Active cluster, attributed to an attack group named Bronze starlight by Secureworks, involved in deploying post-intrusion ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0.
Ransomware can distract incident responders from determining the true intentions of threat actors and reduce activity attribution, the researchers said in a new report. malicious to a government-sponsored China threat group,” the researchers said in a new report. “In each case, the ransomware targeted a small number of victims for a relatively short period of time before it stopped working, seemingly permanently.”
Bronze Starlight, in operation since mid-2021, is also tracked by Microsoft under the emerging threat cluster moniker DEV-0401, with the tech giants emphasizing their involvement in all phases of the cycle. ransomware attack from initial access to payload deployment.
Unlike other RaaS groups that buy access from initial access brokers (IABs) to the network, agent-driven attacks are characterized by the use of unpatched vulnerabilities. affects Exchange Server, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence (including newly disclosed vulnerability), and Apache Log4j.
Since August 2021, the team is said to have performed multiple cycles to 6 different ransomware strains such as LockFile (August), Atom Silo (October), Rook (November), Night Sky (December), Pandora (February 2022) and most recently LockBit 2.0 (April).
Furthermore, similarities have been discovered between LockFile and Atom Silo as well as between Rook, Night Sky and Pandora – the latter three stemming from the Babuk ransomware, whose source code was leaked in September 2021 – indicating the work of a common actor.
“Because DEV-0401 maintains and frequently rebrands their own ransomware payloads, they can appear as different groups in payload-oriented reporting and evade anti-virus detection and actions. return them,” Microsoft noted last month.
When it comes to gaining ground in the network, Bronze Starlight is known to rely on techniques like using Cobalt Strike and Windows Management Instrumentation (WMI) to move sideways, although starting this month the team has begun replacing Cobalt Strike with the Sliver frame in their attacks. .
Other observed transactions related to using HUI Loader to launch payloads encode at next stages like PlugX and Cobalt Strike Beacons, the latter are used to distribute ransomware, but not before obtaining privileged Domain Administrator credentials.
“Using the HUI Loader to load the Cobalt Strike Beacon, Cobalt Strike Beacon configuration information, C2 infrastructure, and duplicated code suggest that the same threat group is associated with five related threats,” the researchers explain. this ransomware family”.
It should be pointed out that both HUI Loader and PlugX, along with ShadowPad, are malware historically used by rival Chinese nationalist collectives, suggesting Bronze Starlight’s potential for espionage rather than benefits. immediate monetary benefits.
On top of that, victim patterns spanning different strains of ransomware suggest that the majority of targets are likely to be targeted by Chinese government-sponsored groups focused on long-term intelligence gathering.
The main victims include pharmaceutical companies in Brazil and the US, a US-based media organization with offices in China and Hong Kong, designers and manufacturers of electronic components in Lithuania and Japan, a law firm in the US, and an aviation and defense division of an Indian corporation.
To that end, ransomware operations, besides providing a means to filter data as part of a “name and shame” dual blackmail scheme, offer a dual advantage in that it allowing threat actors to destroy forensic evidence of their malicious activities and act as a distraction from data theft.
“It makes sense for Bronze Starlight to deploy ransomware as a smokescreen rather than for financial gain, with the underlying motive of stealing intellectual property or performing espionage,” the researchers said.