December 3, 2023

China-backed cyber actors are mounting espionage campaigns on the Russian military.

Researchers from Secureworks discovered that malware dubbed Bronze President is now targeting Russian military personnel and officials.


The heavily obfuscated malicious executable being used in the campaign is designed to appear as a Russian-language PDF document pertaining to Russia’s 56th Blagoveshchenskiy Red Banner Border Guard Detachment. The file is designed so that default Windows settings do not display its .exe extension.

The executable file displays a decoy document written in English, though the filename itself is in Russian. The document appears to be legitimate and contains data pertaining to asylum applications and migratory pressure in the three countries that border Belarus: Poland, Lithuania, and Latvia.

Once executed, the file downloads three additional files from a staging server. The file uses DLL search-order hijacking to import an updated version of PlugX, a remote-access Trojan (RAT) that has been previously associated with Bronze President.

Threat actors use the technique because it ensures that the malicious payload file on a compromised system is never sitting around on disk in a manner that scanners and anti-malware can detect.

The threat actors have also included a ping command that adds a significant delay before executing the legitimate signed file, a generic evasion technique to introduce a time lag while files are downloaded to the victim.
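One way to hunt for the ping-delay pattern described above in process command-line telemetry, as an added example that is not from Secureworks or the original article. The sample command lines, file paths, and the 10-second threshold are constructed assumptions; `-n` and `-w` are the Windows `ping` count and timeout options.

```python
import re

CHAIN_RE = re.compile(r"&&?|\|\|")                      # cmd.exe operators: &, &&, ||
PING_RE = re.compile(r"\bping(?:\.exe)?\b(.*)", re.I)
COUNT_RE = re.compile(r"(?:^|\s)[-/]n\s+(\d+)", re.I)   # -n <echo requests>
WAIT_RE = re.compile(r"(?:^|\s)[-/]w\s+(\d+)", re.I)    # -w <timeout in ms>

# Constructed sample command lines (not taken from the campaign).
SAMPLE_CMDLINES = [
    r'cmd.exe /c ping -n 70 127.0.0.1 > nul & "C:\ProgramData\Example\signed_app.exe"',
    r"ping -n 2 10.0.0.1",
    r"cmd /c ping 8.8.8.8 && echo up",
    r"cmd /c ping -n 5 -w 5000 192.0.2.1 >nul & start helper.exe",
]


def ping_delay_seconds(segment):
    """Rough delay in seconds produced by a ping command, or None if not a ping."""
    m = PING_RE.search(segment)
    if not m:
        return None
    args = m.group(1)
    n = COUNT_RE.search(args)
    w = WAIT_RE.search(args)
    count = int(n.group(1)) if n else 4          # Windows sends 4 requests by default
    paced = max(count - 1, 0)                    # about 1 s between answered requests
    timed_out = count * int(w.group(1)) // 1000 if w else 0  # host never answers
    return max(paced, timed_out)


def find_ping_delay_chains(cmdline, min_delay=10):
    """Return (delay_seconds, next_command) for long pings chained before another command."""
    parts = [p.strip() for p in CHAIN_RE.split(cmdline)]
    hits = []
    for i, part in enumerate(parts[:-1]):
        delay = ping_delay_seconds(part)
        if delay is None or delay < min_delay:
            continue
        # First later segment that is not itself a ping is what the delay guards.
        follow = next((p for p in parts[i + 1:] if p and ping_delay_seconds(p) is None), None)
        if follow:
            hits.append((delay, follow))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for delay, follow in find_ping_delay_chains(line):
            print(f"~{delay}s ping delay before: {follow}")
```

Short connectivity checks and unchained pings are ignored, so the threshold can be tuned against normal administrative scripts in the environment.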


The staging server that the threat actor is using in the current campaign hosts a domain that Proofpoint earlier this year linked to a PlugX campaign against diplomatic entities in Europe.

The group is assessed as being China-based and likely sponsored by or operating with the knowledge of the Chinese government. The group has been associated with numerous attacks on nongovernmental organizations and others, mostly in Asia but to some extent in other countries.
