BRONZE VINEWOOD
SUMMARY
BRONZE VINEWOOD is a targeted threat group that has been observed targeting organizations involved in legal, consulting and software development. CTU research also suggests that organizations operating in government or defense supply chains, or providing services to those organizations, are exposed to a greater threat from targeted threat groups like BRONZE VINEWOOD.
The group has been observed to use a range of tools for initial access, persistence and lateral movement, including but not limited to: SQL injection, Trochilus RAT, HanaRat, and other malware. Stolen data has been compressed as RAR files and staged in temp directories on compromised servers prior to exfiltration. In targeted intrusions that Secureworks has investigated, the group has been careful to compartmentalize command and control infrastructure in order to make it harder to link BRONZE VINEWOOD activity across multiple clients. The group has used public sites such as GitHub and Dropbox for command and control.
Organizations should consider the threat from these types of targeted attacks as part of their risk-management strategies and ensure that additional controls are applied to sensitive or high-risk datasets. Organizations should also implement monitoring strategies that detect known-good software executing from suspicious locations and detect behaviors associated with DLL search order hijacking, suspicious native tool use and privilege escalation activities (e.g., Mimikatz dumping LSASS).
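One way to express two of the behaviors described above as checks over process-creation events: a known-good binary name running from an unexpected directory, and a RAR archive referenced in a temp directory. This is an added example, not Secureworks code; the event fields, the baseline directory table and the sample events are constructed assumptions.

```python
import ntpath

# Assumed baseline: directories where these Windows binaries normally live.
# A real deployment would derive this table from its own software inventory.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

def misplaced_binary(image):
    """True when a baselined binary name runs outside its expected directory."""
    directory, name = ntpath.split(image.lower())
    expected = EXPECTED_DIRS.get(name)
    return expected is not None and directory not in expected

def rar_in_temp(command_line):
    """True when a command line references a .rar file under a temp directory.
    Splits on whitespace, so quoted paths containing spaces are not handled."""
    tokens = command_line.lower().replace('"', " ").split()
    return any(t.endswith(".rar") and any(m in t for m in TEMP_MARKERS)
               for t in tokens)

def triage(events):
    """Return (event index, reason) pairs for events that need review."""
    findings = []
    for i, event in enumerate(events):
        if misplaced_binary(event["image"]):
            findings.append((i, "misplaced_binary"))
        if rar_in_temp(event["command_line"]):
            findings.append((i, "rar_in_temp"))
    return findings

# Constructed sample events (hypothetical hosts and paths, not from the report).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"image": r"C:\ProgramData\Updater\svchost.exe",
     "command_line": "svchost.exe"},
    {"image": r"C:\Program Files\WinRAR\rar.exe",
     "command_line": r"rar.exe a C:\Windows\Temp\d1.rar C:\Shares\Legal"},
    {"image": r"C:\Program Files\WinRAR\rar.exe",
     "command_line": r"rar.exe a D:\Backups\weekly.rar D:\Projects"},
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLE_EVENTS):
        print(index, reason, SAMPLE_EVENTS[index]["image"])
```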