These hackers are spreading ransomware as a distraction - to hide their cyber spying

Five ransomware strains have been linked to Bronze Starlight activities.
Written by Charlie Osborne, Contributing Writer

A group of likely state-backed cyber attackers has adopted a new loader to spread five different ransomware families in a bid to hide its true espionage activities.

On Thursday, cybersecurity researchers from Secureworks published new research on HUI Loader, a malicious tool that criminals have used widely since 2015.

Loaders are small, malicious packages designed to stay undetected on a compromised machine. While often lacking much functionality as independent malware, they have one crucial task: to load and execute additional malicious payloads.


HUI Loader is a custom DLL loader that is executed by legitimate software programs susceptible to DLL search order hijacking. Once executed, the loader decrypts a file containing the main malware payload and deploys it.

In the past, HUI Loader was used in campaigns by groups including APT10/Bronze Riverside – connected to the Chinese Ministry of State Security (MSS) – and Blue Termite. The groups have deployed remote access trojans (RATs) including SodaMaster, PlugX, and QuasarRAT in previous campaigns.

Now, it appears that the loader has been adapted to spread ransomware.

According to Secureworks' Counter Threat Unit (CTU) research team, two activity clusters related to HUI Loader have been connected to Chinese-speaking threat actors.

The first cluster is suspected of being the work of Bronze Riverside. This hacking group focuses on stealing valuable intellectual property from Japanese organizations and uses the loader to execute the SodaMaster RAT.

The second, however, belongs to Bronze Starlight. Secureworks believes that this group's activities are also geared toward IP theft and cyber espionage.

Targets vary depending on what information the cyber criminals are trying to obtain. Victims include Brazilian pharmaceutical companies, a US media outlet, Japanese manufacturers, and a major Indian organization's aerospace and defense division.


This group is the more interesting of the two, as it deploys five different ransomware families post-exploitation: LockFile, AtomSilo, Rook, Night Sky, and Pandora. During campaigns, the loader is used to deploy Cobalt Strike beacons, which establish a remote connection, after which a ransomware package is executed.

CTU says that the threat actors have developed their versions of the ransomware from two distinct code bases: one for LockFile and AtomSilo, and the other for Rook, Night Sky, and Pandora.

"Based on the order in which these ransomware families appeared starting in mid-2021, the threat actors likely first developed LockFile and AtomSilo and then developed Rook, Night Sky, and Pandora," the team says.

Avast has released a decryptor for LockFile and AtomSilo. The other three ransomware variants all appear to be based on Babuk source code.

The loader has also been updated recently. In March, the researchers found a new version of HUI Loader that uses the RC4 cipher to decrypt the payload. The new version also carries additional obfuscation code and attempts to disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) checks and to tamper with Windows API calls.

"While Chinese government-sponsored groups have not historically used ransomware, there is precedent in other countries," Secureworks says. "Conversely, Chinese government-sponsored groups using ransomware as a distraction would likely make the activity resemble financially motivated ransomware deployments. However, the combination of victimology and the overlap with infrastructure and tooling associated with government-sponsored threat group activity indicate that Bronze Starlight may deploy ransomware to hide its cyberespionage activity."
