On the 23rd of June 2022, cybersecurity researchers from Secureworks published research naming several ransomware variants that a China-linked, state-backed hacking group known as ‘Bronze Starlight’ has been using to disguise the true objective of its attacks, which is cyberespionage. The research also examined HUI Loader, a malicious tool that criminals have used widely since 2015.
HUI Loader is a custom DLL loader that is deployed by abusing legitimate software programs susceptible to DLL search order hijacking: the hijacked program loads the malicious DLL in place of the library it expects. Once executed, the loader decrypts a file containing the main malware payload and deploys it. HUI Loader has been used by many threat groups before, including APT10, Bronze Riverside and Blue Termite, but research by Secureworks’ Counter Threat Unit (CTU) research team identified two activity clusters using it.
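The loading technique described above leaves a characteristic footprint on disk: a DLL that shares its name with a system library but sits in an application directory next to an executable, with bytes that differ from the system copy. The following is an added example, not code from the article or from Secureworks, showing a defender-side heuristic that flags such candidates from a file inventory of the kind an EDR or a file-system sweep would produce. The inventory, the `VendorApp` path, the hashes and the signing flags are constructed sample values.

```python
"""
Added example: heuristic detection of DLL search-order hijacking candidates.
The inventory below is constructed; paths, hashes and signer state are
hypothetical and stand in for output from an EDR or a file-system sweep.
"""
from pathlib import PureWindowsPath

# Constructed sample inventory (hypothetical paths, hashes and signer state).
SAMPLE_INVENTORY = [
    {"path": r"C:\Windows\System32\version.dll", "sha256": "aaa111", "signed": True},
    {"path": r"C:\Windows\System32\dbghelp.dll", "sha256": "ddd444", "signed": True},
    {"path": r"C:\Program Files\VendorApp\VendorApp.exe", "sha256": "exe001", "signed": True},
    # A DLL that shares its name with a system DLL, sits beside the EXE, has a
    # different hash and no signature: the classic search-order hijack layout.
    {"path": r"C:\Program Files\VendorApp\version.dll", "sha256": "bbb222", "signed": False},
    # A legitimately shipped, signed vendor DLL that collides with nothing.
    {"path": r"C:\Program Files\VendorApp\vendorcore.dll", "sha256": "ccc333", "signed": True},
]

# Directories holding the copies Windows would normally resolve a system DLL to.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _is_system_path(p: PureWindowsPath) -> bool:
    return str(p.parent).lower() in SYSTEM_DIRS


def find_hijack_candidates(inventory):
    """Return findings for DLLs outside the system directories that share a
    basename with a system DLL but carry a different hash."""
    system_hashes = {}  # basename -> set of hashes seen in system directories
    exe_dirs = set()    # directories that contain an executable
    for entry in inventory:
        p = PureWindowsPath(entry["path"])
        if p.suffix.lower() == ".dll" and _is_system_path(p):
            system_hashes.setdefault(p.name.lower(), set()).add(entry["sha256"])
        elif p.suffix.lower() == ".exe":
            exe_dirs.add(str(p.parent).lower())

    findings = []
    for entry in inventory:
        p = PureWindowsPath(entry["path"])
        name = p.name.lower()
        if p.suffix.lower() != ".dll" or _is_system_path(p):
            continue
        if name not in system_hashes:
            continue  # no collision with a system DLL name
        if entry["sha256"] in system_hashes[name]:
            continue  # identical bytes to the system copy: a benign redistributable
        reasons = ["name collides with a system DLL", "hash differs from system copy"]
        if str(p.parent).lower() in exe_dirs:
            reasons.append("co-located with an executable")
        if not entry.get("signed", False):
            reasons.append("unsigned")
        findings.append({"path": entry["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_hijack_candidates(SAMPLE_INVENTORY):
        print(finding["path"], "->", "; ".join(finding["reasons"]))
```

The hash comparison is what keeps the noise down: vendors do legitimately redistribute identical copies of some system DLLs, and those are skipped, while a same-named DLL with different bytes beside an executable is worth a signature check and a closer look at what it decrypts and runs.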
The first cluster has been linked to Bronze Riverside, which is known for focusing on stealing valuable intellectual property from Japanese organisations. The second cluster has been linked to another China-linked group, Bronze Starlight, which appears to focus on IP theft and cyberespionage. Victims of these two groups have included Brazilian pharmaceutical companies, a US media outlet, Japanese manufacturers, and the aerospace and defence division of a major Indian organisation.
The research also revealed that Bronze Starlight has deployed five different kinds of ransomware during its campaigns: LockFile, AtomSilo, Rook, Night Sky, and Pandora. It is believed that the group developed these variants from two distinct code bases: one for LockFile and AtomSilo, and the other for Rook, Night Sky, and Pandora. Avast has released a decryptor for LockFile and AtomSilo. The other ransomware variants all appear to be based on the Babuk source code.