
China-Linked BRONZE PRESIDENT APT targets Government officials worldwide

China-linked BRONZE PRESIDENT group is targeting government officials in Europe, the Middle East, and South America with PlugX malware.

Secureworks researchers reported that China-linked APT group BRONZE PRESIDENT conducted a new campaign aimed at government officials in Europe, the Middle East, and South America with the PlugX malware.

Attacks that were part of this campaign were observed in June and July 2022.

PlugX is a modular backdoor whose capabilities can be extended by downloading additional plugins.

“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests.” reads the analysis published by Secureworks.

BRONZE PRESIDENT is a China-based group that has been active since at least 2014 and has historically targeted political and law enforcement organizations and NGOs in Asia. The group compromises target networks with a mix of custom remote access tools and publicly available remote access and post-compromise tools.

In the recent campaign, the malware is delivered inside RAR archive files. When the archive is opened, the only visible item is a Windows shortcut (LNK) file that masquerades as a document. Clicking the shortcut executes the malware.

The archive also contains the malware itself in a hidden folder buried eight levels deep in a chain of hidden folders whose names consist of special characters. The attackers used this trick in an attempt to evade mail-scanning products.

The shortcut launches a renamed legitimate executable stored in the eighth hidden folder. Alongside it, the attackers drop a malicious DLL and an encrypted payload file; the legitimate binaries are vulnerable to DLL search order hijacking, so they load the attacker's DLL from the same directory instead of the intended system library.

“When executed, they import the malicious DLL that loads, decrypts, and executes the payload file. In each sample analyzed by CTU researchers, the shortcut file metadata indicates the file was created on a Windows system either with hostname “desktop-n2v1smh” or “desktop-cb248vr”.” continues the report.

“Once running, the payload drops a decoy document to the logged-on user’s %Temp% directory and copies the three files to a ProgramData subdirectory using the pattern “<Application><3 characters>” (e.g., Operavng)”
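The infection chain above starts with the shortcut file, so the cheapest hunt is to inspect LNK files pulled from mail archives before anyone clicks them. The following parser is an added example written for this page; it is not code from Secureworks or from the original article. It builds a constructed sample shortcut in memory (the folder names and target file name are hypothetical, chosen only to mimic the layout the report describes), then extracts the three fields this campaign exposes: the relative path the shortcut launches, its arguments, and the NetBIOS machine name stored in the TrackerDataBlock, which is the "hostname" the report refers to. The two creator hostnames are the ones quoted from the report; the nesting-depth and special-character heuristics are assumptions that a hunter would tune to their own environment.

```python
"""Parse a Windows shortcut (.lnk) and flag traits of the BRONZE PRESIDENT lure.

Added example for this page (not Secureworks' or Security Affairs' code).
Field layout follows the public MS-SHLLINK specification; the sample shortcut
is constructed inline so the script runs offline.
"""
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
TRACKER_DATA_SIGNATURE = 0xA0000003  # ExtraData block carrying the creator's MachineID

# Creator hostnames quoted in the Secureworks report for this campaign.
KNOWN_CREATOR_HOSTS = {"desktop-n2v1smh", "desktop-cb248vr"}
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd")


def _pack_string(s):
    # StringData item: CountCharacters (not bytes) followed by UTF-16LE text.
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


def build_lnk(relative_path, arguments, machine_id):
    """Construct a minimal shortcut: header, RELATIVE_PATH, ARGUMENTS, TrackerDataBlock."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    # TrackerDataBlock: BlockSize 0x60, signature, Length 0x58, Version 0,
    # MachineID (16 bytes, NetBIOS name), Droid (32), DroidBirth (32).
    tracker = struct.pack("<IIII16s32s32s", 0x60, TRACKER_DATA_SIGNATURE, 0x58, 0,
                          machine_id.encode("ascii"), b"\0" * 32, b"\0" * 32)
    terminal = struct.pack("<I", 0)  # TerminalBlock ends the ExtraData section
    return header + _pack_string(relative_path) + _pack_string(arguments) + tracker + terminal


def parse_lnk(data):
    """Return the StringData fields plus the creator MachineID, if present."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + count * width]
            off += count * width
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    machine_id = None
    while off + 8 <= len(data):                   # walk ExtraData blocks
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:                              # TerminalBlock
            break
        if sig == TRACKER_DATA_SIGNATURE and size >= 0x60:
            machine_id = data[off + 16:off + 32].split(b"\0", 1)[0].decode("ascii", errors="replace")
        off += size
    fields["machine_id"] = machine_id
    return fields


def assess_lnk(fields, max_depth=4):
    """Heuristics (assumed thresholds) matching the lure layout described in the report."""
    reasons = []
    if (fields.get("machine_id") or "").lower() in KNOWN_CREATOR_HOSTS:
        reasons.append("created on a host named in the Secureworks report")
    target = (fields.get("relative_path") or "").replace("/", "\\")
    parts = [p for p in target.split("\\") if p not in ("", ".")]
    depth = len(parts) - 1
    if depth >= max_depth:
        reasons.append(f"target is nested {depth} folders deep")
    if any(not any(c.isalnum() for c in folder) for folder in parts[:-1]):
        reasons.append("intermediate folder names consist only of special characters")
    if parts and parts[-1].lower().endswith(EXECUTABLE_EXTENSIONS):
        reasons.append("document-looking shortcut launches an executable")
    return reasons


# Constructed samples: eight single-character hidden folders and a renamed legitimate
# binary (hypothetical name), versus an ordinary shortcut to a document.
SAMPLE_LNK = build_lnk(".\\$\\$\\$\\$\\$\\$\\$\\$\\Opera.exe", "", "desktop-n2v1smh")
BENIGN_LNK = build_lnk(".\\Quarterly report.docx", "", "desktop-abc1234")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, f["relative_path"], f["machine_id"], assess_lnk(f) or "clean")
```

Run against real shortcuts by reading the file bytes into `parse_lnk`; the creator hostname is the highest-confidence signal, since it survives renaming of the decoy and the payload, while the nesting and naming heuristics catch the mail-filter evasion trick even if the actor rebuilds the lures on a new machine.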

The researchers recommend that organizations in geographic regions of interest to China monitor this APT group's activity, and they shared indicators of compromise for the campaign.

“BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group’s activities, especially organizations associated with or operating as government agencies.” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, BRONZE PRESIDENT)
