
APT group Bronze Union comes up with updated RAT malware

  • Remote Access Trojans (RAT) by Bronze Union such as ZxShell, Gh0st, and SysUpdate were reportedly found using updated tactics.
  • The APT group known for its notorious campaign back in 2018 is believed to have compromised political and military intel.

Bronze Union, a China-based APT group, has updated its RAT tools to further its malicious operations. In their analysis, researchers from SecureWorks found that the APT's tools had gained new features. The threat group relied extensively on watering hole attacks to deliver these tools.

Over the years, Bronze Union has built up a variety of tools to carry out its attacks. It has also been observed that the group is now attempting to steal data pertaining to weapons technology.

Worth Noting

  • Bronze Union, also known as Emissary Panda, LuckyMouse and APT27, has been active since 2013.
  • SecureWorks observed that the group targets political, technology, manufacturing, and humanitarian organizations.
  • ZxShell, one of its RATs, developed in 2006, was found to have an updated version in the analysis.
  • Similarly, other tools such as the Gh0st and SysUpdate RATs had advanced remote access capabilities such as file management, shell command execution, and more.
  • SysUpdate is a multi-stage malware developed by the threat group and deployed for large-scale attacks.

The big picture

“We anticipate that the group will continue to evolve their tools and capabilities to ensure their effectiveness. This constant evolution means that for an organization facing this threat it’s important to have strategies in place that focus on threat actor behaviors rather than known bad tools and infrastructure, which will inevitably change over time,” the researchers told ThreatPost.

Therefore, IT organizations and users alike should be wary of these tools and keep an eye on any suspicious activity involving sensitive information.
