China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons
An alarming cyberattack campaign originating from China has been discovered, specifically targeting the Southeast Asian gambling sector. The threat involves deploying Cobalt Strike beacons on compromised systems. Renowned cybersecurity firm SentinelOne revealed insights into the tactics, techniques, and procedures that indicate the involvement of a threat actor known as Bronze Starlight. This group has also been referred to as Emperor Dragonfly or Storm-0401.
Cobalt Strike Beacons: A Brief Overview
Cobalt Strike beacons are commercial, legitimate penetration testing tools. However, they can be and have been misused by threat actors to manage compromised hosts. In the hands of malicious actors, these tools can be used to control systems remotely, making them a serious threat. It's a tactic that's been observed in multiple incidents worldwide.
The Bronze Starlight Group
Bronze Starlight, a China-linked cyber espionage group, has been identified as the orchestrator of the attack. Known for its sophisticated techniques, this group has previously been linked to using short-lived ransomware families to obscure its real intent of espionage.
Techniques Employed
One of the striking features of this campaign is the abuse of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables that are vulnerable to DLL hijacking. The strategy allows them to deploy Cobalt Strike beacons effectively. The campaign also exhibits overlaps with an intrusion set known as Operation ChattyGoblin, revealing similarities with a supply chain attack leveraging a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.
Attribution Difficulties
Attributing these attacks to a specific group remains a challenge. There are interconnected relationships and extensive infrastructure and malware sharing among various Chinese nation-state actors. These overlaps make it difficult to pin down a particular group, highlighting the complex nature of the threat landscape.
Methodology
The attackers are known to modify installers for chat applications to download a .NET malware loader, configured to retrieve a second-stage ZIP archive from Alibaba buckets. This ZIP file contains a legitimate executable that's vulnerable to DLL search order hijacking, a malicious DLL, and an encrypted data file named agent.data. Specifically, the Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables, once launched, side-load the malicious DLL placed beside them; that DLL then decrypts and executes the code embedded in the data file, which implements a Cobalt Strike beacon.
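As an added defender-side illustration (not code from SentinelOne or the article), the following Python flags image-load events that fit the loader chain just described: a vendor-signed executable loading a DLL from the same, non-standard directory, that DLL being unsigned, and an agent.data file sitting beside it. The Sysmon Event ID 7 field names are real; the signer strings, paths, DLL name and the dir_listing field are constructed assumptions.

```python
"""Flag DLL side-loading candidates matching the loader chain described above.

Added illustration, not SentinelOne's or the campaign's code. Input is a list of
constructed Sysmon Event ID 7 (Image Loaded) records reduced to the fields a
detection needs; signer names, paths and file names are made up for the example.
"""
import os
from dataclasses import dataclass

# Vendors whose binaries the article says were abused; matched on signer name
# (assumption: these prefixes match the signer strings Sysmon would report).
ABUSED_SIGNERS = ("Adobe", "Microsoft", "McAfee")
# Directories where those vendors' own DLLs are expected to live.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")

@dataclass
class ImageLoad:
    image: str              # process executable (Sysmon "Image")
    image_signer: str       # signer of the executable (constructed field)
    image_loaded: str       # DLL path (Sysmon "ImageLoaded")
    signed: bool            # Sysmon "Signed"
    signature_status: str   # Sysmon "SignatureStatus"
    dir_listing: tuple      # constructed: file names in the DLL's directory

def _under_trusted_root(path):
    p = path.lower()
    return any(p.startswith(r.lower() + "\\") for r in TRUSTED_ROOTS)

def side_load_indicators(ev):
    """Return the reasons an image-load event looks like side-loading."""
    reasons = []
    if not any(ev.image_signer.startswith(s) for s in ABUSED_SIGNERS):
        return reasons  # not one of the vendor binaries this campaign abuses
    same_dir = os.path.dirname(ev.image_loaded).lower() == os.path.dirname(ev.image).lower()
    if same_dir and not _under_trusted_root(ev.image_loaded):
        reasons.append("dll loaded from untrusted dir beside signed exe")
    if not ev.signed or ev.signature_status != "Valid":
        reasons.append("dll unsigned or signature invalid")
    if "agent.data" in (n.lower() for n in ev.dir_listing):
        reasons.append("agent.data present beside dll")
    return reasons

def triage(events):
    """Map each suspicious event's DLL path to its list of indicators."""
    return {e.image_loaded: r for e in events if (r := side_load_indicators(e))}

# Constructed sample events: one benign vendor load, one matching the chain.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Adobe\Creative Cloud\ACC\Creative Cloud.exe",
              "Adobe Inc.", r"C:\Program Files\Adobe\Creative Cloud\ACC\support.dll",
              True, "Valid", ("Creative Cloud.exe", "support.dll")),
    ImageLoad(r"C:\Users\Public\update\Creative Cloud.exe", "Adobe Inc.",
              r"C:\Users\Public\update\support.dll", False, "Unsigned",
              ("Creative Cloud.exe", "support.dll", "agent.data")),
]

if __name__ == "__main__":
    for dll, why in triage(SAMPLE_EVENTS).items():
        print(dll, "->", "; ".join(why))
```

Real deployments would feed this from a SIEM query on Event ID 7 and join the directory listing from an EDR file inventory rather than from a constructed field.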
Geofencing Mechanism
One of the unique aspects of this campaign is an unsuccessful attempt to halt the execution of the loaders if run on machines located in countries like Canada, France, Germany, India, Russia, the U.K., and the U.S. This geofencing mechanism is a clear indication of the narrow focus of the attacks.
Compromised Certificates
SentinelOne revealed that one of the .NET malware loaders is signed using a certificate issued to a Singapore-based VPN provider called Ivacy VPN. This suggests the theft of the signing key at some point. DigiCert has since revoked the certificate as of June 2023.
Connections with Other Groups
The side-loaded DLL files are recognized as HUI Loader variants, commonly used by China-based groups like APT10, Bronze Starlight, and TA410. Connections and overlaps between these groups indicate a shared methodology and collaboration. Such relationships further complicate the attribution of specific attacks to individual groups.
My Conclusion
The activities of the Bronze Starlight group targeting the gambling sector with Cobalt Strike beacons illustrate the intricate nature of the Chinese threat landscape. These advanced techniques and collaborations between various threat actors pose a growing challenge to cybersecurity professionals and organizations. A multifaceted approach, including continuous monitoring, updating security protocols, and awareness of the evolving threat landscape, will be essential to counter these sophisticated attacks.
The discovery of this campaign serves as a stark reminder of the increasing sophistication and determination of threat actors. By exploiting legitimate tools like Cobalt Strike beacons, they continue to find innovative ways to breach security measures.
To remain vigilant against these types of attacks, organizations must invest in advanced threat detection solutions, engage in continuous monitoring, and foster a culture of cybersecurity awareness. Collaboration between industry players, governments, and international bodies may also be necessary to address these transnational threats effectively. By understanding the tactics, techniques, and procedures employed by groups like Bronze Starlight, the global community can better prepare and respond to the ever-evolving challenges of cybersecurity.
FAQs
What is Cobalt Strike Beacon?
Cobalt Strike Beacon is a commercial penetration testing tool often used by cybersecurity professionals. However, it can also be misused by attackers to control compromised systems, execute malicious tasks, and evade detection.
Who is the Bronze Starlight Group?
The Bronze Starlight Group, also known as Emperor Dragonfly or Storm-0401, is a threat actor believed to be originating from China. They are known for using sophisticated techniques, including Cobalt Strike Beacons, to target specific sectors and conceal their espionage motives.
How are Cobalt Strike Beacons being used in this attack?
In this campaign, the attackers have been abusing legitimate executables from Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan that are vulnerable to DLL hijacking. The side-loaded DLL decrypts and executes the Cobalt Strike Beacon, giving the attackers control over compromised systems.
What sectors are targeted by this attack?
The primary target of this attack is the Southeast Asian gambling sector. The narrow focus of the attacks and the techniques employed suggest a coordinated and targeted approach.
Why is this attack significant?
This attack showcases the complex and interconnected nature of Chinese threat actors and their ability to exploit and manipulate legitimate tools for malicious purposes. It also highlights the ongoing threat to sectors that may have vulnerabilities in their cybersecurity infrastructure.
Are there any overlaps with other known cyber activities?
Yes, this campaign exhibits overlaps with an intrusion set monitored by ESET under the name Operation ChattyGoblin. It shares commonalities with other China-based groups and activities, illustrating the intricate Chinese threat landscape.
How can businesses protect themselves against such attacks?
Businesses can defend against these types of attacks by keeping their software up to date, implementing robust cybersecurity measures, monitoring for unusual activities, and educating employees about cybersecurity best practices. Engaging with professional cybersecurity firms for regular assessments and penetration testing can also be valuable.
Have any protective measures been taken against this specific threat?
Yes, some countermeasures have been implemented, such as the revocation by DigiCert in June 2023 of a certificate used in the attack. However, the constantly evolving tactics of threat actors mean that ongoing vigilance and adaptation are necessary.