APT31 gathers intelligence from Russia, Mongolia, the United States, and other countries using new malware

Aug 4, 2021 14:57 GMT  ·  By

Security researchers at Positive Technologies found that a suspected Chinese threat actor carried out a series of ten attacks on targets in the United States, Canada, Belarus, Mongolia, and Russia between the start of the year and last month, The Hacker News reports. The attacks dropped a remote access Trojan (RAT) on the targeted systems.

APT31, also known as Bronze Vinewood, Judgement Panda, and Zirconium, is the group associated with the intrusions. Researchers assess it to be a Chinese state-sponsored cyber-espionage actor that gathers intelligence in support of the Chinese government and state-owned enterprises.

The attacks used a new dropper that contains a downloader: it fetches encrypted next-stage payloads from a remote command-and-control server, then decodes and executes them. The resulting malware can exfiltrate sensitive data, perform file operations, and remove itself from the infected system.

The self-delete command wipes the malware's registry keys and files with a batch script

While examining the self-delete command, Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov noted that it writes a .bat file which erases every registry key and file the malware created during installation, leaving few traces on the disk or in the registry. Responders should keep in mind that such cleanup only removes artifacts the malware itself knows about; it does not scrub Windows event logs, Prefetch entries, or other records of the executable having run, which is where evidence of the intrusion is most likely to survive.
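One way to hunt for the cleanup sequence described above is to correlate three things that normally do not occur together: a process writes a .bat file, cmd.exe launches that .bat as a child of the writer, and the writer's own executable is then deleted by that cmd.exe, with a reg.exe delete spawned in between as a secondary signal. The following is an added example for this article, not code from Positive Technologies, The Hacker News, or the malware; the event shapes are simplified Sysmon-style records (EID 1 process create, EID 11 file create, EID 23 file delete), and every path, PID and registry value name in the sample is constructed.

```python
"""Correlate a batch-file self-delete sequence in simplified Sysmon-style events.

Added illustration for the APT31 article; not the malware's script and not
code from Positive Technologies. Event records are constructed and simplified
(EID 1 process create, EID 11 file create, EID 23 file delete); all paths,
PIDs and the Run-key value name are hypothetical.
"""


def find_bat_self_delete(events, window=60):
    """Return one hit per process that wrote a .bat file, had cmd.exe run it,
    and then had its own image deleted by that cmd.exe within `window` seconds.
    Each hit records whether the batch run also spawned `reg.exe delete`,
    mirroring the registry wipe the researchers described."""
    bat_writers = {}   # lowercase .bat path -> (writer pid, writer image, ts)
    bat_runs = {}      # cmd.exe pid -> details of the batch launch
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["id"] == 11 and e["target"].lower().endswith(".bat"):
            # A process created a batch file; remember who wrote it.
            bat_writers[e["target"].lower()] = (e["pid"], e["image"], e["ts"])
        elif e["id"] == 1:
            image = e["image"].lower()
            cmdline = e["cmdline"].lower()
            if image.endswith("\\cmd.exe"):
                # cmd.exe launched by the writer, running the .bat it wrote.
                for bat, (wpid, wimage, wts) in bat_writers.items():
                    if bat in cmdline and e["ppid"] == wpid and e["ts"] - wts <= window:
                        bat_runs[e["pid"]] = {"writer": wimage, "bat": bat,
                                              "ts": e["ts"], "reg_delete": False}
            elif image.endswith("\\reg.exe") and e["ppid"] in bat_runs:
                # reg.exe spawned from the batch run; flag delete operations.
                if cmdline.split()[1:2] == ["delete"]:
                    bat_runs[e["ppid"]]["reg_delete"] = True
        elif e["id"] == 23:
            # The batch run's cmd.exe deleted the writer's own executable.
            run = bat_runs.get(e["pid"])
            if (run and e["target"].lower() == run["writer"].lower()
                    and e["ts"] - run["ts"] <= window):
                hits.append({"dropper": run["writer"], "bat": run["bat"],
                             "cmd_pid": e["pid"], "registry_wiped": run["reg_delete"]})
    return hits


# Constructed sample telemetry (not real events). First block: the self-delete
# chain. Second block: an installer that writes and runs a .bat but is never
# deleted, which must not be flagged.
SAMPLE_EVENTS = [
    {"id": 1, "ts": 100, "pid": 4120, "ppid": 812,
     "image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "cmdline": r'"C:\Users\u\AppData\Roaming\svchost.exe"'},
    {"id": 11, "ts": 105, "pid": 4120,
     "image": r"C:\Users\u\AppData\Roaming\svchost.exe",
     "target": r"C:\Users\u\AppData\Local\Temp\clean.bat"},
    {"id": 1, "ts": 106, "pid": 4131, "ppid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\clean.bat"'},
    {"id": 1, "ts": 107, "pid": 4140, "ppid": 4131,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /f"},
    {"id": 23, "ts": 108, "pid": 4131,
     "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"id": 11, "ts": 200, "pid": 5000,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Temp\post.bat"},
    {"id": 1, "ts": 201, "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Temp\post.bat"},
]


if __name__ == "__main__":
    for hit in find_bat_self_delete(SAMPLE_EVENTS):
        print(hit)
```

Requiring all three links in the chain is what keeps this quiet in practice: installers write and run .bat files all the time, and file deletions alone are noise, but a process that arranges for its own image to be removed by a batch script it just wrote is rare outside malware and uninstallers. The registry wipe is recorded as a secondary signal rather than a requirement because the article does not say which keys the malware removes.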

The malware closely resembles DropboxAES RAT, a Trojan the same group deployed last year that used Dropbox for its command-and-control (C2) communications. The two share many of the techniques and mechanisms used to deliver the payload, achieve persistence, and remove the spy tool afterwards.

These links between the newly discovered samples and earlier ones, including those found in 2020, point to a broadening of the group's interests: its targeting now extends to countries where its activity had not been observed before.