China-linked hacking group APT31 has been using new malware in recent attacks targeting Mongolia, Belarus, Canada, the United States, and — for the first time — Russia, according to enterprise cybersecurity firm Positive Technologies.
Also tracked as Judgment Panda, Zirconium, and Red Keres, APT31 is believed to be working on behalf of the Chinese government, conducting cyberespionage campaigns against targets of interest to the country.
In July 2021, the group was officially accused of targeting vulnerabilities in Microsoft Exchange servers, on behalf of China, and France warned of APT31’s continuous abuse of hacked routers in malicious attacks.
The group is believed to have launched at least 10 cyberattacks between January and July 2021, delivering a remote access Trojan (RAT) and mainly targeting entities in Mongolia, Russia, Belarus, Canada, and the United States.
According to Positive Technologies, it’s the first time this particular threat group has targeted Russia, and evidence suggests that at least some of the targets here were government organizations.
As part of the activity, the cyberspies employed a new malware dropper that leverages DLL sideloading to execute the malicious payload on the target machine (alongside the malicious library, the dropper deploys and executes on the compromised machine an application vulnerable to DLL sideloading).
The malicious library mimics the legitimate MSVCR100.dll file that Microsoft’s Visual Studio application uses, in an attempt to hide the nefarious activity.
During their investigation into the hacking group’s activities, Positive Technologies’ security researchers discovered several versions of the dropper, including one that downloads all files from the command and control server.
“It is also worth noting that in some cases, particularly during attacks on Mongolia, the dropper was signed with a valid digital signature,” the researchers say, assessing that the signature was most likely stolen.
The malicious library the dropper uses is responsible for fetching and executing the main payload.
Once deployed, the malware waits for commands from the server. Based on these, it can harvest information on drives, search for files, create a process, create a new stream, create a directory, or delete itself.
Given numerous similarities with the DropboxAES RAT that Secureworks previously attributed to APT31, Positive Technologies concluded that they were looking at a variant of the same malware, which showed only minor differences. However, no overlaps between the network infrastructures of the detected malware samples were observed.
“The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular. We believe that further instances will be revealed soon of this group being used in attacks,” Positive Technologies concludes.
Related: Chinese Hackers Cloned Equation Group Exploit Years Before Shadow Brokers Leak
Related: New Chinese Threat Group ‘GhostEmperor’ Targets Governments, Telecom Firms
Related: Finland IDs Hackers Linked to Parliament Spying Attack