A well-known Chinese state-backed APT group is believed to have been responsible for multiple ransomware attacks against firms last year, according to new research. A report from Security Joes and Pro reveals how the vendors uncovered the links after investigating an incident in which ransomware encrypted “several core servers” at an unidentified victim organization.
They found samples of malware linked to the DRBControl campaign which targeted major gaming companies and is associated with two well-known Chinese-backed groups, APT27 (aka Emissary Panda) and Winnti. Specifically, they claimed to have detected an older version of the Clambling backdoor used in that campaign, an ASPXSpy webshell previously used by APT27, and the PlugX RAT which is often used in Chinese attacks.
Although Winnti is known for financially motivated attacks, APT27 is generally more focused on data theft. However, the latter has previously been linked to one ransomware attack, featuring the Polar variant.
“There are extremely strong links to APT27 in terms of code similarities and TTPs,” the report noted. “This incident occurred at a time when where COVID-19 was rampant across China with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising.”
The attack itself does not seem to have been particularly sophisticated. The initial vector was a third-party service provider that itself had been infected by a third party, and the attackers used Windows own BitLocker encryption tool to lock down targeted servers.
ASPXSpy was deployed for lateral movement and PlugX and Clambling were loaded into memory using a Google Updater executable vulnerable to DLL side-loading. Popular open source tool Mimikatz was also used in the attack and a publicly available exploit for CVE-2017-0213 was used to escalate privileges.
Gaming firms are an increasingly popular target among financially motivated attackers, according to new research released yesterday by Kela. The threat intelligence firm claimed to have discovered one million compromised internal accounts from gaming companies on the dark web, and 500,000 breached credentials belonging to employees.