Earlier this Fall, the Cybersecurity & Infrastructure Security Agency (CISA) released an Alert Bulletin detailing campaigns perpetrated by several advance persistent threat (APT) groups against a Defense organization(1) . While several of the tools highlighted in the report had ties to several Chinese sponsored cyber groups (China Chopper, CovalentStealer, Impacket), the use of the HyperBro Remote Access Trojan (RAT) pointed to the involvement of one prolific threat group in particular, APT27.
In this blog post, we will review the history of the threat group, highlight well-known attacks attributed to APT27, and use Netwitness to analyze the HyperBro RAT, one of the more widely used pieces of malware in the APT27 toolkit.
APT27 Background:
APT27 is a sophisticated cyber threat group believed to be sponsored by the Chinese government. Commonly referred to by several aliases including EMISSARY PANDA, Bronze Union, Budworm, Iron Tiger, TG-3390, and Lucky Mouse, APT27 has been targeting victims since at least 2010(2). This group has successfully executed multiple long-term, highly targeted attacks against organizations in multiple industries (defense, technology, energy, manufacturing, among others). Originally, APT27 solely focused their efforts on espionage, infiltrating networks to monitor, gather, and exfiltrate sensitive data. In recent years however, there has been an expansion in tactics towards financially motivated cybercrime, with known APT27 malware used to deliver cryptominers(3) and ransomware(4). Over the course of the APT27’s existence, the group has displayed an ability to gain access using several techniques. Whereas APT27 initially used spearphishing as their main infiltration vector, the group has expanded their capabilities to include exploitation of vulnerabilities on web facing systems(5), compromise of third party applications(6), and supply-chain attacks(7).
To conduct their tradecraft, APT27 uses a combination of proprietary malware, malware shared amongst several suspected Chinese cybercrime groups, and publicly available open-source software. The first malware to be associated with an early iteration of the group was the infamous Gh0st RAT from 2009. Since that time, other well-known malware like ZxShell, PlugX, SysUpdate, and HyperBro have been heavily linked to APT27. Additionally, modified versions of legit software such as HTTPBrowser, Impacket, and gsecdump have been used during the group’s intrusions. Due to regular maintenance and updating of their toolset, APT27 has been adept at bypassing traditional security detections. This diverse collection of tools allows APT27 to adapt their tactics as needed, essentially giving the group a “Swiss army knife” to compromise vastly different target environments.
Notable Attacks Linked to APT27:
- February 2015 - American health Insurance provider Anthem disclosed it was a victim of a data breach, in which the PII information of 78.8 million people was stolen(8). Post breach analysis revealed the initial access vector as a phishing email sent to an employee a year prior. According to the same report, the breach resulted in Anthem spending $260 million to fix security-related issues and an additional $39 million to settle lawsuits from affected victims. Although this attack was never directly attributed to a nation state, the presence of several APT27 TTPs (including C2 infrastructure and software), made the group the most likely culprit.
- March 2018 - APT27 compromised the national data center of a Central Asian country(9). While present in the victim network for at least 4 months, the threat group used official websites from the victim to run a watering hole attack. Users who interacted with malicious links hosted on these websites were redirected to APT27 controlled domains and silently downloaded ScanBox and BEeF frameworks to their systems. APT27 tool HyperBro was found on several systems inside of the targeted environment.
- March 2021 - The BfV German domestic intelligence services released a report alerting on APT27 attacks against German commercial organizations(10). In the documented attacks, APT 27 exploited vulnerabilities in Zoho AdSelf Service Plus software, a self-service password management tool, to gain initial access. Once on the network, the threat group conducted espionage activity by leveraging legitimate software vulnerable to DLL side-loading to load HyperBro RAT in memory.
- April 2022 - Campaigns against a Middle Eastern government, an electronics manufacturer, a U.S. state legislature, and a Southeast Asian hospital were all attributed to APT27(11). In these attacks, APT27 took advantage of the Log4j vulnerabilities to install web shells on web servers. Again, APT27 deployed its HyperBro RAT by dropping a copy of legitimate software (In these instances, CyberArk Viewfinity was used) on victim systems and DLL side-loading the payload in memory.
