Pierluigi Paganini
August 18, 2023
SentinelOne observed China-linked APT group Bronze Starlight (aka APT10, Emperor Dragonfly or Storm-0401) targeting the gambling sector within Southeast Asia.
The malware and infrastructure employed in the campaign are linked to the ones observed in Operation ChattyGoblin attributed by the security firm ESET to China-linked threat actors.
SentinelOne reported that the threat actors used DLL hijacking of executables of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables to deploy Cobalt Strike beacons.
Bronze Starlight is a nation-state group that was observed using ransomware as means for distraction or misattribution.
The attackers used modified installers for chat applications to download a .NET malware loaders. Then the loaders retrieve a second-stage payload stored in password-protected ZIP archive from Alibaba buckets.
“The zip archives downloaded by agentupdate_plugins.exe and AdventureQuest.exe contain sideloading capabilities. Each of the archives we were able to retrieve consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets sideloaded by the executable when started, and an encrypted data file named agent.data.” reads the analysis published by SentinelOne.
“The [HUI] loader is executed through sideloading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file.”
The researchersnoticed that agentupdate_plugins.exe and AdventureQuest.exe implement geofencing based on the ifconfig.co IP-based geolocation service. The threat actors attempt to avoid targeting machines located in the United States, Germany, France, Russia, India, Canada, or the United Kingdom. This circumstance suggests that the cyberspies are not interested in gather intelligence on these countries, however due to errors in implementation, the geofencing doesn’t work correctly.
The researchers observed that the loader “AdventureQuest.exe” is signed using a certificate issued to a Singapore-based VPN provider called Ivacy VPN. The attackers have likely stolen the PMG PTE LTD singing key. Digitcert has revoked the code signing certificate in June after a public discussion on the issue.
“China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so,” concludes the report that also includes Indicators of compromise (IoCs) “illustrate the intricate nature of the Chinese threat landscape.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Bronze Starlight)
