A China-based threat actor known as Emperor Dragonfly, traditionally associated with state-sponsored espionage, has been observed using its sophisticated toolset in a recent ransomware attack.
In late 2024, security researchers at Symantec's Threat Hunter Team uncovered an attack targeting an Asian software and services company.
"During the attack in late 2024, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks," Symantec researchers stated.
This observation suggests a worrying overlap in which resources and techniques from state-backed espionage groups are potentially being repurposed for cybercriminal activity. While resource sharing among China-based espionage groups is not uncommon, the use of these sophisticated, often non-public tools in ransomware attacks is a notable and concerning development.
Further context comes from a July 2024 report by Palo Alto Networks' Unit 42, which tentatively connected Emperor Dragonfly (also known as Bronze Starlight) to the RA World ransomware operation.
From Long-Term Persistence to Rapid Encryption
Historically, Emperor Dragonfly has been associated with long-term espionage campaigns, and the toolset observed in those campaigns included:
- PlugX (Korplug) Backdoor: A specific variant of this well-known backdoor was deployed.
- DLL Sideloading: The backdoor was executed using a legitimate Toshiba executable (toshdpdb.exe) and a malicious DLL (toshdpapi.dll).
- NPS Proxy: A China-developed tool facilitating covert network communication was utilized.
- RC4-Encrypted Payloads: Various payloads were encrypted using the RC4 algorithm.
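The DLL sideloading pairing above lends itself to a simple telemetry check. As an added example (not code from Symantec or from the report), the following flags Sysmon "Image loaded" events in which toshdpdb.exe loads toshdpapi.dll from outside an assumed Toshiba install directory, or without a valid signature; the trusted directories and the sample events are assumptions constructed for illustration.

```python
# Added example, not from the original article: flag the DLL-sideloading
# pattern (toshdpdb.exe loading toshdpapi.dll) in Sysmon Event ID 7 records.
# Field names mirror Sysmon's schema; all sample events below are constructed.
import ntpath
from typing import Iterable

# Assumption: the genuine vendor binary lives under a Toshiba directory in
# Program Files; a copy of the pair anywhere else is treated as suspicious.
TRUSTED_DIRS = (r"c:\program files\toshiba", r"c:\program files (x86)\toshiba")
HOST_EXE = "toshdpdb.exe"
SIDELOADED_DLL = "toshdpapi.dll"


def is_trusted_dir(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(p.startswith(d) for d in TRUSTED_DIRS)


def is_suspicious_load(event: dict) -> bool:
    """True when toshdpdb.exe loads toshdpapi.dll from an untrusted location
    or the DLL does not carry a valid signature (SignatureStatus != "Valid")."""
    image = ntpath.basename(event.get("Image", "")).lower()
    loaded = event.get("ImageLoaded", "")
    if image != HOST_EXE or ntpath.basename(loaded).lower() != SIDELOADED_DLL:
        return False
    bad_location = not is_trusted_dir(loaded)
    bad_signature = event.get("SignatureStatus", "").lower() != "valid"
    return bad_location or bad_signature


def find_sideloads(events: Iterable[dict]) -> list[str]:
    """Return the ImageLoaded path of every event that matches the pattern."""
    return [e["ImageLoaded"] for e in events if is_suspicious_load(e)]


# Constructed sample events (Sysmon Event ID 7 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Toshiba\toshdpdb.exe",
     "ImageLoaded": r"C:\Program Files\Toshiba\toshdpapi.dll",
     "SignatureStatus": "Valid"},                     # benign: vendor path, signed
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\toshdpapi.dll",
     "SignatureStatus": "Unavailable"},               # sideload: user-writable dir
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "SignatureStatus": "Valid"},                     # unrelated load, ignored
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("suspicious sideload:", hit)
```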
However, in November 2024, the same Korplug payload was observed in an attack against a South Asian software company, but this time, it culminated in an RA World ransomware deployment.