A recent barrage of ransomware attacks against top video game companies has been linked to the notorious APT27 group, which has strong links to China. According to researchers at Profero and Security Joes, this suggests that the group is shifting from its traditional espionage methods to ransomware.
The two companies noted the “strong links” to APT27 when they were brought in as part of the incident response efforts following ransomware activity that targeted several major gaming organisations around the world last year as part of a supply-chain attack.
Not much detail of these incidents has been made publicly available, and the researchers told ThreatPost that they were unable to name the specific gaming companies, or reveal the timelines, but said that five companies were affected, two of which are “among the largest in the world”.
APT27, also known as LuckyMouse, Emissary Panda and Bronze Union, is believed to hail from China and has been around since 2013.
In the past, the group has leveraged publicly available tools to gain access to networks, and has aimed at gathering political and military intelligence, focusing on cyber espionage and data theft, as opposed to monetary gain.
Although APT27 has not been associated with financial gain, and the shift to ransomware is unusual, the incidents occurred while COVID-19 was rampant across China and lockdowns were coming into effect. As a result, the change to a financial motivation 'would not be astonishing', said the two companies.
A supply chain attack
According to the researchers, the initial infection vector for the attack was via a third-party service provider that had been previously infected through another third-party service provider.
Further scrutiny revealed malware samples linked to a campaign from the beginning of last year, discovered by Trend Micro and dubbed DRBControl. At the time, Trend Micro researchers found that it had links to APT27. The calling card of the DRBControl backdoor campaign was that it hit gambling companies and employed Dropbox for command-and-control communications.
Researchers from Profero and Security Joes discovered a “very similar sample” of DRBControl in this recent instance, although it didn’t have Dropbox capabilities. They also discovered that DRBControl, as well as a PlugX sample, was then loaded into memory using a Google Updater executable, which was vulnerable to DLL side-loading.
Side-loading is the technique of employing a malicious DLL to spoof a legitimate one, and then relying on legitimate Windows executables to execute the malicious code. Researchers said both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll.
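As an added example (not code from the article or from the Profero and Security Joes investigation), the following heuristic flags the side-loading pattern described above in Sysmon-style image-load records: a signed host process maps a DLL with a vendor file name (here goopdate.dll) that is unsigned, signed by a different publisher, or loaded from a user-writable directory. The GoogleUpdate.exe file name, the "Google LLC" signer string, the enriched host_signer field and the writable-directory prefixes are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names known to be abused for side-loading; goopdate.dll is the one named
# in the incidents above. Add further names from your own telemetry.
WATCHED_DLLS = {"goopdate.dll"}
# User-writable directories (assumed prefixes for this example); a vendor DLL
# mapped from one of these is suspicious on its own.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

@dataclass
class ImageLoad:
    """Sysmon Event ID 7 (Image Load), reduced to the fields the check needs.
    host_signer is not native to Event 7; assume it was enriched from the
    process-creation event of the same host process."""
    image: str           # Sysmon "Image": the host process
    image_loaded: str    # Sysmon "ImageLoaded": the DLL that was mapped
    host_signer: str     # signer of the host executable, "" if unsigned
    dll_signer: str      # Sysmon "Signature": signer of the DLL, "" if unsigned
    dll_sig_status: str  # Sysmon "SignatureStatus", e.g. "Valid"

def side_load_findings(events):
    """Return (image_loaded, reasons) for each load where a signed host maps a
    watched DLL that is unsigned, signed by another publisher, or user-writable."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev.image_loaded).name.lower()
        if name not in WATCHED_DLLS or not ev.host_signer:
            continue  # unwatched name, or unsigned host: a different pattern
        reasons = []
        if ev.dll_sig_status != "Valid" or not ev.dll_signer:
            reasons.append("dll unsigned or signature not valid")
        elif ev.dll_signer != ev.host_signer:
            reasons.append(f"dll signer {ev.dll_signer!r} differs from host {ev.host_signer!r}")
        if ev.image_loaded.lower().startswith(WRITABLE_PREFIXES):
            reasons.append("dll loaded from a user-writable directory")
        if reasons:
            findings.append((ev.image_loaded, reasons))
    return findings

# Constructed sample events, not real telemetry; the executable name and the
# "Google LLC" signer string are assumptions for the example.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
              r"C:\Program Files (x86)\Google\Update\goopdate.dll",
              "Google LLC", "Google LLC", "Valid"),  # legitimate load, no finding
    ImageLoad(r"C:\Users\Public\Updater\GoogleUpdate.exe",
              r"C:\Users\Public\Updater\goopdate.dll",
              "Google LLC", "", "Unavailable"),  # side-load pattern, flagged
]
```

Running `side_load_findings(SAMPLE_EVENTS)` returns only the second load, with both the unsigned-DLL and writable-directory reasons.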
Once the bad actors gained access to the company systems via the third-party compromise, an ASPXSpy webshell was deployed, to assist in lateral movement.
Links to APT27
The researchers said the tactics, techniques and procedures used, together with code similarities they found, drew “extremely strong links” to APT27. For example, the modified version of the ASPXSpy webshell used in the campaign has previously been seen in APT27-attributed cyber attacks. In addition to the backdoor, researchers also discovered a binary responsible for escalating privileges by exploiting CVE-2017-0213, a Microsoft Windows Server vulnerability that APT27 has exploited in the past.
“APT27 has been known to use this exploit to escalate privileges in the past; with one incident resulting in a crypto-miner being dropped to the system,” concluded researchers.