SentinelLabs finds Russian organizations increasingly under attack by Chinese APTs using Bisonal RAT

SentinelLabs has identified a new cluster of threat activity targeting Russian organizations, which are increasingly under attack by Chinese APTs. The attacks use phishing emails to deliver malicious Office documents that exploit the target's system and install the actor's RAT of choice, most commonly ‘Bisonal.’ 

The firm also assesses ‘with high confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA).’ 

Last month, SentinelOne pointed to the CERT-UA public release Alert #4860, which contains a collection of documents built with the Royal Road malicious document builder, themed around Russian government interests. “SentinelLabs has conducted further analysis of CERT-UA’s findings and has identified supplemental Chinese threat activity,” it added.

“China’s recent intelligence objectives against Russia can be observed in multiple campaigns following the invasion of Ukraine, such as Scarab, Mustang Panda, Space Pirates, and now the findings here,” Tom Hegel, senior threat researcher at SentinelOne, wrote in a blog post on Thursday. “Our analysis indicates this is a separate Chinese campaign, but specific actor attribution is unclear at this time. While the overlap of publicly reported actor names inevitably muddies the picture, it remains clear that the Chinese intelligence apparatus is targeting a wide range of Russian-linked organizations,” he added. 

“Our findings currently offer only an incomplete picture of this threat cluster’s phishing activity, but they serve to provide perspective into an attacker’s ongoing operational objectives and a framework for our ongoing research,” Hegel added.

The SentinelOne report said that Ukraine’s CERT-UA reported several RTF documents containing malicious code exploiting one or more vulnerabilities in MS Office. “CERT-UA assessed that the documents ‘Vnimaniyu.doc,’ ‘17.06.2022_Protokol_MRG_Podgruppa_IB.doc,’ and ‘remarks table 20.06.2022_obraza,’ were likely built with the Royal Road builder and dropped the Bisonal backdoor. Royal Road is a malicious document builder used widely by Chinese APT groups, while Bisonal is a backdoor RAT unique to Chinese threat actors,” it added.

Cisco Talos said in research last year that the group behind Bisonal used multiple lure documents to entice victims to open them and thereby become infected with the Bisonal malware. “This group has continued its operations for over a decade and they continue to evolve their malware to avoid detection. Bisonal primarily used spear phishing to obtain a foothold within their victims’ networks. Their campaigns had very specific targets which would suggest their end game was more around operational intelligence gathering and espionage,” it added.

The CERT-UA advisory followed public reporting from nao_sec and Malwarebytes, who identified some of the first indicators and shared related samples and C2 servers. Building off this initial intelligence, SentinelLabs discovered a further related cluster of activity. 

“As we have observed over the years, Royal Road documents follow content themes relevant to their targets. Following that practice, it’s reasonable to assume that the targets in this recent cluster of activity are likely Russian government organizations,” Hegel wrote in the post.

SentinelOne assessed that the collection of files and infrastructure noted above could be considered related to the Tonto Team APT group (aka ‘CactusPete’, ‘Earth Akhlut’), a Chinese threat group that has been reported on for nearly ten years. “However, we assess that link with only medium confidence due to the potential for shared attacker resources that could muddy attribution based on the currently available data. Known targets span the globe, with a particular interest in Northeast Asia, including governments, critical infrastructure, and other private businesses,” it added.

The attacker continues their long history of Russian targeting; however, the rate of Russian and Russia-relevant targets in recent weeks may indicate increased prioritization. “There are multiple connections of this activity to Chinese threat actors. As noted above, the documents are built with a commonly known malicious document builder used widely by Chinese APT groups, the shared toolkit often referred to as the ‘Royal Road’ or the ‘8.t’ builder,” it added.

These documents often contain metadata indicating that the document creator’s operating system was configured for Simplified Chinese, a trait SentinelOne says it also observed in its previous analysis of Scarab APT activity.
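The creator-locale trait described above is something a defender can check for in bulk. The following triage script is an added example, not code from SentinelLabs or the report: it reads the RTF control words that record a document's default language (`\deflang`, `\deflangfe`, LCID 2052 being zh-CN) and code page (`\ansicpg`, 936 being GBK), and counts embedded OLE objects. The RTF sample is constructed here and is not one of the documents named in the advisory; the function names are the example's own.

```python
import re

# LCIDs from the RTF spec's \deflang / \deflangfe / \lang control words; 2052 is zh-CN.
LCID_NAMES = {1033: "en-US", 1049: "ru-RU", 1028: "zh-TW", 2052: "zh-CN"}

# Constructed sample (not a real document from the report): an RTF whose default
# language and code page are Simplified Chinese, whose visible text run is marked
# Russian, and which carries one embedded OLE object flagged for automatic update.
SAMPLE_RTF = rb"""{\rtf1\ansi\ansicpg936\deff0\deflang2052\deflangfe2052
{\fonttbl{\f0\fnil\fcharset134 SimSun;}}
\pard\lang1049\f0\fs24 \u1042?\u1085?\u1080?\u1084?\u1072?\u1085?\u1080?\u1102?
{\object\objemb\objupdate{\*\objclass Package}{\*\objdata 0105000002000000}}
\par}"""

# Longest alternative first so \deflangfe is not consumed as \deflang.
LANG_RE = re.compile(rb"\\(deflangfe|deflang|lang)(\d+)")
CODEPAGE_RE = re.compile(rb"\\ansicpg(\d+)")


def extract_languages(rtf: bytes) -> dict:
    """Return the document-level default LCIDs and the set of run-level LCIDs."""
    found = {"deflang": None, "deflangfe": None, "lang": set()}
    for m in LANG_RE.finditer(rtf):
        key, lcid = m.group(1).decode(), int(m.group(2))
        if key == "lang":
            found["lang"].add(lcid)
        else:
            found[key] = lcid
    return found


def triage_rtf(rtf: bytes) -> dict:
    """Summarise the creator-locale and embedded-object traits a defender looks at."""
    langs = extract_languages(rtf)
    defaults = {l for l in (langs["deflang"], langs["deflangfe"]) if l is not None}
    cp = CODEPAGE_RE.search(rtf)
    codepage = int(cp.group(1)) if cp else None
    return {
        "codepage": codepage,
        "default_languages": sorted(LCID_NAMES.get(l, str(l)) for l in defaults),
        "run_languages": sorted(LCID_NAMES.get(l, str(l)) for l in langs["lang"]),
        # The trait noted in the report: a Simplified Chinese authoring environment.
        "creator_simplified_chinese": 2052 in defaults or codepage == 936,
        "embedded_objects": rtf.count(b"\\objdata"),
        "auto_update_objects": rtf.count(b"\\objupdate"),
    }


if __name__ == "__main__":
    for key, value in triage_rtf(SAMPLE_RTF).items():
        print(f"{key}: {value}")
```

A Simplified Chinese default locale on a document whose visible text is Russian is only a weak signal on its own; treat it as one triage feature alongside the presence of auto-updating embedded objects.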

The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which, as noted by CERT-UA, is unique to Chinese groups, including Tonto Team, Hegel wrote. “Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control. Additionally, the collection of C2 infrastructure associated with these various samples falls under a larger umbrella of known Chinese APT activity,” he added.

SentinelLabs has also identified associated activity targeting telecommunication organizations in Pakistan leveraging similar attack techniques. The firm identified that one file uploaded to VirusTotal from Pakistan is a May 2022 email message file to the Pakistan Telecommunication Authority, sent from a potentially compromised account in the Cabinet Division of the Pakistani government. This email contains the Royal Road attachment ‘Please help to Check.doc,’ dropping and beaconing outbound to instructor.giize[.]com (198.13.56[.]122).

In conclusion, SentinelOne assesses with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. “Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods: the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations. Overall, the objectives of these attacks appear espionage-related, but the broader context remains unavailable from our standpoint of external visibility,” it added.

Last month, SentinelOne researchers revealed the presence of Aoqin Dragon, a threat actor that SentinelLabs has been tracking extensively and that has been operating since 2013. The targeting of Aoqin Dragon closely aligns with the Chinese government’s political interests, with attacks on government, education, and telecommunication organizations in Southeast Asia and Australia.
