Study of the Bronze Union group (also known as APT27 or Emissary Panda) underscores how most advanced persistent threat (APT) groups now use administrative tools or slight variants of well-known tools.
State-sponsored attackers continued to be extremely active in 2018, with major groups from at least a dozen countries involved in operations against government, business, and civilian targets throughout the year, according to analyses by two security firms.
While advanced persistent threat (APT) groups have, in the past, often used custom frameworks to help compromise systems and exfiltrate data, current groups are just as likely to use open-source malware and legitimate administration tools as a way to avoid detection and attribution. In a report released this week, managed security service provider Secureworks highlighted one group—Bronze Union (aka APT27 and Emissary Panda)—as a good example of these tactics becoming more common among APT groups.
The group typically uses two open-source malware frameworks: ZxShell, a remote access trojan (RAT) released to the public in 2007, and Gh0st RAT, another popular framework used by criminal groups as well as espionage groups. The quality of readily available malware is high enough that nation-state groups have no problem incorporating it into their toolset, says Matt Webster, senior security researcher with Secureworks.
“There are other circumstances where the group may pull out the more advanced tools, but there are other situations where they are making decisions based on the environment they are in, so they often use tools that are less sophisticated,” he says.
Bronze Union, which is likely based in China, has focused on attacking defense-technology firms and their suppliers, as well as civilian groups that have a role in politics, Secureworks stated in its analysis.
“The past couple of years have really solidified that they have two broad camps of intent,” Webster says. “One side seems …
Author: Robert Lemos