A group of state-backed cyber attackers have adopted a new download to spread five different types of ransomware in a bid to hide their true spying activities.
Cybersecurity researchers from Secureworks published Thursday new search HUI Loader, a malicious tool that has been widely used by criminals since 2015.
Loaders are malicious little packages designed to remain undetected on a compromised device. Although it often lacks as much functionality as standalone malware, it does have one crucial task: uploading and executing additional malware payloads.
HUI Loader A custom DLL loader that can be deployed by legitimate hacked programs and vulnerable to DLL search command hijacking. Once executed, the loader will publish and decrypt a file containing the main malware payload.
In the past, HUI Loader was used in group campaigns including APT10/Bronze Riverside – Associated with China’s Ministry of State Security (MSS) – and blue termites. Groups have deployed remote access trojans (RATs) including SodaMaster, PlugX and QuasarRAT in previous campaigns.
Now, it appears that the download tool has been adapted to spread ransomware.
According to the Anti-Threat Unit (CTU) research team at Secureworks, two sets of HUI Loader-related activities have been linked to Chinese-speaking threat actors.
The first group is suspected to be the work of the Riverside Bronze. This hacking group focuses on stealing valuable intellectual property from Japanese organizations and uses the download tool to implement SodaMaster RAT.
The second, however, belongs to Bronze Starlight. SecureWorks believes that the activities of threat actors are also designed for IP theft and cyber espionage.
The goals vary depending on what information the cybercriminals are trying to obtain. Among the victims are Brazilian pharmaceutical companies, a US media outlet, Japanese manufacturers, and the air defense and aviation division of a major Indian organization.
This group is the more interesting of the two as it spreads five different types of ransomware after exploiting them: LockFile, AtomSilo, Rook, Night Sky and Pandora. The upload tool is used to spread Cobalt Strike signals during campaigns, which creates a remote connection, then the ransom package is executed.
CTU says threat actors developed their versions of the ransomware from two distinct code bases: one for LockFile and AtomSilo, and the other for Rook, Night Sky, and Pandora.
“Based on the order in which these ransomware families appeared starting in mid-2021, it is likely that threatened actors first developed LockFile and AtomSilo and then developed Rook, Night Sky, and Pandora,” the team says.
The upload tool has also been recently updated. In March, cybersecurity researchers found a new version of the HUI Loader that uses RC4 ciphers to decrypt the payload. The loader now also uses an improved obfuscation code to try to disable Windows Event Tracing for Windows (ETW), an Anti-Malware Scan Interface (AMSI) scan, and tamper with Windows API calls.
“While Chinese government-sponsored groups have historically not used ransomware, there is precedent in other countries,” says SecureWorks. “Conversely, Chinese government-sponsored groups that use ransomware as a distraction would likely make activity similar to financially motivated ransomware spreads. However, the combination of victim science and overlap with the infrastructure and tools associated with the threat group’s activity that Government-sponsored reports that Bronze Starlight spread ransomware to hide cyber-espionage activity.”
Previous and related coverage
Do you have a tip? Communicate securely via WhatsApp | Tag +447713 025499, or higher in Keybase: charlie0