HyperBro - APT27's Premier Payload:
Across recent intrusions linked to APT27, the most witnessed piece of malware is the HyperBro RAT. HyperBro is an in-memory remote access trojan used by APT27 for backdoor access on targeted systems. HyperBro abuses DLL side-loading to compromise victim systems (Bitdefender has an excellent write-up on DLL side-loading here(12)). Once on the target host, an attacker drops two files into a directory of their choosing: a legitimate signed executable vulnerable to side-loading attack and a malicious loader DLL. Once the executable is executed, the malicious DLL is side-loaded and executed, which in turn loads the HyperBro payload. The payload is then decoded and loaded into memory. With HyperBro running on a system, attackers can execute commands both locally and remotely, log keystrokes, screen capture, and modify services, processes, files, and the registry.
Analyzing HyperBro with Netwitness:
For a better understanding of how a HyperBro attack works, we used Netwitness to analyze the artifacts mentioned in CISA’s latest HyperBro briefing. To setup our detonation environment we used a Windows 10 hosts and then placed copies of the following files in a Desktop folder named HB-Test:
- vf_host.exe – The legit software CyberArk Viewfinity
- SHA256: df847abbfac55fb23715cde02ab52cbe59f14076f9e4bd15edbe28dcecb2a348
- vftrace.dll – The malicious DLL side-loaded by Viewfinity. This contains the HyperBro payload
- SHA256: 52072a8f99dacd5c293fccd051eab95516d8b880cd2bc5a7e0f4a30d008e22a7
- thumb.dat – The config file which instructs the HyperBro payload how to operate
- SHA256: f2ba8b8aabf73020febd3a925276d52ce88f295537fe57723df714c13f5a8780
Once vf_host.exe is executed on our “victim” system, vftrace.dll is run via side-loading (MITRE: T1574.002 - Hijack Execution Flow: DLL Side-Loading). On the host, the other files are then deleted from the HB-Test folder.
HyperBro files removed from original folder HB-Test
At the same time, vf_host.exe drops copies of the previously removed files vftrace.dll and thumb.dat in a newly created hidden directory C:\ProgramData\windefenders (T1564.001 - Hide Artifacts: Hidden Files and Directories). A copy of vf_host.exe is renamed to msmpeng.exe and is also placed in the new windefenders directory along with a file config.ini which contains system identification information to be used in later command-and-control (C2) communications.
HyperBro files copied to C:\ProgramData/windefenders
In our Netwitness SIEM we can see the ‘renameToExecutable’ and ‘writeToExecutable’ events related to this activity.
vf_host.exe moves vftrace.dll to C:\ProgramData\windefenders
vf_host.exe makes copy of itself, named msmpeng.exe, to C:\ProgramData\windefenders
After decoding thumb.dat (MITRE: T1140 - Deobfuscate/Decode Files or Information), HyperBro will spawn a new svchost.exe and inject itself into the process (MITRE: T1055 – Process Injection). The next step is for HyperBro to gain persistence, which it accomplishes by adding an entry for windefenders to the Startup Run registry key (MITRE: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder).
windefenders added to Startup Run Registry key for persistence
Looking back on our SIEM, we see the corresponding ‘createRegistryValue’ activity in our threat lab SIEM.
Netwitness captures registry edit made by HyperBro
The last activity seen in Netwitness is the attempted network connection to the C2 server 104.168.236.43 mentioned in the CISA report (MITRE: T1071.001 - Application Layer Protocol: Web Protocols).
HyperBro C2 communication attempt
Conclusion:
APT27 is a highly skilled adversary with no indication of stopping anytime soon. Because of its ability to quickly weaponize novel tools and methods of intrusion, the group seems poised to continue operations across multiple sectors and geographical regions. It will be interesting to see if the financial motivation displayed by APT27 in recent attacks will continue or if the group will revert to an espionage only model.
The following App Rules, currently on Netwitness Live, should help organizations identify suspicious HyperBro activity with Netwitness Endpoint:
- Hijacked DLL Loads HyperBro Payload
- HyperBro Registry Creation
- HyperBro Files Dropped (windefenders)
- Possible HyperBro Named Pipe
In addition, the HTTP Lua Parser has been updated with the following detections:
- HyperBro C2
- HyperBro download
References:
(1) https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
(2) https://attack.mitre.org/groups/G0027/
(3) https://thehackernews.com/2018/02/cyber-espionage-asia.html
(4) https://threatpost.com/ransomware-major-gaming-companies-apt27/162735/
(5) https://www.hvs-consulting.de/public/ThreatReport-EmissaryPanda.pdf
(6) https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf
(9) https://securelist.com/luckymouse-hits-national-data-center/86083/
(11) https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/budworm-espionage-us-state
(12) https://businessinsights.bitdefender.com/tech-explainer-what-is-dll-sideloading
