Secureworks reveals that China-based Bronze President hackers target Russian military personnel

Researchers from Secureworks Counter Threat Unit (CTU) revealed that the China-based Bronze President threat group had targeted Russian speakers with updated PlugX. The shift in targeting could reflect a change in China’s intelligence collection requirements due to the war in Ukraine.

“In March 2022, CTU researchers analyzed a malicious executable file masquerading as a Russian-language document. The filename is Благовещенск – Благовещенский пограничный отряд.exe (“Blagoveshchensk – Blagoveshchensk Border Detachment.exe”), but the default settings on Windows systems do not display the .exe file extension,” Secureworks said in a blog post on Wednesday. “The file uses a portable document file (PDF) icon for credibility. Blagoveshchensk is a Russian city close to the China border and is home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region,” it added.

The researchers revealed that the Bronze President threat group appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. Historically, the group has primarily focused on Southeast Asia, gathering political and economic intelligence valuable to the People’s Republic of China (PRC). “Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the PRC,” they added.

Secureworks said that Bronze President has been active since at least July 2018, and probably much longer. CTU researchers assess with high confidence that Bronze President is based in China and with moderate confidence that it is sponsored or at the very least tolerated by the Chinese government. The group has used proprietary and publicly available tools to compromise and collect data from non-governmental organizations (NGOs), creating multiple contingent access routes to maintain long-term access to compromised systems. 

Bronze President uses a range of tools, including Cobalt Strike, China Chopper, PlugX, and two tools believed to be unique to the group, dubbed RCSession and ORat. The group is also tracked as HoneyMyte, Mustang Panda, Red Lich, and Temp.Hex. The file analyzed in this campaign is a “heavily obfuscated executable file” that “downloads additional files from a staging server at 107.178.71.211,” CTU researchers said.

Secureworks said that government-sponsored threat actors collect intelligence to benefit their country, and changes to the political landscape can impact the collection requirements. “The war in Ukraine has prompted many countries to deploy their cyber capabilities to gain insight about global events, political machinations, and motivations. This desire for situational awareness often extends to collecting intelligence from allies and ‘friends,’ which could explain why Secureworks Counter Threat Unit (CTU) researchers detected what appears to be an attempt by China to deploy advanced malware to computer systems of Russian officials,” it added.

The executable file displays the decoy document to the victim, and the document is written in English and appears to be legitimate, although CTU researchers were unable to locate the source, Secureworks said. “It describes the migratory pressure and asylum applications in countries that border Belarus (Lithuania, Latvia, and Poland) and discusses European Union (EU) sanctions against Belarus at the beginning of March 2022. CTU researchers are unclear why a file with a Russian filename downloads an English-language document,” the post added. 

“The other three files downloaded from the staging server are typical of the China-based Bronze President threat group’s use of DLL search order hijacking to execute PlugX malware payloads,” the researchers said. In addition, the inclusion of a ping command with the ‘-n 70’ option adds a significant delay before the legitimate signed file is executed. They noted that the IP address used as the ping target belongs to Google’s public DNS service.

The researchers also identified that the legitimate signed file originates from UK-based Global Graphics Software Ltd. “Because it is vulnerable to DLL search order hijacking, it imports the malicious DocConvDll.dll DLL loader. This DLL exports eight functions, several of which use seemingly random names and contain no useful instructions. The only export called by the parent executable is createSystemFontsUsingEDL,” they added.

To mitigate exposure to Bronze President activity, CTU researchers recommend that organizations use available controls to review and restrict access using the published indicators, noting that IP addresses can be reallocated. Additionally, the domains, IP addresses, and URLs may contain malicious content, so organizations should consider the risks before opening them in a browser.

Last week, global security agencies issued a joint Cybersecurity Advisory (CSA) warning organizations that the Russian invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber hackers or Russian-aligned cybercrime groups. 

The advisory provides technical details on malicious cyber operations by hackers from the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM).
