10 January 2020

Chinese Bronze President APT targets government agencies and NGOs in South and East Asia


An extensive cyber espionage campaign has been uncovered that is aimed at NGOs (non-governmental organizations) and law enforcement and government agencies located in South and East Asia. In the course of the campaign the threat actor leveraged custom code, as well as publicly available exploits and malware to compromise target networks, researchers at Secureworks’ Counter Threat Unit warn.

The threat actor, referred to as Bronze President, has been active since at least 2014 and is thought to be a China-based cyberespionage group that uses both proprietary and publicly available tools to target NGO networks, monitor their activities, discredit their work, or steal their intellectual property. According to researchers, the group uses custom remote access tools alongside publicly available remote access and post-compromise toolsets.

Once a target network is compromised, the Bronze President group elevates its privileges, installs remote access tools on most systems in the network and runs custom batch scripts to collect specific file types (files with .pptx, .xlsx, .pdf extensions), or all files from a targeted NGO’s systems, as well as credentials from high-privilege network accounts and sensitive accounts, including social media and webmail.

The Secureworks team said that the latest attacks mainly targeted entities in major Asian countries such as Mongolia, India and China, with a focus on national security, humanitarian, and law enforcement organizations.

“It is likely that BRONZE PRESIDENT is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups,” the researchers said.

In addition to custom batch scripts, the group uses a variety of remote access tools, including ones that researchers had not previously observed. Its arsenal also includes widely available or modified open-source tools, likely chosen to thwart attribution or to minimize the need for tool development resources. Bronze President was observed using tools such as the Cobalt Strike penetration testing tool, the PlugX remote access trojan (RAT), the ORat loader, the RCSession basic RAT, the Nbtscan command-line tool, the Nmap network scanner, and Wmiexec.

Post-compromise tools observed on the compromised computers include PowerView.ps1 (a PowerShell module for network reconnaissance), PVE Find AD User (a command-line tool to identify the login locations of Active Directory (AD) users), AdFind (a command-line tool for AD queries), NetSess (enumerates NetBIOS sessions), Netview (enumerates networks), and TeamViewer (a remote control and desktop-sharing tool).
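The two preceding paragraphs describe the group's post-compromise pattern: reconnaissance tools followed by batch-style collection of .pptx, .xlsx and .pdf files. The following is an added hunting example, not code from Secureworks or the article; it runs over constructed process-creation events, and the tool-name regexes and the collection heuristic are assumptions to be tuned against real telemetry.

```python
import re
from collections import defaultdict

# Process-name patterns for the post-compromise tools named in the article
# (assumed patterns; tune to your own process-creation telemetry).
RECON_TOOLS = {
    "nbtscan": r"\bnbtscan(\.exe)?\b",
    "nmap": r"\bnmap(\.exe)?\b",
    "wmiexec": r"\bwmiexec",
    "adfind": r"\badfind(\.exe)?\b",
    "netsess": r"\bnetsess(\.exe)?\b",
    "netview": r"\bnetview(\.exe)?\b",
    "powerview": r"powerview\.ps1",
    "pve_find_ad_user": r"pvefindaduser",
}
# File extensions the article says the group's batch scripts sweep up.
COLLECTED_EXT = (".pptx", ".xlsx", ".pdf")

def classify(event):
    """Return the set of indicator names matched by one process-creation event."""
    cmd = event["command_line"].lower()
    hits = {name for name, pat in RECON_TOOLS.items() if re.search(pat, cmd)}
    # Batch-style collection heuristic: a copy/loop command that names at least
    # two of the targeted document extensions in one command line.
    ext_count = sum(1 for ext in COLLECTED_EXT if ext in cmd)
    if ext_count >= 2 and re.search(r"\b(xcopy|robocopy|forfiles|copy|for)\b", cmd):
        hits.add("bulk_document_collection")
    return hits

def hunt(events):
    """Group hits per host; hosts showing both recon and collection rank first."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    ranked = []
    for host, hits in per_host.items():
        recon = bool(hits & set(RECON_TOOLS))
        collect = "bulk_document_collection" in hits
        ranked.append((host, sorted(hits), recon and collect))
    ranked.sort(key=lambda r: (not r[2], -len(r[1]), r[0]))
    return ranked

# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    {"host": "WS-07", "command_line": "C:\\Users\\Public\\nbtscan.exe -r 10.0.0.0/24"},
    {"host": "WS-07", "command_line": "cmd.exe /c for /r C:\\ %f in (*.pptx *.xlsx *.pdf) do copy \"%f\" C:\\ProgramData\\tmp\\"},
    {"host": "WS-12", "command_line": "powershell.exe -ep bypass -f C:\\temp\\PowerView.ps1"},
    {"host": "SRV-01", "command_line": "C:\\Windows\\System32\\xcopy.exe D:\\share\\finance E:\\backup /E"},
]

if __name__ == "__main__":
    for host, hits, both in hunt(SAMPLE_EVENTS):
        print(host, hits, "RECON+COLLECT" if both else "")
```

A legitimate backup job (SRV-01) copies files but names no document extensions, so it produces no hit; the combination of a recon tool and a multi-extension sweep on the same host is what pushes WS-07 to the top.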

“BRONZE PRESIDENT has demonstrated intent to steal data from organizations using tools such as Cobalt Strike, PlugX, ORat, and RCSession. The concurrent use of so many tools during a single intrusion suggests that the group could include threat actors with distinct tactics, roles, and tool preferences. It is likely that BRONZE PRESIDENT has additional unobserved operational tools and capabilities,” the team concluded.

Additional information on the observed cyberespionage campaign, as well as IOCs, is available in the Secureworks Counter Threat Unit write-up here.
