


Chinese APT Group Linked to Ransomware Attacks

A well-known Chinese state-backed APT group is believed to have been responsible for multiple ransomware attacks against firms last year, according to new research. A report from Security Joes and Pro reveals how the vendors uncovered the links after investigating an incident in which ransomware encrypted “several core servers” at an unidentified victim organization.

They found samples of malware linked to the DRBControl campaign which targeted major gaming companies and is associated with two well-known Chinese-backed groups, APT27 (aka Emissary Panda) and Winnti. Specifically, they claimed to have detected an older version of the Clambling backdoor used in that campaign, an ASPXSpy webshell previously used by APT27, and the PlugX RAT which is often used in Chinese attacks.



Although Winnti is known for financially motivated attacks, APT27 is generally more focused on data theft. However, the latter has previously been linked to one ransomware attack, featuring the Polar variant.



“There are extremely strong links to APT27 in terms of code similarities and TTPs,” the report noted. “This incident occurred at a time when COVID-19 was rampant across China with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising.”



The attack itself does not seem to have been particularly sophisticated. The initial vector was a third-party service provider that had itself been infected by a third party, and the attackers used Windows' own BitLocker encryption tool to lock down the targeted servers.



ASPXSpy was deployed for lateral movement, and PlugX and Clambling were loaded into memory using a Google Updater executable vulnerable to DLL side-loading. The popular open source tool Mimikatz was also used in the attack, and a publicly available exploit for CVE-2017-0213 was used to escalate privileges.



Gaming firms are an increasingly popular target among financially motivated attackers, according to new research released yesterday by Kela. The threat intelligence firm claimed to have discovered one million compromised internal accounts from gaming companies on the dark web, and 500,000 breached credentials belonging to employees.
