China-linked APT Groups Picking on Ransomware Attacks

Recently, researchers from Profero and Security Joes released an investigation report on a set of financially-motivated ransomware incidents at multiple companies. The attacks occurred in 2020 and the hackers had managed to target at least five companies in the online gambling sector through a third-party service provider, which had been infected through another third-party provider.


Ransomware attacks attributed to Chinese APTs

The researchers were able to discover samples of malware linked to a campaign known as DRBControl, with links to two Chinese APT groups - APT27 and Winnti.
  • The researchers have been able to attribute these attacks to these APT groups on the basis of used exploits. While the use of HyperBro backdoor points towards the APT27 group, the use of the Clambling malware and post-exploitation tool BITSAdmin links these attacks to the Winnti group.
  • The Clambling and PlugX samples were loaded together in the system memory using an older Google Updater executable that was vulnerable to DLL side-loading.
  • In addition, the attackers had deployed MimiKatz, BitLocker, ASPXSpy webshell, and a cryptominer. The attackers exploited the Windows COM Elevation of Privilege Vulnerability (CVE-2017-0213) to escalate privileges on the machine.


Super active Chinese APT groups

  • In December, several Chinese APT groups, including Winnti, were found linked to supply chain attacks on hundreds of Mongolian government agencies, carried out via an app called Able Desktop, developed by a local company named Able Software.
  • ESET researchers suspected that different China-linked APTs, such as APT27, TA428, CactusPete, TICK, IceFog, KeyBoy, and Winnti are either collaborating, using the same tools, or are subgroups part of a larger group that controls their operations and targeting.


Conclusion

Chinese APT groups are known for stealing military, intelligence, and business information from compromised targets and frequently focusing on financially-driven campaigns. The APT groups have been shifting their focus to new dimensions such as the online gambling sector. The audacity of APT groups such as APT27 and Winnti signifies that governments should have a unified approach in the fight against such threats.