APT27 (Advanced Persistent Threat) is the name of a hacking group that originates from China and tends to go after high-profile targets. APT27 is also known under various other aliases, including Emissary Panda, LuckyMouse and BronzeUnion. Among the most well-known campaigns carried out by APT27 are its attacks targeting United States defense contractors. Other well-known operations by APT27 include a campaign against a number of companies operating in the financial sector, as well as an attack launched against a data center located in Central Asia. The hacking tools in APT27's arsenal include threats that allow the group to carry out reconnaissance operations, collect sensitive files from the infected host or take over the compromised system.

Cybersecurity researchers first spotted the activity of APT27 in 2010 and have been keeping a close eye on it ever since. Since then, APT27 has managed to compromise targets that operate in a variety of key industries:

  • Government.
  • Defense.
  • Technology.
  • Energy.
  • Manufacturing.
  • Aerospace.

Among the most utilized tools in the hacking arsenal of APT27 are the Gh0st RAT, ZxShell and HyperBro. However, the cyber crooks from APT27 do not rely only on custom-built hacking tools. APT27, like many other APTs, also utilizes legitimate services for its nefarious operations, as well as publicly available hacking tools.

APT27 has attacked a range of targets for a variety of reasons, from stealing data on cutting-edge technologies to spying on civilian groups and dissidents for the government.

Emissary Panda uses readily available resources, such as credentials, tools, and services native to the target, alongside custom malware developed for attacks. The group focuses on maintaining a presence on the compromised systems for an extended period of time.

The group was observed to return to compromised networks roughly every three months to verify that they still had access, refresh access if it had been lost, and find more data of interest to the attack.

APT27 Demonstrates What is Old is New Again

Last year, the group was seen deploying updated versions of the remote access Trojan (RAT) ZxShell. ZxShell was first developed in 2006, with the source code for the program released the following year, in 2007. The malware has HTran packet redirection built in and was signed with a digital certificate belonging to Hangzhou Shunwang Technology Co., as well as a digital certificate for Shanghai Hintsoft Co., Ltd.

APT27 was also likely behind a modified version of the Gh0st RAT deployed in 2018. The source code for the original Gh0st RAT is also available online. The updated version was used against several systems in a compromised network. The sample spotted by researchers communicates on TCP port 443 through a custom binary protocol, with modified headers to better hide network traffic communications.
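A defender can use the trait described above: a custom binary protocol on TCP port 443 does not open with a TLS handshake. The following check is an added example, not code from the original article or from any vendor report; the flow record layout and the sample payloads are constructed for illustration, and the non-TLS payload is a placeholder rather than bytes from a real sample.

```python
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
MAX_RECORD_LEN = 2 ** 14  # maximum plaintext record length

def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client bytes parse as a TLS record carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor, length = struct.unpack("!BBBH", payload[:5])
    return (content_type == TLS_HANDSHAKE
            and major == 3 and minor <= 4
            and 0 < length <= MAX_RECORD_LEN
            and payload[5] == CLIENT_HELLO)

def flag_non_tls_443(flows):
    """Return flows to TCP/443 whose first client payload is not a TLS ClientHello.

    Legacy SSLv2-format hellos and other non-TLS services on 443 are flagged too,
    so hits are candidates for review, not verdicts.
    """
    return [f for f in flows
            if f["dst_port"] == 443
            and not looks_like_tls_client_hello(f["first_payload"])]

# Constructed sample flows (documentation address ranges, hypothetical field names).
SAMPLE_FLOWS = [
    # Normal TLS: handshake record, version 3.1, length 200, ClientHello.
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443,
     "first_payload": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 32},
    # Placeholder for a custom binary protocol on 443 (not a real sample header).
    {"src": "10.0.0.7", "dst": "203.0.113.20", "dst_port": 443,
     "first_payload": b"\x00\x01custom-binary-placeholder"},
    # Plain HTTP on port 80 is outside the scope of this check.
    {"src": "10.0.0.9", "dst": "203.0.113.30", "dst_port": 80,
     "first_payload": b"GET / HTTP/1.1\r\n"},
]

if __name__ == "__main__":
    for f in flag_non_tls_443(SAMPLE_FLOWS):
        head = f["first_payload"][:8].hex()
        print(f"{f['src']} -> {f['dst']}:443 first bytes {head} are not a TLS ClientHello")
```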

Not content with using tools found online, APT27 has also developed and employed its own range of proprietary remote access tools. These tools, such as HyperBro and SysUpdate, have been making the rounds since 2016.

SysUpdate is a kind of multi-stage malware and is only used by Emissary Panda. The malware is delivered through several methods, such as malicious Word documents using Dynamic Data Exchange (DDE), manual deployment through stolen credentials, web redirects, and strategic web compromise (SWC).

APT27 Malware Deployment and Spread

No matter the deployment method, a self-extracting (SFX) WinRAR file installs the first-stage payload for SysUpdate. The first stage achieves persistence on the machine before installing the second-stage payload, known as SysUpdate Main. The malware communicates over HTTP and downloads code to inject into svchost.exe.

SysUpdate Main delivers attackers a range of remote access capabilities. The RAT allows hackers to access and manage files and processes on the machine, interact with different services, launch a command shell, take screenshots, and upload and download other malware as needed.

SysUpdate is a remarkably flexible malware that can be expanded or diminished as needed through other payload files. The ability to effectively control the presence of the virus allows the hackers to hide their full capabilities, according to security researchers.

The threat actors can leverage their proprietary tools during a sophisticated intrusion. These tools give them more control at a reduced risk of detection. The threat actors appear to gain access to networks using widely available tools. Once they are on the system, they can circumvent security controls, gain access to a more significant set of privileges and permissions, and maintain access to high-value systems in the long term. The longer APT27 spends on a target network, the more potential damage it can do. In a worst-case scenario, the group could have a presence on a system for years, collecting plenty of sensitive information and causing all kinds of damage.

One of the more popular custom-created hacking tools developed by APT27 is the SysUpdate threat. This is a RAT (Remote Access Trojan) that APT27 appears to propagate via fake spam emails and supply-chain attacks. Malware experts believe that the cyber crooks may also install the SysUpdate RAT on targeted hosts manually, provided that they have infiltrated them previously. This specific RAT has a modular structure. This means that APT27 can plant a basic copy of the threat on the compromised computer, and then add more features to it, weaponizing the RAT further.

APT27 appears to be a very flexible hacking group, both with regard to the propagation methods it utilizes and the wide variety of tools it deploys. This makes APT27 a rather threatening group of cyber crooks that should not be underestimated.

