A Peek into BRONZE UNION’s Toolbox

Summary

Secureworks® Counter Threat Unit™ (CTU) researchers have tracked the activities of the BRONZE UNION threat group (also known as Emissary Panda, APT 27, and LuckyMouse) since 2013. CTU™ analysis suggests that BRONZE UNION is located in the People's Republic of China. The threat group has historically leveraged a variety of publicly available and self-developed tools to gain access to targeted networks in pursuit of its political and military intelligence-collection objectives.

Breathing new life into old tools

In 2018, CTU researchers identified evidence of BRONZE UNION leveraging tools that have been publicly available for years. However, the variants used in 2018 included updated code.

ZxShell games

In mid-2018, CTU researchers observed BRONZE UNION deploying an updated version of the ZxShell remote access trojan (RAT). ZxShell was developed in 2006 by the persona "LZX", who then publicly released the source code in 2007. Although various threat actors have created different variations of the RAT, the version used by BRONZE UNION in 2018 contained some previously unobserved properties that suggest the threat group's capabilities continue to evolve:

• The malware embedded the well-known HTran packet redirection tool.
• The malware was signed with digital certificates that were signed by Hangzhou Shunwang Technology Co., Ltd (Serial: 29 f7 33 6f 60 92 3a f0 3e 31 f2 a5) and Shanghai Hintsoft Co., Ltd. (Serial: 09 89 c9 78 04 c9 3e c0 00 4e 28 43). These certificates are not exclusively used by BRONZE UNION but may indicate BRONZE UNION activity.

Figure 1 shows a session captured by Red Cloak™ where a BRONZE UNION threat actor launched a remote shell using ZxShell.

Figure 1. BRONZE UNION threat actor session. (Source: Secureworks)

"You look like you've seen a Gh0st RAT"

Like ZxShell, publicly available Gh0st RAT source code led to the emergence of several different variants. In a 2018 campaign, BRONZE UNION likely deployed modified Gh0st RAT malware to multiple systems within a compromised environment that were important to the threat actors' objective. When executed with administrator privileges, the Gh0st RAT binary file was written to %System%\FastUserSwitchingCompatibilitysex.dll. The installer then created a Windows service and associated service dynamic link library (DLL) chosen from the names listed in Table 1.

Table 1. Service names and DLLs used by Gh0st RAT.

This Gh0st RAT sample communicated with IP address 43 . 242 . 35 . 16 on TCP port 443, although the traffic is a custom binary protocol and not HTTPS. The malware author also modified the standard Gh0st RAT headers to obfuscate the network traffic (see Figure 2).

Figure 2. Gh0st RAT network traffic. (Source: Secureworks)

Bytes 0-4, which are typically known as the Gh0st RAT "identifier," are randomized in this case. Bytes 5-8 indicate the packet size, and bytes 9-12 indicate the zlib-decompressed packet size. In a departure from previous Gh0st RAT versions, the five bytes at the end of this packet are an XOR key, which must be applied to the packet data before the zlib decompression can be performed. The XOR key is different for each execution of the malware. Once the packet is decoded and decompressed, the data shown in Figure 3 is visible.

Figure 3. Decoded Gh0st RAT check-in packet. (Source: Secureworks)

The first byte of Figure 3 shows the value 0x66, which is the Gh0st RAT code for "login". After sending the initial phone-home request, Gh0st RAT exchanges 22-byte 'command' packets with its command and control (C2) server. Once again, the first five bytes are randomized and the zlib-compressed part of the packet is XOR-encoded, but the same identifiable structure remains. In the example command packet shown in Figure 4, the first five bytes are the randomized header and the next eight bytes show the compressed and uncompressed size of the data. The XOR key for this packet is 0x7c.

Figure 4. Gh0st RAT command packet. (Source: Secureworks)

Creating custom solutions

In addition to publicly available tools, BRONZE UNION has also used proprietary remote access tools such as SysUpdate and HyperBro since 2016. Despite self-developed tools generally benefitting from lower detection rates than publicly available tools, the threat actors appear to use their own tools more sparingly after securing consistent network access.

SysUpdate is a multi-stage malware used exclusively by BRONZE UNION. It has been delivered by multiple methods. In one instance observed by CTU researchers, it was downloaded by a malicious Word document using the Dynamic Data Exchange (DDE) embedded command method. In another incident, the threat actor manually deployed SysUpdate via previously stolen credentials after gaining access to the environment. In a third case, it was delivered via a redirect from a strategic web compromise (SWC). Regardless of the delivery method, the payload is a WinRAR self-extracting (SFX) file that installs the SysUpdate stage 1 payload.

The stage 1 payload is responsible for the following tasks:

• installing the stage 1 malware through DLL search-order hijacking
• setting up persistence by configuring either a registry Run key (see Figure 5) or an "Own Process" Windows service depending on privileges available at the time of installation
• contacting a C2 server to retrieve and install a second malware payload

Figure 5. SysUpdate user-level Run key. (Source: Secureworks)

SysUpdate stage 1 has no capability beyond downloading the second payload file, SysUpdate Main (see Figure 6).

Figure 6. SysUpdate stage 1 installation process. (Source: Secureworks)

SysUpdate Main employs HTTP communications and uses the hard-coded User-Agent "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36". It downloads a file named m.bin using the HTTP GET method and injects this file into a new svchost.exe process without saving the file to disk. After performing this download, SysUpdate Main reverts to its binary protocol for any additional commands from the C2 server, beaconing every three minutes. The SysUpdate Main file analyzed by CTU researchers included remote access capabilities such as managing files and processes, launching a command shell, interacting with services, taking screenshots, and uploading and downloading additional malware payloads.

SysUpdate is flexible malware, as capabilities can be easily introduced and withdrawn by supplying a new payload file. The operator could remove second-stage capabilities at any time and revert to the first stage by supplying a replacement payload file. By withdrawing second-stage payloads when not in use, operators can limit exposure of their full capabilities if the malicious activity is detected.

Conclusion

BRONZE UNION was one of the most prolific and active targeted threat groups tracked by CTU researchers in 2017 and 2018. The threat actors have access to a wide range of tools, so they can operate flexibly and select tools appropriate for intrusion challenges. During complex intrusion scenarios, the threat actors leverage their proprietary tools, which offer custom functionality and lower detection rates. They appear to prefer using widely available tools and web shells to maintain access to networks over longer periods. After accessing a network, the threat actors are adept at circumventing common security controls, escalating privileges, and maintaining their access to high-value systems over long periods of time.

Threat indicators

The threat indicators in Table 2 are associated with BRONZE UNION activity. Note that IP addresses can be reallocated. The IP addresses and domains may contain malicious content, so consider the risks before opening them in a browser.

Table 2. Indicators for this threat.