A China-linked state-sponsored hacking group named Bronze Starlight was observed deploying various ransomware families to hide the true intent of its attacks. In attacks observed as early as mid-2021, the threat group started using the HUI Loader to drop ransomware such as AtomSilo, LockFile, Night Sky, Pandora, and Rook.
The short lifespan of each ransomware family, the victimology, and the access to tooling employed by Chinese nation-state threat actors (including known vulnerabilities and the HUI Loader) led researchers to believe that Bronze Starlight is likely interested in cyberespionage and intellectual property (IP) theft rather than financial gain. Since 2015, HUI Loader has been used to deliver remote access trojans (RATs) and other types of malware, including Cobalt Strike, QuasarRAT, PlugX, and SodaMaster. Loaders are small malicious packages designed to stay undetected on a compromised machine. While they often have little functionality as standalone malware, they have one crucial task: to load and execute additional malicious payloads.
HUI Loader is a custom DLL loader that is deployed through hijacked legitimate software programs susceptible to DLL search order hijacking: the legitimate executable loads the malicious DLL in place of the library it expects. Once executed, the loader decrypts a file containing the main malware payload and runs it. HUI Loader was previously used in campaigns by groups including APT10/Bronze Riverside, connected to the Chinese Ministry of State Security (MSS), and Blue Termite. Those groups deployed remote access trojans (RATs) including SodaMaster, PlugX, and QuasarRAT in earlier campaigns.
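As an added illustration of the DLL search order hijacking pattern described above (this is example code written for this page, not code from the original article or from the researchers), the following Python heuristic flags Sysmon-style image-load records (Event ID 7 fields: Image, ImageLoaded, Signed, SignatureStatus) where a DLL that normally lives in a Windows system directory is instead loaded from the executable's own directory and is unsigned or carries an invalid signature. The system DLL list, system directories, and sample records are constructed for the example.

```python
"""Flag DLL loads consistent with search-order hijacking (DLL sideloading).

Heuristic: a DLL whose file name normally resolves from a Windows system
directory is loaded from the same directory as the loading executable,
and that DLL is unsigned or its signature does not verify.
"""
import ntpath
from dataclasses import dataclass

# Constructed reference data. A real deployment would build the DLL
# inventory from a clean host rather than hard-code a handful of names.
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll", "msimg32.dll", "dbghelp.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    image: str            # executable that performed the load
    image_loaded: str     # full path of the DLL that was loaded
    signed: bool          # Sysmon "Signed" field
    signature_valid: bool # Sysmon "SignatureStatus" == "Valid"


def is_sideload_candidate(rec: ImageLoad) -> bool:
    """Return True if the record matches the sideloading heuristic."""
    dll_dir, dll_name = ntpath.split(rec.image_loaded.lower())
    exe_dir = ntpath.dirname(rec.image.lower())
    if dll_name not in SYSTEM_DLLS:
        return False            # not a name a search-order hijack would shadow
    if dll_dir in SYSTEM_DIRS:
        return False            # resolved from the proper system directory
    if dll_dir != exe_dir:
        return False            # not loaded from the application directory
    # A legitimately signed co-located copy is left alone to limit noise.
    return not (rec.signed and rec.signature_valid)


def find_sideload_candidates(records):
    """Filter a batch of image-load records down to sideloading candidates."""
    return [r for r in records if is_sideload_candidate(r)]


# Constructed sample telemetry: one benign system load, one sideload of a
# system DLL name from the application directory, one application-private DLL.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Users\Public\vendor\updater.exe",
              r"C:\Users\Public\vendor\version.dll", False, False),
    ImageLoad(r"C:\Users\Public\vendor\updater.exe",
              r"C:\Users\Public\vendor\updaterhelper.dll", False, False),
]
```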
Cyber threat investigators analyzed the five ransomware families above, which were linked to HUI Loader samples that were used to deploy Cobalt Strike Beacon, and found that they were built from two distinct codebases: an earlier one for AtomSilo and LockFile, and a more recent one, most likely based on the leaked Babuk ransomware source code, for Night Sky, Pandora, and Rook. “The use of HUI Loader to load Cobalt Strike Beacon, the Cobalt Strike Beacon configuration information, the C2 infrastructure, and the code overlap suggest that the same threat group is associated with these five ransomware families,” the researchers note.
The cybersecurity firm also discovered that the same network had been compromised by both Bronze Starlight and Bronze University, which deployed the ShadowPad malware. The intrusions started in November 2021 and overlapped for several weeks. The simultaneous and continued operations of another Chinese threat group on the same network suggest that the two groups may have de-conflicted their post-intrusion activity. This scenario assumes collaboration and knowledge sharing between the groups, and it could indicate that Bronze Starlight participates in government-sponsored intelligence-gathering efforts rather than being a purely financially motivated threat group.
The victimology and operational patterns of the five ransomware families do not align with the operations typically associated with financially motivated threat actors. Of a total of 21 known victims associated with AtomSilo, Night Sky, Pandora, and Rook, roughly 15 are of interest to Chinese state-sponsored cyberespionage groups. These include pharmaceutical companies, electronic component designers and manufacturers, a media company, and the aerospace and defense unit of an Indian conglomerate.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941