Chinese Cyber-Spies Use Espionage Tools for Ransomware Side Hustle – Source: securityboulevard.com

Source: securityboulevard.com – Author: Jeffrey Burt

A ransomware attack last fall on an unnamed software and services company in Asia at the time seemed like a one-off extortion incident, with the bad actors stealing data, encrypting systems, and demanding a $2 million ransom.

However, Symantec researchers have linked the ransomware attack back to a spate of cyberespionage incidents by China-based groups against a foreign ministry in Europe and other targets, noting that a toolset was used in both the spying campaigns and the ransomware case.

The researchers suggested that the ransomware attackers were “moonlighting,” using the Chinese espionage toolset to grab some money for themselves.

“While tools associated with China-based espionage groups are often shared resources, many aren’t publicly available and aren’t usually associated with cybercrime activity,” the researcher with Symantec’s Threat Hunting Team wrote in a report. “The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit.”

The case dovetails with recent reports by threat analysts with Google’s Threat Analysis Group and its Mandiant subsidiary as well as others, like Trellix, that indicate the line between nation-state threat groups and financially motivated cybercriminals is disappearing. Adversarial countries like China, Russia, Iran, and North Korea are employing cybercriminals and their tools in espionage attacks against the United States and its allies.

The Ransomware Attack

According to Symantec, the hackers involved in the extortion campaign against the Asian company claimed they exploited a known security flaw – tracked as CVE-2024-0012 – in Palo Alto Networks’ PAN-OS firewall, grabbed administrative credentials from the company’s intranet, and stole Amazon S3 cloud credentials from its Veeam server. They used the access to steal data from the S3 buckets before encrypting the computers using the RA World ransomware.

They demanded a $2 million ransom, but said it would be reduced to $1 million if paid within three days.

According to Symantec, the bad actors used a Toshiba executable to sideload a malicious DLL that works as a loader: when executed, it searches for a highly obfuscated file and decrypts it. The decrypted payload is the same PlugX variant that the threat intelligence group saw in the espionage case involving the European foreign ministry and other espionage attacks.
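The sideloading pattern described above (a legitimate signed vendor executable loading a malicious DLL placed beside it) is something a hunting rule can surface from image-load telemetry. The following is an added example, not code from the article or from Symantec; the event fields are assumptions loosely modelled on Sysmon's ImageLoaded event, and the paths and file names are constructed.

```python
# Added example (not from the Security Boulevard article or Symantec's report):
# a hunting heuristic for DLL sideloading, run over constructed image-load
# events. Field names are assumptions loosely modelled on Sysmon Event ID 7
# (ImageLoaded); every path and file name below is invented.
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}


@dataclass
class ImageLoad:
    process_image: str      # executable that performed the load
    process_signed: bool    # Authenticode status of that executable
    image_loaded: str       # DLL that was mapped into the process
    image_signed: bool      # Authenticode status of the DLL


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Flag a signed executable loading an unsigned DLL from its own
    directory outside the Windows system folders: the classic sideloading
    shape (a vendor-signed binary plus a planted loader DLL)."""
    exe = PureWindowsPath(ev.process_image.lower())
    dll = PureWindowsPath(ev.image_loaded.lower())
    if dll.suffix != ".dll":
        return False
    same_dir = exe.parent == dll.parent
    in_system_dir = str(dll.parent) in SYSTEM_DIRS
    return ev.process_signed and not ev.image_signed and same_dir and not in_system_dir


def hunt(events):
    """Return the events worth an analyst's attention."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample events (hypothetical vendor updater plus a planted DLL,
# then two benign loads for contrast).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\tosh\TUpdater.exe", True,
              r"C:\Users\Public\tosh\version.dll", False),   # candidate
    ImageLoad(r"C:\Windows\System32\svchost.exe", True,
              r"C:\Windows\System32\version.dll", True),     # benign
    ImageLoad(r"C:\Program Files\Vendor\app.exe", True,
              r"C:\Program Files\Vendor\plugin.dll", True),  # benign, signed
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"sideload candidate: {hit.process_image} -> {hit.image_loaded}")
```

The signature check is the load-bearing part: a vendor binary that is signed but loads an unsigned DLL from its own folder is rare in normal operation and cheap to triage.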

The PlugX variant is a “custom backdoor that is not publicly available malware and is only associated with China-linked espionage actors. To date, it has never been used by actors based in other countries. Features of this variant included encrypted strings, dynamic API resolution, and control flow flattening.”

The Links

The compilation timestamps for the PlugX variant were the same as those in the Thor PlugX variant outlined by Palo Alto’s Unit 42 threat intelligence group several years ago that was linked to the China-based espionage group Mustang Panda, which also is known as Fireant and Earth Preta. There also are similarities to another variant, PlugX type 2, which was documented by Trend Micro and also was linked to Fireant.

The similarities included the configuration being encrypted using the same RC4 key and similar configuration structures, Symantec wrote.

There were other cyberespionage attacks that included the same PlugX variant in the following months, including one on another southeastern European government and a government ministry in Southeast Asia, both of which occurred in August 2024. In September, an attacker using the variant compromised a telecom operator, and last month a government ministry in another Southeast Asian country was attacked.

What’s Happening?

The Symantec researchers went through possibilities of what was behind a ransomware attack by a China-based espionage actor. The threat actor seems to have experience in ransomware, they said, noting that Palo Alto analysts found links in some attacks using RA World ransomware to Bronze Starlight – also known as Emperor Dragonfly – a China-based hacker that deploys various ransomware.

One of the tools used was the NPS proxy tool, which was developed by a China-based developer and has been used by Bronze Starlight previously. In addition, Bronze Starlight also was involved in attacks using ransomware like LockFile, AtomSilo, NightSky, and LockBit, according to SentinelOne.

However, “it is unclear why an actor who appears to be linked to espionage operations is also mounting a ransomware attack,” the Symantec researchers wrote. “While this is not unusual for North Korean threat actors to engage in financially motivated attacks to subsidize their operations, there is no similar history for China-based espionage threat actors, and there is no obvious reason why they would pursue this strategy.”

Other Possibilities

The ransomware could have been used to hide evidence of the intrusion or as a decoy to draw attention away from the espionage attacks. That said, the threat actor did little in the ransomware attack to cover up the tools they used that tie back to the cyber-spy incidents, and the Asian company was not a strategically significant organization and was something of an outlier compared to the espionage targets, they wrote.

Also, the attacker seems serious about squeezing a ransom out of the victim, corresponding with them for a while.

“This usually wouldn’t be the case if the ransomware attack was simply a diversion,” they wrote.

The most probable scenario is the moonlighting one, with a bad actor armed with a powerful toolkit launching a ransomware attack to collect some extra money.

Original Post URL: https://securityboulevard.com/2025/02/chinese-cyber-spies-use-espionage-tools-for-ransomware-side-hustle/

Category & Tags: Cloud Security, Cybersecurity, Data Security, Featured, Incident Response, Malware, Network Security, News, Security Boulevard (Original), Social – Facebook, Social – LinkedIn, Social – X, Spotlight, Threat Intelligence, Threats & Breaches, china espionage, PlugX, Ransomware