In mid-2018, Secureworks® Counter Threat Unit™ (CTU) researchers identified targeted intrusion activity linked to BRONZE VINEWOOD (also known as APT31). BRONZE VINEWOODis a cyberespionage group of likely Chinese origin that targeted the U.S. legal sector in 2017 and government and defense supply chain networks in 2018. In 2018, BRONZE VINEWOOD demonstrated a range of capabilities to infect targeted systems, steal credentials, and move laterally in a compromised environment. The group used DLL search-order hijacking to run a malicious downloader tool that CTU™ researchers call HanaLoader.
In 2018 activity observed by CTU researchers, BRONZE VINEWOOD used signed legitimate executable files from multiple software producers (e.g., Oracle (unpack200.exe) and Norton (CcSEUPDT.exe)) to load malicious code. In one example, the threat actors used a legitimate Kaspersky executable (wmi32.exe, see Figure 1) to load a DLL file (MSVCR100.dll).
Figure 1. Legitimate wmi32.exe executable used to load MSVCR100.dll. (Source: Secureworks)
The exported functions from MSVCR100.dll pointed to the same address: the location of the functions used to decrypt and load the HanaLoader payload (see Figure 2).
Figure 2. Exports from MSVCR100.dll. (Source: Secureworks)
The HanaLoader payload was stored alongside the executable and malicious DLL in an encrypted zlib-compressed file called HefNcnDGGWgriiI (see Figure 3).
Figure 3. Three files used to run the HanaLoader payload. (Source: Secureworks)
Several strings in the HanaLoader payload suggest that the malware authors refer to the tool as HanaLoader (see Figure 4).
Figure 4. Strings identified in HanaLoader payload. (Source: Secureworks)
CTU researchers analyzed a 2017 version of HanaLoader, which was the likely payload in a BRONZE VINEWOOD campaign targeting U.S. legal organizations. Details included in the application manifest suggest that the authors may also refer to the tool as HanaGift (see Figure 5).
Figure 5. Application manifest for 2017 version of HanaLoader. (Source: Secureworks)
HanaLoader downloads and launches an additional payload from a remote resource over HTTPS. In the 2018 HanaLoader sample, the initial GET request contained the properties shown in Figure 6. The User-Agent string in this sample is historically associated with the HttpBrowser tool.
Figure 6. HanaLoader GET request. (Source: Secureworks)
The second-stage payload overwrites HanaLoader using process hollowing and continues to run in memory. BRONZE VINEWOOD has a suite of second-stage payloads that can be delivered through this technique, including a remote access trojan (RAT) that third-party researchers dubbed HanaRAT, Trochilus, and DropboxAES RAT.
After a second-stage RAT is deployed to a targeted system, the threat actors appear to use publicly available tools such as the Mimikatz credential-theft tool to escalate their privileges (see Figure 7).
Figure 7. Mimikatz arguments launched via legitimate signed Oracle executable. (Source: Secureworks)
BRONZE VINEWOOD leveraged native functionality such as net commands and scheduled tasks to move laterally within a compromised network (see Figure 8).
Figure 8. Net commands used by BRONZE VINEWOOD after deploying the RAT. (Source: Secureworks)
In examples observed by CTU researchers, BRONZE VINEWOOD demonstrated targeting intent toward individuals and systems involved in software development, suggesting a motive to steal from or interfere with software development processes and individuals who manage relationships with government organizations. CTU research suggests that organizations operating in government or defense supply chains are exposed to greater threat from targeted threat groups like BRONZE VINEWOOD. These organizations should consider the threat from these types of targeted attacks as part of their risk-management strategies and ensure that additional controls are applied to sensitive or high-risk datasets. Organizations should also implement monitoring strategies that detect known-good software executing from suspicious locations and detect behaviors associated with suspicious native tool use and privilege escalation activities (e.g., Mimikatz dumping LSASS process memory to extract credentials).
The threat indicators in Table 1 are associated with this activity. The domains may contain malicious content, so consider the risks before opening them in a browser.
|wshnews.com||Domain name||Hard-coded in HanaLoader sample|
|SHA256 hash||Malicious DLL that launches HanaLoader|
|bc365affaf8b7e757f2117087234b0f8552b9fb5||SHA1 hash||Malicious DLL that launches HanaLoader|
|1b2750795b31382307d91ede230a3579||MD5 hash||Malicious DLL that launches HanaLoader|
|SHA256 hash||BRONZE VINEWOOD encrypted loader DLL|
|HefNcnDGGWgriiI||filename||Encrypted zlib-compressed file containing HanaLoader|
|SHA256 hash||Encrypted zlib-compressed file containing HanaLoader|
|74a5bfd32ca135424e6ef37c1fbb18f395e26b2c||SHA1 hash||Encrypted zlib-compressed file containing HanaLoader|
|7d05910c4a7091a8d5696306618980b7||MD5 hash||Encrypted zlib-compressed file containing HanaLoader|
Table 1. Indicators for this threat.