Chinese APT Bronze President Mounts Spy Campaign on Russian Military

The war in Ukraine appears to have triggered a change in mission for the APT known as Bronze President (aka Mustang Panda).

China’s tacit support for Russia’s war in Ukraine apparently doesn’t preclude likely China-backed cyber actors from mounting espionage campaigns on the Russian military.

Researchers from SecureWorks Counter Threat Unit this week said they recently discovered malware that suggests the advanced persistent threat (APT) known as Bronze President (aka Mustang Panda) is now targeting Russian military personnel and officials. The security vendor described the effort as an example of how political changes can push countries into new territory for surreptitious information-gathering efforts, even against friends and allies.

Cyberespionage Campaign Delivers PlugX
According to the report, the heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia’s 56th Blagoveshchenskiy Red Banner Border Guard Detachment (which is deployed near Russia’s border with China). The file is designed so that default Windows settings do not display its .exe extension, Secureworks said.

Secureworks also explained that the executable file displays a decoy document written in English, though the filename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum applications and migratory pressure in the three countries that border Belarus — Poland, Lithuania, and Latvia. The content also includes commentary on European Union sanctions against Belarus for its role in the war in Ukraine.

When executed, the file downloads three additional files from a staging server. One of them is a legitimate signed file from Global Graphics Software, a UK-based firm. The file uses DLL search-order hijacking to import an updated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with the Bronze President.

“DLL search-order hijacking has been around for years,” says Mike McLellan, director of intelligence at Secureworks. “It’s a well-known technique by threat actors in which they maliciously use a legitimate executable file, often from a well-known vendor, together with a malicious library file (DLL), to load and execute an encrypted malware payload.”

Threat actors use the technique because it ensures that the malicious payload file on a compromised system is never sitting around on disk in a manner that scanners and anti-malware can detect.

“This technique has been a staple of several China-nexus threat groups for many years,” McLellan says.

As part of the attack chain, the threat actors have also included a ping command that adds a significant delay before executing the legitimate signed file, Secureworks said — a generic evasion technique to introduce a time lag while files are downloaded to the victim. Read more:

You can also read this: Chinese Hacker Groups Continue to Target Indian Power Grid Assets

Leave a Reply

Your email address will not be published. Required fields are marked *