APT27: An In-depth Analysis of a Decade-Old Active Chinese Threat Group
Research and Analysis • Mar 29, 2022
Origin: 2009
Aliases: IronPanda, Lucky Mouse, LuckyMouse, Iron Panda, APT 27, Emissary Panda, Iron Tiger, ZipToken, Group 35, TEMP.Hippo, TG 3390, Bronze Union, Threat Group 3390
Targeted Sectors: Government, Information Technology, Research, Business Services, High Tech, Energy, Aerospace, Travel, Automotive, Electronics
Attack Vectors: Watering Holes, Spear Phishing, Remote Code Execution, Living off the Land Attack, Rootkit Attack, Supply Chain Attack, Unauthorized Access
Targeted Regions: North America, South-East Asia, Western Asia, Eastern Asia, South America, Middle East
Motive: Cyberespionage, Data Theft, Ransom
Malware Used: Sogu, Ghost, ASPXSpy, ZxShell RAT, HyperBro, PlugX RAT, Windows Credential Editor, FoundCore
Tools Used: China Chopper, gsecdump, HTTPBrowser, Impacket, ipconfig, Mimikatz, NBTscan, Net, OwaAuth, pwdump, ZxShell
APT27 is a Chinese threat group known for its extensive use of watering hole and spear-phishing attacks. Active for over a decade, the group uses multiple malware families and exploits numerous vulnerabilities to meet its espionage goals, and it keeps altering its attack strategies and ploys to avoid detection while spying on victims. Lately, the group appears to have added financially motivated attacks to its espionage model by including ransomware in its campaigns.
APT27 is capable of deploying a variety of tools and tactics for its cyberespionage missions. Between 2015 and 2017, the threat group compromised victims' networks using watering hole attacks via nearly 100 compromised legitimate websites.
Despite public disclosure of its activities in 2017, the group's cyberespionage operations continued, with its methods evolving. In February 2019, the group attempted living-off-the-land attacks to steal information on cutting-edge weapons technologies and to spy on dissidents and other civilian groups.
In March 2020, the group exploited fear of the COVID-19 pandemic, luring targets with pandemic-themed email and instant-messaging campaigns carrying phishing or malware links. In April 2020, it carried out cross-platform attacks on back-end servers to steal business data.
In 2011, a honeypot captured APT27 exploiting vulnerabilities in Microsoft products to drop Gh0st RAT. In 2013, the group was discovered using various PlugX malware strains. The same year, it deployed a web shell known as China Chopper in attacks on SharePoint servers belonging to a Middle East government. In June 2016, a malware variant of HttpBrowser that researchers linked to APT27 was discovered; it targeted a consumer drone company in Europe.
In February 2018, the group launched an attack campaign named PZChao, using two versions of the Mimikatz password-scraping utility to collect passwords and upload them to its C2 server. The threat actor also tried its hand at cryptomining using the ZombieBoy malware, which abused multiple vulnerabilities, such as CVE-2017-9073, CVE-2017-0143, and CVE-2017-0146, to compromise targeted networks. In September 2018, multiple infections by a previously unknown trojan were discovered in an attack that used a malicious NDISProxy driver carrying the certificate of a Chinese IT company.
In January 2020, APT27 used an updated version of ZxShell RAT to target the latest version of Windows 10.
In January 2021, the attackers deployed Clambling and PlugX via DLL side-loading through an older Google Updater executable, and abused CVE-2017-0213 to escalate privileges. Other tools observed included the ASPXSpy web shell, the post-exploitation tool bitsadmin, the HyperBro backdoor, BitLocker, Mimikatz, and a cryptominer. In March 2021, the group exploited several Microsoft Exchange server vulnerabilities, including CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, and CVE-2021-26855 (ProxyLogon). In April 2021, the group refreshed its toolkit with an updated SysUpdate malware variant. In September, researchers alleged that APT27 was behind an attack campaign exploiting CVE-2021-40539 in Zoho's ManageEngine ADSelfService Plus product. A similar attack that abused a newly identified vulnerability (CVE-2021-44077) in Zoho's ManageEngine ServiceDesk Plus was also attributed to the group.
In January 2022, security experts discovered APT27 relying again on the HyperBro RAT to backdoor targets in Germany. Meanwhile, a fileless and socketless backdoor, dubbed SockDetour, was used against U.S. defense contractors in February; researchers suspected it was linked to APT27.
APT27 first shot into the limelight in September 2015 when it stole trillions of bytes of confidential data from the U.S. government and its military defense contractors, intelligence agencies, and FBI-based partners. The next month, a variant of the Korplug RAT (aka PlugX) was found disguised as an antivirus product to target Vietnamese institutions and to dox 400,000 Vietnam Airlines members. The group carried out an espionage campaign in June 2018 when it discreetly planted malware on Mongolian government websites. Researchers disclosed Syrian users as the group's next target the following month; it used Windows and Android spyware to exfiltrate sensitive information from their devices.
The group ventured into financially motivated cybercrime from 2021 onward and started using ransomware in its attacks, reportedly infecting the servers of several major gaming companies worldwide. In April 2021, researchers revealed an advanced campaign against Vietnamese government and military organizations. The next month, the threat group installed web shells on SharePoint servers to compromise government organizations. Later, in December, the Able Desktop chat software, used by 430 government agencies in Mongolia, was abused to spread the HyperBro backdoor, Korplug RAT, and Tmanger. During its attack on the Zoho platform, APT27 impacted at least nine organizations across multiple critical sectors worldwide, including defense, energy, healthcare, and technology.
In January 2022, German domestic intelligence services warned of ongoing attacks coordinated by APT27. The group is also suspected of being part of the larger TiltedTemple campaign, in which the networks of at least one U.S. defense contractor were compromised.
The group has targeted multiple regions, including the Americas, Asia, the Middle East, and Europe. As for sectors, it has consistently shown interest in government, information technology, research, business services, high tech, energy, aerospace, travel, automotive, and electronics. Notable targeted entities include Amper SA, Microsoft, Able Desktop, Mongolian government agencies, Turkish agencies, and German commercial organizations.
APT27's use of email as an attack vector is very common, and given the seriousness of this threat, organizations should train their employees regularly. For protection against web shells, apply regular updates to applications and operating systems to fix known vulnerabilities. To limit the damage from unauthorized access, implement a least-privilege policy on the web server to reduce an attacker's ability to escalate privileges or pivot laterally. As APT27 also conducts ransomware attacks, keep frequent backups of sensitive information and deploy robust anti-ransomware solutions. Moreover, the best way to counter a group that keeps evolving its attack vectors is to operationalize threat intelligence across security workflows using advanced threat intelligence platforms.
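As an added example of a detection that backs up the web shell advice above (this is not code from the original profile), the following Python flags process-creation events in which an IIS worker process spawns a shell or reconnaissance binary, the classic host-level footprint of web shells such as China Chopper on Exchange and SharePoint servers. The Sysmon-like JSON event layout and all sample events are constructed for this example.

```python
"""Flag web-shell-style process trees in constructed Sysmon-like events."""
import json
from typing import Iterable, List, Tuple

# Web application worker processes that should rarely spawn shells.
WEB_WORKERS = {"w3wp.exe", "tomcat9.exe"}
# Children that, under a web worker, usually indicate web shell use.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe",
                       "whoami.exe", "ipconfig.exe", "nbtscan.exe",
                       "bitsadmin.exe", "certutil.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_webshell_spawn(event: dict) -> bool:
    """True for a process-creation event (Sysmon EID 1) whose parent is a
    web worker and whose child is a shell or reconnaissance binary."""
    if event.get("EventID") != 1:
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in WEB_WORKERS and child in SUSPICIOUS_CHILDREN

def scan(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (ProcessId, 'parent->child', CommandLine) for each hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_webshell_spawn(ev):
            chain = f"{basename(ev['ParentImage'])}->{basename(ev['Image'])}"
            hits.append((ev["ProcessId"], chain, ev.get("CommandLine", "")))
    return hits

# Constructed sample (one JSON event per line): worker start (benign),
# cmd.exe under w3wp.exe (hit), cmd.exe under explorer.exe (operator,
# benign), and a network-connection event (EID 3, ignored).
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "w3wp.exe -ap \"MSExchangeOWAAppPool\""}
{"EventID": 1, "ProcessId": 5316, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "CommandLine": "cmd.exe /c whoami"}
{"EventID": 1, "ProcessId": 6004, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe"}
{"EventID": 3, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "DestinationIp": "10.0.0.5"}
"""

if __name__ == "__main__":
    for pid, chain, cmd in scan(SAMPLE_EVENTS.splitlines()):
        print(f"ALERT pid={pid} {chain} cmdline={cmd!r}")
```

Tuning the allow-list of worker processes to the servers you actually run (for example the Tomcat-hosted ManageEngine products named in this profile) keeps the rule quiet on legitimate hosts.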
APT27 appears to be active at present and has already shown advanced capabilities in targeting victims with different malware and methods. Further, the group takes advantage of every possible vector to gain access to targeted organizations, continuously updating its tactics, techniques, and procedures (TTPs) to stay ahead. Researchers expect the group to continue its attacks and come up with more refined tactics in the near future, so organizations should stay alert and proactively track this threat group to ward off forthcoming damage to their business.
Campaign Against ServiceDesk Plus
Filenames
msiexec[.]exe
sd11301[.]pdb
tomcat-postgres[.]jar
FilePath
D:\ManageEngine\ServiceDesk\bin\msiexec[.]exe
C:\Users\pwn\documents\visual studio 2015\Projects\payloaddll\Release\sd11301[.]pdb
The cyberattacks on Exchange Servers
DLL
siiswmi[.]dll
mscoree[.]dll
The shift to ransomware attacks
File name
license[.]rtf
English[.]rtf
goopdate[.]dll
GoogleUpdate[.]exe
debug[.]exe
The attacks on Mongolia
Filename
data[.]dat
IntgStat[.]exe
Pcalocalresloader[.]dll
c:\users\waston\desktop\20190403_tmanger\20191118 tm_new
1[.]0\release\mloaddll[.]pdb
thinprobe[.]exe
Intgstat[.]exe
Thinprobe[.]dll
pcalocalresloader[.]dll
data1[.]exe
AbleTimeAccess_Update[.]exe