
APT27

Posted: May 5, 2020

APT27 is a threat actor that specializes in espionage through deploying custom and third-party RATs, backdoor Trojans and spyware. Their attacks may initiate through fake e-mail documents, watering hole attacks on target-relevant websites, or various means of breaching login credentials remotely. Users should monitor their networks and devices through appropriate anti-malware solutions and always remove threats related to APT27's attacks as soon as possible.

A Master of RATs with a Whole Pack at Its Disposal

Particularly skilled threat actors will make appropriate use of both homebrew-style software and third-party tools, or even standard LOLbin features, to compromise and retain their victims. APT27 offers a multitude of examples of all of these strategies, as an intelligence-harvesting team not dissimilar to China's APT10 or Russia's Turla APT. Victims on the other end of their attacks have limited opportunity to notice anything unusual, since the deployed threats have well-thought-out stealth behavior.

Attacks by APT27 are worldwide, although a campaign in Asia warrants special mention for hacking government websites and turning them into hosts for corrupted JavaScript. The group's routine also stresses long-term control over PCs and networks, with attackers periodically re-checking credentials, data, and system changes over a period of months, and adapting with selective deployments of living-off-the-land utilities, third-party Trojans, or unique 'in-house' threats. In most cases, Trojans related to APT27 will hide in memory through injection and give attackers remote administrative control.

Some samples of especially important Trojans in APT27 attacks include:

  • HyperBro is unique to APT27 and provides Remote Access Trojan (RAT) style features for controlling the PC through a remote interface. SysUpdate is a similar RAT, also only from this group, and deploys in multiple stages. Both Trojans provide file uploading/downloading, a shell for delivering commands, or more specialized attacks, such as taking screenshots.
  • By contrast, Gh0st RAT falls into the same general category as the previous two programs but is an 'open source' program. APT27, however, modifies its code somewhat and uses fake headers to conceal its network traffic. An alternative Trojan with the same 'dark Web' sources is ZxShell.
  • As a third example, China Chopper is uniquely structured so that it does not require a direct C&C connection to the criminals' server. Unlike some similar APT27 tools, it also has a built-in means of propagation: brute-forcing credentials to log into accounts. Such an attack could let APT27 expand its access within networks and to associated devices.
  • The PlugX backdoor Trojan is another 'shared' tool that is often associated with China-based threat actors besides APT27, such as Axiom (APT41).
  • As in the STOP Ransomware and Ekati Ransomware campaigns, Mimikatz also makes an appearance with these attackers. This program is spyware that exfiltrates credentials such as passwords.

This list is illustrative rather than exhaustive, and victims should assume that new attacks will bring further updates as needed for APT27 to maintain an invisible stranglehold on its targets.

The Anti-Spy Protection that's Relevant to Any Business

APT27, whose colorful aliases include LuckyMouse and BRONZE UNION, targets traditionally 'valuable' entities around the world, such as manufacturing companies, defense contractors or governments. Users in an at-risk environment can implement a multi-step approach to defense that will protect against the usual infection strategies that these hackers employ. Scanning e-mail-attached documents and spreadsheets, disabling macros, and using strong passwords are some of the general recommendations.

Infection vectors may disguise corrupted files and links with relatively intricate methods, including digital signatures that refer to legitimate organizations relevant to the target. Since APT27 is also a noted 'watering hole' style attacker, users should also attend to their browser's security and turn off functions like JavaScript on a domain-by-domain basis. Prompt software patching is also essential for reducing the remote code execution exploits available to APT27.

Although its attribution isn't definitive, APT27 operates as the equivalent of a government-funded group, and rarely deploys tools that a user would casually notice. One particularly unorthodox DLL side-loading method, for example, involves APT27 using a variant of Kaspersky AV software. Anti-malware products and related security services, such as firewalls, may help with detecting and removing APT27 threats automatically, or with flagging spoofed traffic and other IoCs.
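As an added defensive example (not code from the original article), the following heuristic flags image-load events that match the DLL side-loading pattern mentioned above: a signed host executable loading an unsigned DLL from its own user-writable directory, or a DLL with a system-library name loaded from outside the Windows system directories. The event shape, paths, product names and the short DLL-name list are all constructed assumptions.

```python
# Added example: heuristic DLL side-loading detection over constructed
# image-load events shaped like a simplified Sysmon Event ID 7 (ImageLoad).
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations a standard user can normally write to (assumption for this demo).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Canonical homes of Windows system DLLs (assumption for this demo).
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"), PureWindowsPath(r"C:\Windows\SysWOW64"))
# Constructed short sample of system DLL names; a real rule would use a fuller catalogue.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll"}

@dataclass(frozen=True)
class ImageLoad:
    image: str           # executable that performed the load
    image_signed: bool   # host binary carries a valid Authenticode signature
    loaded: str          # DLL that was mapped into the process
    loaded_signed: bool  # DLL carries a valid signature

def is_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)

def side_load_findings(events):
    """Return (image, loaded, reason) for loads that look like side-loading.

    Only signed hosts loading unsigned DLLs are considered: the technique abuses
    the trust placed in a legitimate signed binary. A fuller rule would also
    compare signers when the DLL is signed by someone other than the host's vendor.
    """
    findings = []
    for ev in events:
        if not ev.image_signed or ev.loaded_signed:
            continue
        host, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.loaded)
        if dll.name.lower() in SYSTEM_DLL_NAMES and dll.parent not in SYSTEM_DIRS:
            findings.append((ev.image, ev.loaded, "system DLL name loaded from non-system directory"))
        elif host.parent == dll.parent and is_user_writable(ev.loaded):
            findings.append((ev.image, ev.loaded, "unsigned DLL beside signed host in user-writable directory"))
    return findings

# Constructed sample events (fictional paths and product names).
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\VendorAV\vendorav.exe", True, r"C:\Program Files\VendorAV\vendorav.dll", True),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\vendorav.exe", True, r"C:\Users\bob\AppData\Local\Temp\vendorav.dll", False),
    ImageLoad(r"C:\Users\bob\Downloads\tool.exe", True, r"C:\Users\bob\Downloads\version.dll", False),
    ImageLoad(r"C:\Windows\System32\svchost.exe", True, r"C:\Windows\System32\version.dll", True),
]

if __name__ == "__main__":
    for image, loaded, reason in side_load_findings(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {loaded}")
```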

Although predicting what APT27 will do next isn't easy, the chances are good that it will involve taking information that doesn't belong to them. Administrators and workers, in general, should always stay alert to possible drive-by downloads, which are the most natural point at which to spot a RAT campaign.
