Two Chinese hacking gangs are using ransomware as a ruse to conceal their illicit operations as they engage in cyber espionage and steal intellectual property from Western and Japanese businesses.
The use of ransomware in espionage operations, according to threat experts at Secureworks, is done to hide their footprints, make attribution more difficult, and produce a potent distraction for defenders.
Finally, unlike threat organizations supported by the Chinese government, the exfiltration of vital information is disguised as financially motivated attacks.
Ransomware behaviour that seems odd
The two hacker activity groups that Secureworks has identified are “Bronze Riverside” (APT41) and “Bronze Starlight” (APT10). Both of these clusters use the HUI Loader to spread remote access trojans like PlugX, Cobalt Strike, and QuasarRAT.
In order to spread ransomware variants like LockFile, AtomSilo, Rook, Night Sky, and Pandora, “Bronze Starlight” began using Cobalt Strike in March 2022.
The hackers also employed a new version of HUI Loader in these attacks, which has the ability to hook Windows API calls and deactivate the functionality of Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI).
Using AtomSilo, Night Sky, and Pandora in three different attacks, the setup of Cobalt Strike beacons revealed a shared C2 address. Additionally, this year’s HUI Loader sample uploads to Virus Total came from the same source.
In contrast to commercially motivated ransomware operations, which focus on a small number of victims over a short period of time before abandoning the project entirely, LockFile, AtomSilo, Rook, Night Sky, and Pandora’s activity and victimology are unusual.
Additionally, Secureworks notes that there are code parallels between Pandora and the most recent release of HUI Loader, suggesting that this shaky connection may be indicative of a single organization.
While Night Sky, Pandora, and Rook were all derived from Babuk source code and also share a great deal of similarities in their coding, LockFile and AtomSilo also seem to be highly similar.
These five ransomware operations left no trace in the world of cybercrime and never actually developed into a serious menace. Additionally, they were all left behind a little too soon.
However, “Bronze Starlight” may be developing transient ransomware variants only to disguise its cyber-espionage activities as ransomware assaults, lessening the likelihood of dealing with the effects of precise attribution.
Nothing can be said with certainty because all of the ransomware strains presented are based on publicly accessible or leaked code and Chinese threat groups are known for sharing backdoors and infrastructure.
However, Securework’s findings are intriguing and provide another another justification for defenders to implement strong ransomware detection and protection solutions and conduct a thorough post-cleanup inspection of all systems.
It is unknown whether these ransomware families were created as ruses to conceal other malicious activity, but if so, it wouldn’t be the first time ransomware has this function.
In order to divert employees while trying to steal money using the SWIFT money transferring system, threat actors in 2018 installed disk-wiping malware on hundreds of machines at a Chilean bank.
More recently, a day before Russia invaded Ukraine, false ransomware called HermeticWiper was installed on Ukrainian networks.
