A China-based advanced persistent threat (APT) actor that has been active since last year appears to be using ransomware as a smokescreen for state-sponsored espionage.
The group relies on a single malware loader, HUI Loader, which appears to be used only by Chinese threat actors. They use it to load Cobalt Strike Beacon, and from there deploy whichever ransomware they have chosen for that intrusion.
Unlike most ransomware gangs, which stick with one ransomware tool they know well, these hackers have used at least five different ransomware families – LockFile, AtomSilo, Rook, Night Sky and Pandora. It is possible that they are doing this to look like several different gangs.
Researchers are calling this gang Bronze Starlight.
The group's victims include a pharmaceutical company, a law firm and media companies in the U.S. Other victims include electronics manufacturers and aerospace/defense companies.
These are the types of companies that China likes to spy on and steal data from.
In at least one case Bronze Starlight installed a backdoor (to be able to steal data) but did not deploy any ransomware.
Their software is also evolving. A new version includes a number of detection evasion techniques, such as disabling the Windows Antimalware Scan Interface (AMSI) so that antimalware software cannot scan script content in memory and will miss malware it would otherwise recognize.
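Tampering with AMSI tends to leave traces in PowerShell script-block logs, which is where a defender would look for it. The following Python is an added example and is not code from the article or from the researchers' report: the simplified log format, host and user names, and the set of indicator strings are all constructed assumptions, chosen to show how a log-scanning check can surface script blocks that reference AMSI internals.

```python
"""Flag PowerShell script-block log entries that reference AMSI internals.

Added example, not from the article or the Bronze Starlight report it
summarizes. Log lines and field layout are constructed; the indicator list
is an assumption based on commonly published detection patterns.
"""
import re
from typing import Dict, List, Optional

# Defender-side indicators: a match is a reason to investigate, not proof of
# compromise (security tooling and admin scripts can mention these names too).
AMSI_TAMPER_INDICATORS = [
    ("AmsiUtils", re.compile(r"AmsiUtils", re.IGNORECASE)),            # reflection on the AMSI helper class
    ("amsiInitFailed", re.compile(r"amsiInitFailed", re.IGNORECASE)),  # the "init failed" flag
    ("AmsiScanBuffer", re.compile(r"AmsiScanBuffer", re.IGNORECASE)),  # resolving the scan routine
    ("amsi.dll", re.compile(r"amsi\.dll", re.IGNORECASE)),             # touching the library directly
]

# Simplified one-line-per-script-block layout (assumed, not a real event format).
LINE_RE = re.compile(
    r"^(?P<event>\d+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+script=(?P<script>.*)$"
)

# Constructed sample log: two benign admin script blocks and two that touch AMSI.
SAMPLE_LOG = """\
4104 host=ws01 user=alice script=Get-ChildItem C:\\Users -Recurse
4104 host=ws02 user=bob script=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', ...)
4104 host=ws03 user=carol script=$p=[System.Runtime.InteropServices.Marshal]::GetProcAddress((LoadLibrary 'amsi.dll'), 'AmsiScanBuffer')
4104 host=ws04 user=dave script=Import-Module ActiveDirectory; Get-ADUser -Filter *
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into its fields; None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_amsi_tampering(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per script block (event 4104) that matches any indicator."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] != "4104":
            continue
        matched = [name for name, pattern in AMSI_TAMPER_INDICATORS if pattern.search(rec["script"])]
        if matched:
            hits.append({"host": rec["host"], "user": rec["user"], "indicators": matched})
    return hits


def hosts_to_investigate(hits: List[Dict[str, object]]) -> List[str]:
    """Distinct hosts with at least one hit, sorted for a triage list."""
    return sorted({str(h["host"]) for h in hits})


if __name__ == "__main__":
    found = find_amsi_tampering(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['host']} ({hit['user']}): {', '.join(hit['indicators'])}")
    print("investigate:", hosts_to_investigate(found))
```

Script-block logging has to be enabled for this to see anything, and in practice the indicator list would be tuned against the environment's own admin tooling to keep false positives down.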
But in one way these attacks are not sophisticated – for the most part, they get in by exploiting known vulnerabilities that the victims have not patched.
If you have valuable (to you or an adversary) intellectual property or personally identifiable information of your customers, you need to make sure that you are making it hard for the bad guys. Zero trust is part of this, as are a number of other processes and technologies. If you need help with implementing this, or if you want to see how secure you currently are, please contact us.
Credit: Dark Reading