A Chinese cyberespionage group tracked as Bronze President has launched a new campaign targeting the computer systems of government officials in Europe, the Middle East, and South America with a modular malware called PlugX.
Threat analysts at Secureworks discovered the campaign in June and July 2022, once again highlighting the group's persistent focus on espionage against governments across the globe.
The researchers have identified multiple pieces of evidence including the use of PlugX, naming schemes previously employed by the hacking group, and politically-themed lure documents that align with regions that are of strategic importance to China.
“Several characteristics of this campaign indicate that it was conducted by the likely Chinese government-sponsored Bronze President threat group, including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically themed decoy documents that align with regions where China has interests,” Secureworks Counter Threat Unit (CTU) explained in a blog post.
The attack chains distribute RAR archive files containing a Windows shortcut (.LNK) file that masquerades as a PDF document. Opening the shortcut executes a legitimate file stored in a nested hidden folder inside the archive.
That file then creates the path for installing a malicious document, while the PlugX payload establishes persistence on the compromised device.
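A defender-side triage heuristic for the archive layout just described, added here as an example (it is not code from Secureworks or from the article): it flags a shortcut dressed up as a document and an executable placed in a hidden, nested folder. The `Entry` listing format and all file names are assumptions, and the sample listing is constructed.

```python
# Added example: triage an archive listing for the two traits described in the
# article. Entries mimic what an archive lister reports (path, hidden flag, dir flag).
from dataclasses import dataclass
from pathlib import PurePosixPath

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}
EXEC_EXTS = {".exe", ".dll"}

@dataclass(frozen=True)
class Entry:
    path: str          # path inside the archive, forward slashes
    hidden: bool       # Windows "hidden" attribute set on this entry
    is_dir: bool = False

def masquerading_shortcut(entry: Entry) -> bool:
    """True for names like 'Report.pdf.lnk': a .LNK whose inner extension looks like a document."""
    p = PurePosixPath(entry.path)
    if entry.is_dir or p.suffix.lower() != ".lnk":
        return False
    return PurePosixPath(p.stem).suffix.lower() in DOC_EXTS

def executable_in_hidden_dir(entry: Entry, hidden_dirs: set) -> bool:
    """True when an .exe/.dll sits at or below a directory marked hidden."""
    p = PurePosixPath(entry.path)
    if entry.is_dir or p.suffix.lower() not in EXEC_EXTS:
        return False
    return any(str(parent) in hidden_dirs for parent in p.parents)

def triage(entries):
    """Return (verdict, findings); 'high' only when both traits co-occur in one archive."""
    hidden_dirs = {e.path.rstrip("/") for e in entries if e.is_dir and e.hidden}
    findings = []
    for e in entries:
        if masquerading_shortcut(e):
            findings.append(("shortcut-as-document", e.path))
        if executable_in_hidden_dir(e, hidden_dirs):
            findings.append(("exec-in-hidden-dir", e.path))
    kinds = {k for k, _ in findings}
    if kinds == {"shortcut-as-document", "exec-in-hidden-dir"}:
        return "high", findings
    return ("medium" if kinds else "clean"), findings

# Constructed sample listing (hypothetical names, not a real sample): a decoy-named
# shortcut at the top level and a hidden nested folder holding an EXE and a DLL.
SAMPLE = [
    Entry("Briefing.pdf.lnk", hidden=False),
    Entry("files/", hidden=True, is_dir=True),
    Entry("files/bin/", hidden=True, is_dir=True),
    Entry("files/bin/viewer.exe", hidden=True),
    Entry("files/bin/viewer.dll", hidden=True),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```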
"Bronze President has demonstrated an ability to pivot quickly for new intelligence collection opportunities," the researchers added.
"Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies."
Bronze President, also known as RedDelta, Mustang Panda, or TA416, has been active since at least July 2018 and has a history of launching espionage campaigns that employ custom and publicly available tools to exploit targets of interest, maintain long-term access, and exfiltrate data.
The PlugX RAT remains Bronze President's preferred spying tool. The threat actor has used multiple variants of it for several years, as have other China-based threat groups.
Earlier this year in March, the hacking group targeted Russian government officials with an updated version of the PlugX backdoor called Hodur, alongside organizations located in Asia, the European Union, and the U.S.
Beyond PlugX, infection chains used by the APT group have involved the deployment of custom stagers, reverse shells, Meterpreter-based shellcode, and Cobalt Strike, all of which are used to establish remote access to its targets for espionage and information theft.