Positive Technologies has published new details about a series of attacks carried out by suspected Chinese hackers between January till July 2021 that targeted various countries, including Russia, Belarus, China, and the U.S. The attacks were reportedly carried out by a threat actor with ties to China.
The intrusions were traced to an advanced persistent threat known as APT31. The group is also known under the names Zirconium (Microsoft), Judgement Panda (CrowdStrike), and Bronze Vinewood (Secureworks).
The group is a China-based cyberespionage operation that’s focused on information theft for the Chinese government. According to cybersecurity company FireEye, the group is a “China-nexus cyberespionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages.”
In a write-up published Tuesday, security firm Positive Technologies has revealed the actor is using a new type of malware dropper that retrieves next-stage encrypted payloads from a remote server and ultimately executes a backdoor.
Researchers noted the malware’s ability to self-delete and cover up its traces:
“The code for processing the [self-delete] command is particularly intriguing: all the created files and registry keys are deleted using a bat-file,” Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov said.
Researchers also noted the malware’s similarity to DropboxAES RAT in use by the same threat group. Both malware strands used Dropbox for command-and-control communications, and both shared the same techniques and mechanisms.
The researchers concluded that the similarities between the present samples and those released in 2020 suggest that the hacker group is expanding to other countries, in particular to Russia:
“The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular.”
