APT27 is a threat actor that specializes in espionage through deploying custom and third-party RATs, backdoor Trojans and spyware. Their attacks may initiate through fake e-mail documents, watering hole attacks on target-relevant websites, or various means of breaching login credentials remotely. Users should monitor their networks and devices through appropriate anti-malware solutions and always remove threats related to APT27's attacks as soon as possible.
A Master of RATs with a Whole Pack at Its Disposal
Particularly skilled threat actors will make appropriate use of both homebrew-style software and third-party tools, or even standard LOLbin features, for compromising and retaining their victims. APT27 offers a multitude of examples in all of these strategies, as an intelligence-harvesting team not dissimilar to China's APT10 or Russia's Turla APT. Users on the other end of their attacks have limited opportunities for noticing anything unusual due to the deposited threats having well-thought-out stealth behavior.
Some samples of especially important Trojans in APT27 attacks include:
- HyperBro is unique to APT27 and provides Remote Access Trojan (RAT) style features for controlling the PC with a remote interface. SysUpdate is a similar RAT, also only from this group, and deploys in multiple stages. Both of the Trojans can provide file-uploading/downloading, a shell for delivering commands, or more specialized attacks, like taking screenshots.
- For contrast, the Gh0st RAT is in the same general category as the previous two programs, but is an 'open source' program. APT27, however, modifies its code somewhat and takes advantage of fake headers to conceal its network traffic. An alternative Trojan with the same 'dark Web' sources is ZxShell.
- As a third example, China Chopper is structured so that it does not require a direct C&C connection to the criminals' server. It also, unlike some similar APT27 tools, has a built-in means of propagation: brute-forcing credentials for logging into accounts. Such an attack could let APT27 expand its access within networks and to associated devices.
- The PlugX backdoor Trojan is another 'shared' tool that, often, associates with China-based threat actors besides APT27, such as Axiom (APT41).
- Mimikatz, which also appears in the STOP Ransomware and the Ekati Ransomware campaigns, makes an appearance with these attackers as well. This program is spyware that exfiltrates credentials such as passwords.
This list is illustrative rather than exhaustive, and victims should assume that new attacks will come with further updates as necessary for APT27 to maintain an invisible stranglehold on its targets.
The Anti-Spy Protection that's Relevant to Any Business
APT27, whose colorful aliases include LuckyMouse and BRONZE UNION, targets traditionally 'valuable' entities around the world, such as manufacturing companies, defense contractors or governments. Users in an at-risk environment can implement a multi-step approach to defense that will protect against the usual infection strategies that these hackers employ. Scanning e-mail-attached documents and spreadsheets, disabling macros, and using strong passwords are some of the general recommendations.
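The attachment-scanning recommendation above can be made concrete with a small check for embedded VBA projects in Office documents. This is an added example and not code from the original page or from any product it mentions; it builds its own sample .docx and .docm containers in memory (constructed placeholders, not real attachments) and decides whether a file should be allowed, quarantined, or sent for manual review. Legacy OLE (.doc/.xls) files are not ZIP containers, so they fall into the manual-review bucket rather than being guessed at.

```python
import io
import zipfile


def _build_ooxml(parts):
    """Build an in-memory OOXML (ZIP) container from a name->bytes mapping.
    Used only to construct sample inputs for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a macro-free .docx.
CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": b"<Types/>",
    "word/document.xml": b"<w:document/>",
})

# Constructed sample: a macro-enabled .docm. The vbaProject.bin body is a
# placeholder (OLE magic plus padding), not a real VBA project.
MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": (
        b'<Types><Override PartName="/word/vbaProject.bin" '
        b'ContentType="application/vnd.ms-office.vbaProject"/></Types>'
    ),
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,
})

# Constructed sample: bytes that are not a ZIP container (legacy OLE-style header).
LEGACY_DOC = b"\xd0\xcf\x11\xe0" + b"\x00" * 32


def ooxml_macro_parts(data: bytes):
    """Return the list of VBA project parts found inside an OOXML container
    (docx/xlsx/pptx and their macro-enabled variants).

    Returns None when the bytes are not a ZIP container, e.g. a legacy OLE
    .doc/.xls file, which needs a different parser (such as oletools)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            content_types = ""
            if "[Content_Types].xml" in names:
                content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    # Word, Excel and PowerPoint all store VBA as <folder>/vbaProject.bin.
    hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # A declared vbaProject content type without the part is still suspicious.
    if "vnd.ms-office.vbaProject" in content_types and not hits:
        hits.append("[Content_Types].xml declares a vbaProject part")
    return hits


def triage_attachment(data: bytes) -> str:
    """Decide what to do with an attachment: 'quarantine' when it carries a VBA
    project, 'allow' when it is a macro-free OOXML file, 'manual-review' when
    the container cannot be parsed here."""
    parts = ooxml_macro_parts(data)
    if parts is None:
        return "manual-review"
    return "quarantine" if parts else "allow"


if __name__ == "__main__":
    for label, blob in (("report.docx", CLEAN_DOCX),
                        ("invoice.docm", MACRO_DOCM),
                        ("old.doc", LEGACY_DOC)):
        print(label, triage_attachment(blob), ooxml_macro_parts(blob))
```

The check keys on the container's contents rather than the file extension, since a renamed file still carries its VBA part. It complements, rather than replaces, disabling macros by policy on the endpoints that open the attachments.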
Although its attribution isn't definitive, APT27 operates as the equivalent of a government-funded group, and rarely deploys tools that are casually visible to the user. A particularly unorthodox means of DLL side-loading, for example, involves APT27's use of a variant of Kaspersky AV software. Anti-malware products and related security services, such as firewalls, may help with detecting and removing threats from APT27 automatically or with flagging forged traffic and other IoCs.
Although predicting what APT27 will do next isn't easy, the chances are good that it will involve taking information that doesn't belong to them. Administrators and workers, in general, should always keep their eyes wide open to any possible drive-by downloads, which are the most natural point for spotting a RAT campaign.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to APT27 may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.