Chinese APTs Performing Ransomware Attacks Using Legitimate Tools

Security researchers at the firms Profero and Security Joes have shared details about a Chinese APT that’s moving towards performing ransomware attacks. The group is identified as APT27, also known as Emissary Panda and other names. Researchers found evidence of APT27 using backdoor and file encryption malware.

Chinese Cyberespionage Groups Getting Involved in Ransomware

It’s unusual for cyberespionage groups to get involved in ransomware attacks, as they’ve only been concerned with snooping and data-stealing activities for their backing government. But researchers at the security firms Profero and Security Joes have found that a Chinese APT, identified as APT27, has lately entered the ransomware space.

The group is also identified by various names like Emissary Panda, TG-3390, LuckyMouse, BRONZE UNION, and Iron-Tiger. It’s said the group is using several tools that were meant for encrypting the target systems. These include legitimate services like Google updates and BitLocker, Microsoft’s drive encryption software.

As per attacks noted last year, APT27 has targeted at least five firms in the online gambling space globally, and has successfully encrypted their core servers using BitLocker. It’s reported that they achieved this by exploiting a third-party service on the target’s network, access to which was in turn obtained from another third-party service.

Examining the attack, researchers found samples of malware like DRBControl, which is the same tool described by Trend Micro in an earlier campaign and attributed to APT27 and Winnti, both of which are Chinese-backed cyberespionage groups.

In a joint report released lately, Security Joes and Profero claim to have found a sample of the Clambling backdoor, used for setting backdoors in the target system for reconnaissance. They also found the ASPXSpy web shell and the PlugX RAT, the latter of which has been mentioned several times in campaigns linked to Chinese groups.

Besides these two Chinese APTs, researchers at Positive Technologies have linked APT27 to an attack that happened on Polar in April 2020. It’s said that the APT27 group is using general means to approach and infect targets, like the PlugX and Clambling malware, both loaded into system memory through an older Google Updater executable, which has a DLL side-loading bug.

Further, the attackers are exploiting a previously known vulnerability, tracked as CVE-2017-0213, to escalate privileges on the system. All in all, it’s strongly suggested that Chinese APTs are gradually moving to financially motivated attacks, which is unusual for nation-state-backed hacker groups.