Two Chinese hacking gangs are using ransomware as a ruse to conceal their illicit operations as they engage in cyber espionage and steal intellectual property from Western and Japanese businesses.
According to threat researchers at Secureworks, ransomware is used in these espionage operations to hide the actors' footprints, make attribution more difficult, and create a potent distraction for defenders.
Finally, the exfiltration of vital information is disguised as a financially motivated attack, something not typically associated with Chinese state-backed threat groups.
Ransomware behaviour that seems odd
The two activity groups Secureworks has identified are “Bronze Riverside” (APT41) and “Bronze Starlight” (APT10). Both clusters use the HUI Loader to deploy remote access trojans such as PlugX, Cobalt Strike, and QuasarRAT.
Beginning in March 2022, “Bronze Starlight” used Cobalt Strike to deploy ransomware variants such as LockFile, AtomSilo, Rook, Night Sky, and Pandora.
In these attacks the hackers also employed a new version of HUI Loader that hooks Windows API calls to disable Event Tracing for Windows (ETW) and the Antimalware Scan Interface (AMSI).
In three separate attacks using AtomSilo, Night Sky, and Pandora, the Cobalt Strike beacon configurations revealed a shared C2 address. Additionally, this year’s HUI Loader samples uploaded to VirusTotal came from the same source.
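Loaders that hook or overwrite the entry points of AMSI and ETW functions, as described above, can be caught by a defender-side integrity check that reads the first bytes of those exports in a running process and compares them against known patch shapes. The following is an added example, not code from the article or from Secureworks; the byte signatures and the choice of `amsi.dll!AmsiScanBuffer` and `ntdll.dll!EtwEventWrite` as targets are assumptions based on commonly documented user-mode tampering, not on what HUI Loader specifically does. The live memory read only works on Windows; the classification logic is platform-independent.

```python
"""
Added example: in-process integrity check for AMSI/ETW entry points.
Assumption: the signatures below reflect common public patch shapes
(immediate return, return-zero stub, jump trampoline), not HUI Loader itself.
"""
import ctypes
import sys
from typing import Dict, List, Optional, Tuple

# Assumed signatures of a patched function prologue (x64). Each maps the bytes
# written over the first instructions to a human-readable description.
KNOWN_PATCHES: Dict[bytes, str] = {
    b"\xc3": "ret (immediate return)",
    b"\x31\xc0\xc3": "xor eax,eax; ret (forced success/zero return)",
    b"\x33\xc0\xc3": "xor eax,eax; ret (alternate encoding)",
}

# Assumed watch list: module export pairs that user-mode loaders tend to tamper with.
TARGETS: List[Tuple[str, str]] = [
    ("amsi.dll", "AmsiScanBuffer"),
    ("ntdll.dll", "EtwEventWrite"),
]


def classify_prologue(prologue: bytes) -> Optional[str]:
    """Return a description of the tampering if the prologue looks patched, else None."""
    for sig, desc in KNOWN_PATCHES.items():
        if prologue.startswith(sig):
            return desc
    # A near (E9) or short (EB) jmp as the very first instruction is the classic
    # shape of an inline hook trampoline; genuine x64 exports do not start this way.
    if prologue[:1] in (b"\xe9", b"\xeb"):
        return "jmp at entry (possible inline hook)"
    return None


def read_prologue(module: str, func: str, n: int = 8) -> bytes:
    """Windows-only: read the first n bytes of an exported function in this process."""
    if sys.platform != "win32":
        raise OSError("live prologue read requires Windows")
    lib = ctypes.WinDLL(module)  # loads the module if not already mapped
    addr = ctypes.cast(getattr(lib, func), ctypes.c_void_p).value
    return ctypes.string_at(addr, n)


def check_targets() -> Dict[str, str]:
    """Check every watched export; returns 'clean', a patch description, or 'skipped: ...'."""
    results: Dict[str, str] = {}
    for module, func in TARGETS:
        key = f"{module}!{func}"
        try:
            prologue = read_prologue(module, func)
        except OSError as exc:
            results[key] = f"skipped: {exc}"
            continue
        results[key] = classify_prologue(prologue) or "clean"
    return results


if __name__ == "__main__":
    for name, verdict in check_targets().items():
        print(f"{name}: {verdict}")
```

Run it inside the process you want to inspect (for instance, as a scheduled check from an EDR agent or a PowerShell host that embeds Python); on a non-Windows host every target is reported as skipped. A fuller implementation would also compare the in-memory bytes against the on-disk image of the module rather than relying on a fixed signature list.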
The activity and victimology of LockFile, AtomSilo, Rook, Night Sky, and Pandora are unusual compared with financially motivated ransomware operations: each focused on a small number of victims over a short period of time before the project was abandoned entirely.
Additionally, Secureworks notes code parallels between Pandora and the most recent release of HUI Loader, a loose connection that may nevertheless point to a single organization.
Night Sky, Pandora, and Rook were all derived from the Babuk source code and share a great deal of their coding, while LockFile and AtomSilo also appear highly similar to each other.
None of these five ransomware operations left much of a trace in the cybercrime world or ever developed into a serious threat, and all of them were abandoned rather quickly.
This suggests that “Bronze Starlight” may be developing short-lived ransomware variants solely to disguise its cyber-espionage activity as ransomware attacks, reducing the likelihood of accurate attribution and its consequences.
Nothing can be said with certainty because all of the ransomware strains presented are based on publicly accessible or leaked code and Chinese threat groups are known for sharing backdoors and infrastructure.
However, Secureworks' findings are intriguing and provide yet another reason for defenders to implement strong ransomware detection and protection, and to conduct a thorough post-cleanup inspection of all affected systems.
It is unknown whether these ransomware families were created as ruses to conceal other malicious activity, but if so, it would not be the first time ransomware has served this purpose.
In 2018, threat actors installed disk-wiping malware on hundreds of machines at a Chilean bank to distract employees while they attempted to steal money through the SWIFT money transfer system.
More recently, a day before Russia invaded Ukraine, fake ransomware called HermeticWiper was deployed on Ukrainian networks.