BRONZE VINEWOOD Uses HanaLoader to Target Government Supply Chain

Threats & Defenses
The following analysis was compiled and published to Threat Intelligence clients in November 2018. The Secureworks® Counter Threat Unit™ (CTU) research team is publicly sharing insights about BRONZE VINEWOOD and its use of the HanaLoader malware and DropboxAES RAT, to increase visibility of the threat group’s activities.

In mid-2018, Secureworks® Counter Threat Unit™ (CTU) researchers identified targeted intrusion activity linked to BRONZE VINEWOOD (also known as APT31). BRONZE VINEWOODis a cyberespionage group of likely Chinese origin that targeted the U.S. legal sector in 2017 and government and defense supply chain networks in 2018. In 2018, BRONZE VINEWOOD demonstrated a range of capabilities to infect targeted systems, steal credentials, and move laterally in a compromised environment. The group used DLL search-order hijacking to run a malicious downloader tool that CTU™ researchers call HanaLoader.

In 2018 activity observed by CTU researchers, BRONZE VINEWOOD used signed legitimate executable files from multiple software producers (e.g., Oracle (unpack200.exe) and Norton (CcSEUPDT.exe)) to load malicious code. In one example, the threat actors used a legitimate Kaspersky executable (wmi32.exe, see Figure 1) to load a DLL file (MSVCR100.dll).

Figure 1. Legitimate wmi32.exe executable used to load MSVCR100.dll. (Source: Secureworks)

The exported functions from MSVCR100.dll pointed to the same address: the location of the functions used to decrypt and load the HanaLoader payload (see Figure 2).


Figure 2. Exports from MSVCR100.dll. (Source: Secureworks)

The HanaLoader payload was stored alongside the executable and malicious DLL in an encrypted zlib-compressed file called HefNcnDGGWgriiI (see Figure 3).


Figure 3. Three files used to run the HanaLoader payload. (Source: Secureworks)

Several strings in the HanaLoader payload suggest that the malware authors refer to the tool as HanaLoader (see Figure 4).

Figure 4. Strings identified in HanaLoader payload. (Source: Secureworks)

CTU researchers analyzed a 2017 version of HanaLoader, which was the likely payload in a BRONZE VINEWOOD campaign targeting U.S. legal organizations. Details included in the application manifest suggest that the authors may also refer to the tool as HanaGift (see Figure 5).

Figure 5. Application manifest for 2017 version of HanaLoader. (Source: Secureworks)

HanaLoader downloads and launches an additional payload from a remote resource over HTTPS. In the 2018 HanaLoader sample, the initial GET request contained the properties shown in Figure 6. The User-Agent string in this sample is historically associated with the HttpBrowser tool.

Figure 6. HanaLoader GET request. (Source: Secureworks)

The second-stage payload overwrites HanaLoader using process hollowing and continues to run in memory. BRONZE VINEWOOD has a suite of second-stage payloads that can be delivered through this technique, including a remote access trojan (RAT) that third-party researchers dubbed HanaRAT, Trochilus, and DropboxAES RAT.

After a second-stage RAT is deployed to a targeted system, the threat actors appear to use publicly available tools such as the Mimikatz credential-theft tool to escalate their privileges (see Figure 7).


Figure 7. Mimikatz arguments launched via legitimate signed Oracle executable. (Source: Secureworks)

BRONZE VINEWOOD leveraged native functionality such as net commands and scheduled tasks to move laterally within a compromised network (see Figure 8).

Figure 8. Net commands used by BRONZE VINEWOOD after deploying the RAT. (Source: Secureworks)

In examples observed by CTU researchers, BRONZE VINEWOOD demonstrated targeting intent toward individuals and systems involved in software development, suggesting a motive to steal from or interfere with software development processes and individuals who manage relationships with government organizations. CTU research suggests that organizations operating in government or defense supply chains are exposed to greater threat from targeted threat groups like BRONZE VINEWOOD. These organizations should consider the threat from these types of targeted attacks as part of their risk-management strategies and ensure that additional controls are applied to sensitive or high-risk datasets. Organizations should also implement monitoring strategies that detect known-good software executing from suspicious locations and detect behaviors associated with suspicious native tool use and privilege escalation activities (e.g., Mimikatz dumping LSASS process memory to extract credentials).

The threat indicators in Table 1 are associated with this activity. The domains may contain malicious content, so consider the risks before opening them in a browser.

Indicator Type Context
wshnews.com Domain name Hard-coded in HanaLoader sample
462be075b591547fefb54d2f95930ef674b4bfa
4c2cafbf6b90e6741274cfe85
SHA256 hash Malicious DLL that launches HanaLoader
bc365affaf8b7e757f2117087234b0f8552b9fb5 SHA1 hash Malicious DLL that launches HanaLoader
1b2750795b31382307d91ede230a3579 MD5 hash Malicious DLL that launches HanaLoader
c1f02f8bc3c391e576c9cda626a9eb81c4b2fe063c
c80de592d9ce999478eeaa
SHA256 hash BRONZE VINEWOOD encrypted loader DLL
HefNcnDGGWgriiI filename Encrypted zlib-compressed file containing HanaLoader
71d30d6cf37d5d0fcb2e9a9061fde20f6
2683a6be91e52abc5f665e5ec021cf3
SHA256 hash Encrypted zlib-compressed file containing HanaLoader
74a5bfd32ca135424e6ef37c1fbb18f395e26b2c SHA1 hash Encrypted zlib-compressed file containing HanaLoader
7d05910c4a7091a8d5696306618980b7 MD5 hash Encrypted zlib-compressed file containing HanaLoader

Table 1. Indicators for this threat.

Products You May Like

Leave a Reply

Your email address will not be published. Required fields are marked *