chain attack. Details of these incidents (including specific company names and the timeline) are scant. However, while researchers told Threatpost that they could not name the specific gaming companies attacked, they said that five companies were affected. What’s more, two of the affected companies are “among the largest in the world,” they said.
APT27 (also known as Bronze Union, LuckyMouse, and Emissary Panda) is believed to operate from the People’s Republic of China and has been around since 2013, researchers said. The group has historically leveraged publicly available tools to access networks with the aim of collecting political and military intelligence. It has previously been focused on cyberespionage and data theft, rather than monetary profit.
“Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware-actor tactics is highly unusual. However this incident occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising,” according to researchers with Profero and Security Joes, in a joint Monday analysis [PDF].
The Supply-Chain Attack
The initial infection vector for the attack was a third-party service provider that had previously been infected through another third-party service provider, researchers said.
Upon further investigation into the security incident, researchers discovered malware samples linked to a campaign from the beginning of 2020, called DRBControl. Trend Micro researchers who previously discovered this campaign noted that it had links to APT27 and the Winnti supply-chain specialist gang. The hallmarks of the DRBControl backdoor attack were that it hit gambling companies and used Dropbox for command-and-control (C2) communications.
Profero and Security Joes researchers discovered a “very similar sample” of DRBControl in the more recent campaign (which they dubbed the “Clambling” sample) – though this variant lacked the Dropbox capabilities.
Researchers found that DRBControl – as well as a PlugX sample – was then loaded into memory using a Google Updater executable, which was vulnerable to DLL side-loading (side-loading is the process of using a malicious DLL to spoof a legitimate one, and then relying on legitimate Windows executables to execute the malicious code). Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll, researchers said.
“For each of the two samples, there was a legitimate executable, a malicious DLL and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory,” said researchers.
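The side-loading pattern described above leaves a recognizable trace in image-load telemetry: a DLL named goopdate.dll that is not validly signed, or that loads from outside the updater's normal install directory, typically sitting beside the executable that loads it. The following detection sketch is an added example, not code from the Profero and Security Joes report; the records are constructed, they use Sysmon Event ID 7 (ImageLoad) field names, and the expected install directories are an assumption.

```python
import ntpath

# Assumption: directories where a genuine Google Updater install normally lives.
EXPECTED_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)

# Constructed sample records (paths and version directory are made up),
# keyed by Sysmon Event ID 7 (ImageLoad) field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Google\Update\1.0.0.0\goopdate.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Example\GoogleUpdate.exe",
     "ImageLoaded": r"C:\ProgramData\Example\goopdate.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def sideload_reasons(event, dll_name="goopdate.dll"):
    """Return the reasons an image-load event looks like side-loading of dll_name."""
    dll_path = event["ImageLoaded"].lower()
    if ntpath.basename(dll_path) != dll_name:
        return []
    reasons = []
    # The host executable is legitimately signed; the swapped-in DLL usually is not.
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("dll-not-validly-signed")
    # A copy loaded from outside the normal install tree deserves a closer look.
    if not any(dll_path.startswith(d + "\\") for d in EXPECTED_DIRS):
        reasons.append("dll-outside-expected-dir")
    # Side-loading relies on the DLL being found next to the host executable.
    if reasons and ntpath.dirname(dll_path) == ntpath.dirname(event["Image"].lower()):
        reasons.append("dll-beside-host-exe")
    return reasons

def hunt(events):
    """Return (host image, reasons) for every suspicious load in events."""
    return [(e["Image"], r) for e in events if (r := sideload_reasons(e))]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image, "->", ", ".join(reasons))
```
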
After the threat actors gained a foothold in the company systems through the third-party compromise, an ASPXSpy webshell was deployed to assist in lateral movement.
Another process that stood out in this incident was the encryption of core servers using BitLocker, which is a drive encryption tool built into Windows, said researchers.
“This was particularly interesting, as in many cases threat actors will drop ransomware to the machines, rather than use local tools,” they said.
APT27 Clues
Researchers observed “extremely strong links” to APT27 in terms of code similarities, and tactics, techniques and procedures (TTPs).
Researchers said, for instance, that they found similarities between the DRBControl sample and older confirmed APT27 implants. In addition, a modified version of the ASPXSpy webshell used in the campaign was previously seen in APT27-attributed cyberattacks. Alongside the discovered backdoor, researchers also found a binary responsible for escalating privileges by exploiting CVE-2017-0213, a Microsoft Windows Server vulnerability that APT27 has used before.
“APT27 has been known to use this exploit to escalate privileges in the past; with one incident resulting in a cryptominer being dropped to the system,” said researchers.
Beyond the arsenal of tools matching up to previous APT27 operations, researchers noted code similarities with previous APT27 campaigns, and the domains used in this operation were matched to other operations previously linked to APT27, Omri Segev Moyal, CEO of Profero, told Threatpost.
Researchers also pointed to similarities in various processes used within the attack that link back to previous APT27 attacks, including the group’s method of using the number of arguments to execute different functions, and the usage of DLL side-loading with the main payload stored in a separate file.