APT27

Posted: May 5, 2020

APT27 Description

APT27 is a threat actor that specializes in espionage, deploying a mix of custom and third-party Remote Access Trojans (RATs), backdoor Trojans and credential-stealing tools. Their intrusions typically begin with malicious e-mail attachments, watering-hole attacks on websites relevant to the target, or remote abuse of stolen or brute-forced login credentials. Users should monitor their networks and devices with appropriate anti-malware solutions and remove anything related to APT27's attacks as soon as it is found.

A Master of RATs with a Whole Pack at Its Disposal

Particularly skilled threat actors will make appropriate use of homebrew-style software, third-party tools, and even standard LOLbin features (living-off-the-land binaries already present on the system) to compromise victims and retain access. APT27 offers a multitude of examples of all of these strategies, as an intelligence-harvesting team not dissimilar to China's APT10 or Russia's Turla APT. Targets have few chances of noticing anything unusual, because the implants are built with stealth in mind.

Attacks by APT27 are worldwide, although a campaign in Asia warrants special mention for compromising government websites and turning them into hosts for malicious JavaScript. The group's routine also stresses long-term control over PCs and networks: attackers periodically revisit compromised hosts over a period of months to re-harvest credentials and data and to check for system changes, adapting as they go with selective deployments of living-off-the-land utilities, third-party Trojans, or unique 'in-house' threats. In most cases, Trojans related to APT27 hide in memory through process injection and give the attackers remote administrative control.

Some samples of especially important Trojans in APT27 attacks include:

  • HyperBro is unique to APT27 and provides Remote Access Trojan (RAT) style features for controlling the PC through a remote interface. SysUpdate is a similar RAT, also seen only from this group, and deploys in multiple stages. Both Trojans provide file uploading and downloading, a shell for delivering commands, and more specialized capabilities, such as taking screenshots.
  • For contrast, Gh0st RAT is in the same general category as the previous two programs but is an 'open source' program whose code has circulated publicly for years. APT27 modifies its code somewhat, and in particular replaces the tool's well-known packet header with a fake one to conceal its network traffic from signature-based detection. An alternative Trojan from the same publicly available sources is ZxShell.
  • As a third example, China Chopper is a web shell: it runs on a compromised web server and waits for the attacker to connect to it, so it does not need an outbound C&C connection to the criminals' server. Unlike some similar APT27 tools, it also has a built-in means of expanding its foothold: brute-forcing credentials to log into other accounts. Such an attack could let APT27 extend its access within networks and to associated devices.
  • The PlugX backdoor Trojan is another 'shared' tool that often associates with China-based threat actors besides APT27, such as Axiom (APT41).
  • Like the STOP Ransomware or the Ekati Ransomware campaigns, APT27's attacks also make use of Mimikatz. This program is a credential-dumping tool that extracts passwords, hashes and Kerberos tickets from the memory of Windows systems.

This list is illustrative rather than exhaustive, and victims should assume that new attacks will come with further updates whenever APT27 needs them to maintain an invisible stranglehold on their targets.
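The bullet on Gh0st RAT above notes that APT27 swaps the tool's packet header for a fake one to hide its traffic. The following is an added example, not code from the original page or from any of the tools it describes, showing why a detector should key on packet structure rather than on the 5-byte tag. A standard Gh0st packet is: a 5-byte tag ("Gh0st" in the public source), a little-endian uint32 total packet length, a little-endian uint32 uncompressed payload length, and then a zlib-compressed payload. The sample packets, the fake tag "HELLO" and the function names are constructed for this example.

```python
import struct
import zlib

HEADER_LEN = 13            # 5-byte tag + two little-endian uint32 length fields
KNOWN_TAG = b"Gh0st"       # tag used by the publicly circulated Gh0st source


def build_packet(payload: bytes, tag: bytes = KNOWN_TAG) -> bytes:
    """Build a Gh0st-style packet: tag | total_len | raw_len | zlib(payload).

    Constructed for this example so the detector can be exercised offline;
    a variant that conceals itself changes only `tag`, not the layout."""
    if len(tag) != 5:
        raise ValueError("Gh0st tags are exactly 5 bytes")
    body = zlib.compress(payload)
    total_len = HEADER_LEN + len(body)
    return tag + struct.pack("<II", total_len, len(payload)) + body


def parse_packet(data: bytes):
    """Return (tag, payload) if `data` is structurally a Gh0st packet, else None.

    The check never looks at the tag's value: it requires that the total-length
    field equals the observed packet size, that the body is a valid zlib stream,
    and that the decompressed size matches the raw-length field. A fake tag
    therefore does not help the operator evade this check."""
    if len(data) < HEADER_LEN:
        return None
    tag = data[:5]
    total_len, raw_len = struct.unpack("<II", data[5:HEADER_LEN])
    if total_len != len(data):
        return None
    try:
        payload = zlib.decompress(data[HEADER_LEN:])
    except zlib.error:
        return None
    if len(payload) != raw_len:
        return None
    return tag, payload


def classify(data: bytes) -> str:
    """Label a captured TCP payload for triage."""
    parsed = parse_packet(data)
    if parsed is None:
        return "not-gh0st"
    tag, _ = parsed
    return "gh0st-known-tag" if tag == KNOWN_TAG else "gh0st-structure-fake-tag"


# Constructed sample traffic: one stock packet, one with a fake tag, one HTTP request.
SAMPLES = {
    "stock": build_packet(b"\x01" + b"A" * 40),
    "fake-tag": build_packet(b"\x01" + b"A" * 40, tag=b"HELLO"),
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:9s} -> {classify(pkt)}")
```

The length-consistency test is the cheap part; in a real sensor you would pair it with the zlib check only after the length fields line up, so that random binary traffic does not cost a decompression attempt per packet.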

The Anti-Spy Protection that's Relevant to Any Business

APT27, whose colorful aliases include LuckyMouse and BRONZE UNION, targets traditionally 'valuable' entities around the world, such as manufacturing companies, defense contractors and governments. Users in an at-risk environment can implement a multi-step defense that covers the usual infection strategies these hackers employ. Scanning e-mail-attached documents and spreadsheets, disabling Office macros, and using strong, unique passwords are some of the general recommendations.

Infection vectors may disguise corrupted files and links with relatively intricate methods, including digital signatures from legitimate organizations that are relevant to the target. Since APT27 also is a noted 'watering hole' style attacker, users should attend to their browser's security as well, for example by allowing JavaScript only on a domain-by-domain basis. Prompt software patching is also essential, since it removes the remote code execution exploits that APT27 has available.

Although attribution isn't definitive, APT27 operates with the resources and discipline of a government-funded group, and rarely deploys tools that a user would notice casually. One particularly unorthodox example is its DLL side-loading technique, in which a legitimately signed Kaspersky AV executable serves as the host process that loads the attackers' malicious DLL. Anti-malware products and related security services, such as firewalls, may help with detecting and removing APT27's threats automatically, or with flagging forged network traffic and other IoCs.

Although predicting what APT27 will do next isn't easy, the chances are good that it will involve taking information that doesn't belong to them. Administrators and workers alike should stay alert to drive-by downloads and unexpected attachments, since the initial infection is the most natural point at which to spot a RAT campaign before the attackers establish persistence.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to APT27 may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.


Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
