BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain

Threats & Defenses
The following analysis was compiled and published to Threat Intelligence clients in November 2018. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about BRONZE VINEWOOD and its use of the HanaLoader malware and DropboxAES RAT, to increase visibility of the threat group’s activities.

In mid-2018, Secureworks® Counter Threat Unit™ (CTU) researchers identified targeted intrusion activity linked to BRONZE VINEWOOD (also known as APT31). BRONZE VINEWOODis a cyberespionage group of likely Chinese origin that targeted the U.S. legal sector in 2017 and government and defense supply chain networks in 2018. In 2018, BRONZE VINEWOOD demonstrated a range of capabilities to infect targeted systems, steal credentials, and move laterally in a compromised environment. The group used DLL search-order hijacking to run a malicious downloader tool that CTU™ researchers call HanaLoader.

In 2018 activity observed by CTU researchers, BRONZE VINEWOOD used signed legitimate executable files from multiple software producers (e.g., Oracle (unpack200.exe) and Norton (CcSEUPDT.exe)) to load malicious code. In one example, the threat actors used a legitimate Kaspersky executable (wmi32.exe, see Figure 1) to load a DLL file (MSVCR100.dll).

Figure 1. Legitimate wmi32.exe executable used to load MSVCR100.dll. (Source: Secureworks)

The exported functions from MSVCR100.dll pointed to the same address: the location of the functions used to decrypt and load the HanaLoader payload (see Figure 2).

Figure 2. Exports from MSVCR100.dll. (Source: Secureworks)

The HanaLoader payload was stored alongside the executable and malicious DLL in an encrypted zlib-compressed file called HefNcnDGGWgriiI (see Figure 3).

Figure 3. Three files used to run the HanaLoader payload. (Source: Secureworks)

Several strings in the HanaLoader payload suggest that the malware authors refer to the tool as HanaLoader (see Figure 4).

Figure 4. Strings identified in HanaLoader payload. (Source: Secureworks)

CTU researchers analyzed a 2017 version of HanaLoader, which was the likely payload in a BRONZE VINEWOOD campaign targeting U.S. legal organizations. Details included in the application manifest suggest that the authors may also refer to the tool as HanaGift (see Figure 5).

Figure 5. Application manifest for 2017 version of HanaLoader. (Source: Secureworks)

HanaLoader downloads and launches an additional payload from a remote resource over HTTPS. In the 2018 HanaLoader sample, the initial GET request contained the properties shown in Figure 6. The User-Agent string in this sample is historically associated with the HttpBrowser tool.

Figure 6. HanaLoader GET request. (Source: Secureworks)

The second-stage payload overwrites HanaLoader using process hollowing and continues to run in memory. BRONZE VINEWOOD has a suite of second-stage payloads that can be delivered through this technique, including a remote access trojan (RAT) that third-party researchers dubbed HanaRAT, Trochilus, and DropboxAES RAT.

After a second-stage RAT is deployed to a targeted system, the threat actors appear to use publicly available tools such as the Mimikatz credential-theft tool to escalate their privileges (see Figure 7).

Figure 7. Mimikatz arguments launched via legitimate signed Oracle executable. (Source: Secureworks)

BRONZE VINEWOOD leveraged native functionality such as net commands and scheduled tasks to move laterally within a compromised network (see Figure 8).

Figure 8. Net commands used by BRONZE VINEWOOD after deploying the RAT. (Source: Secureworks)

In examples observed by CTU researchers, BRONZE VINEWOOD demonstrated targeting intent toward individuals and systems involved in software development, suggesting a motive to steal from or interfere with software development processes and individuals who manage relationships with government organizations. CTU research suggests that organizations operating in government or defense supply chains are exposed to greater threat from targeted threat groups like BRONZE VINEWOOD. These organizations should consider the threat from these types of targeted attacks as part of their risk-management strategies and ensure that additional controls are applied to sensitive or high-risk datasets. Organizations should also implement monitoring strategies that detect known-good software executing from suspicious locations and detect behaviors associated with suspicious native tool use and privilege escalation activities (e.g., Mimikatz dumping LSASS process memory to extract credentials).

The threat indicators in Table 1 are associated with this activity. The domains may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context Domain name Hard-coded in HanaLoader sample
SHA256 hash Malicious DLL that launches HanaLoader
bc365affaf8b7e757f2117087234b0f8552b9fb5 SHA1 hash Malicious DLL that launches HanaLoader
1b2750795b31382307d91ede230a3579 MD5 hash Malicious DLL that launches HanaLoader
SHA256 hash BRONZE VINEWOOD encrypted loader DLL
HefNcnDGGWgriiI filename Encrypted zlib-compressed file containing HanaLoader
SHA256 hash Encrypted zlib-compressed file containing HanaLoader
74a5bfd32ca135424e6ef37c1fbb18f395e26b2c SHA1 hash Encrypted zlib-compressed file containing HanaLoader
7d05910c4a7091a8d5696306618980b7 MD5 hash Encrypted zlib-compressed file containing HanaLoader

Table 1. Indicators for this threat.

Products You May Like

Articles You May Like

5 common Ticketmaster scams: How fraudsters steal the show
Palo Alto Networks Patches Critical Flaw in Expedition Migration Tool
Smishing Triad Targets India with Fraud Surge
Understanding IoT security risks and how to mitigate them | Cybersecurity podcast
‘Konfety’ Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins

Leave a Reply

Your email address will not be published. Required fields are marked *