Secureworks Counter Threat Unit researchers announced that Chinese threat actors are using HUI Loader to load remote access trojans on compromised hosts. According to the announcement, two HUI Loader activity clusters are linked exclusively to Bronze Riverside and Bronze Starlight. While Bronze Riverside is responsible for one cluster that steals intellectual property from Japanese organizations, Bronze Starlight focuses on deploying LockFile, AtomSilo, Rook, Night Sky, and Pandora ransomware.
Bronze Riverside and Bronze Starlight
Secureworks announced that Bronze Starlight’s methods show that the group’s motivation may be stealing intellectual property or cyberespionage, rather than financial gain. Secureworks suggests that the group may be using ransomware as a distraction to hide their true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group.
HUI Loader is a custom DLL loader whose name derives from a string found in the loader itself. It is loaded by legitimate programs that are susceptible to DLL search order hijacking. Once running, it decrypts and loads a separate file containing an encrypted payload, which then compromises the host. The researchers stated that HUI Loader can load RATs such as SodaMaster, PlugX, Cobalt Strike, and QuasarRAT.
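The DLL search order hijacking described above can be hunted for in a host file inventory: a DLL that carries a Windows system DLL name, is unsigned, and sits beside an executable outside the system directories is a loading-order hijack candidate. The following Python is an added example, not Secureworks' code or HUI Loader analysis; its system DLL name list, system directory list and inventory records are constructed for illustration.

```python
"""Flag DLL search-order hijacking candidates from a file inventory (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample of system DLL names that programs commonly resolve via the
# search order; a real hunt would build this set from %SystemRoot%\System32.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "wtsapi32.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")


@dataclass(frozen=True)
class FileRecord:
    path: str
    signed: bool  # Authenticode signature validated by the collector (assumed field)


def in_system_dir(path: str) -> bool:
    """True when the file's directory is one of the trusted system directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


def hijack_candidates(records):
    """Return (dll_path, [exe siblings]) for unsigned system-named DLLs beside an EXE."""
    by_dir = {}
    for r in records:
        by_dir.setdefault(str(PureWindowsPath(r.path).parent).lower(), []).append(r)
    findings = []
    for r in records:
        p = PureWindowsPath(r.path)
        if p.suffix.lower() != ".dll" or p.name.lower() not in SYSTEM_DLL_NAMES:
            continue
        if in_system_dir(r.path) or r.signed:
            continue  # legitimate copy, or vendor-signed redistribution
        siblings = by_dir[str(p.parent).lower()]
        hosts = [s.path for s in siblings if PureWindowsPath(s.path).suffix.lower() == ".exe"]
        if hosts:  # a program in the same directory would load this DLL first
            findings.append((r.path, hosts))
    return findings


# Constructed inventory: a signed vendor application with an unsigned version.dll dropped beside it.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\version.dll", True),
    FileRecord(r"C:\Program Files\VendorApp\VendorApp.exe", True),
    FileRecord(r"C:\Program Files\VendorApp\version.dll", False),
    FileRecord(r"C:\Program Files\VendorApp\vendorcore.dll", False),
    FileRecord(r"C:\Users\Public\Libraries\dwmapi.dll", False),
]

if __name__ == "__main__":
    for dll, hosts in hijack_candidates(SAMPLE_INVENTORY):
        print(f"hijack candidate: {dll} (loadable by {', '.join(hosts)})")
```

The lone dwmapi.dll under Users\Public is not flagged because no executable sits beside it; such stray copies are worth a separate lower-severity rule.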
Secureworks analysis identified four HUI Loader samples that decrypt and load PlugX RAT payloads; PlugX is used by various Chinese threat groups. One PlugX sample communicates with a sibling domain of a Bronze Starlight Cobalt Strike C2 domain. The domain masquerades as the legitimate website of an India-based company. Secureworks said,
« BRONZE STARLIGHT compromises networks by exploiting vulnerabilities in network perimeter devices, including known vulnerabilities for which patches are available. The threat actors deploy HUI Loader to decrypt and execute a Cobalt Strike Beacon for command and control. They then deploy ransomware and exfiltrate sensitive data from the victim’s environment.
Both the exploitation of known vulnerabilities and the use of Cobalt Strike for command and control provide opportunities to detect and prevent BRONZE STARLIGHT intrusion activity before exfiltration or ransomware deployment. Network defenders should implement a robust patch management process to address network perimeter vulnerabilities in a timely manner. However, breaches can occur even with preventative measures in place. Reactive measures such as a robust and tested incident response plan, real-time network monitoring and alerting, and an extended detection and response (XDR) solution are crucial for minimizing the impact of ransomware and other malicious activity. »