China Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/china/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Feed last updated: Fri, 05 Jan 2024 02:59:49 +0000

Qilin Ransomware Focuses on VMware ESXi Servers
https://gridinsoft.com/blogs/qilin-ransomware-vmware-esxi/
Tue, 05 Dec 2023 14:50:06 +0000

In a disturbing development, security researchers have uncovered a Linux version of the Qilin ransomware gang’s encryptor, specifically tailored to target VMware ESXi servers. This encryptor is one of the most advanced and customizable Linux encryptors observed.

Qilin Targets VMware ESXi

Today, more and more businesses are adopting virtualization technologies for server hosting. For example, VMware ESXi has become popular due to its effectiveness. However, attackers have quickly adapted to this trend and developed specialized encryptors to compromise these virtualized servers. While many ransomware operations reuse existing source code, others build encryptors specifically for Linux servers. A recent discovery revealed a Linux ELF64 encryptor for Qilin, highlighting its adaptability across Linux, FreeBSD, and VMware ESXi servers.

Image: The list of command line options for Qilin ransomware

Qilin’s encryptor has embedded configurations that dictate the file extension, process termination, file inclusion or exclusion, and folder encryption or exclusion. It also places strong emphasis on virtual machines, going beyond mere file encryption. The Qilin encryptor grants threat actors vast customization capabilities. These options range from enabling debug modes and performing dry runs to tailoring the encryption of virtual machines and their snapshots. Moreover, the encryptor allows threat actors to specify a list of virtual machines exempted from encryption.

What is Qilin Ransomware?

Initially launching as Agenda ransomware in August 2022, the Qilin ransomware operation rebranded in September and has been active under its current name since. It is one of the few malware families written in Golang, which may give it some enhanced anti-detection capabilities. Following the typical modus operandi of enterprise-targeting ransomware, Qilin infiltrates networks, exfiltrates data, and subsequently deploys ransomware to encrypt all connected devices. The group’s ransomware operation has maintained a consistent victim count since its inception. However, it has notably intensified its activities in late 2023. Employing double-extortion tactics, the threat actors leverage stolen data and encrypted files to coerce victims into meeting ransom demands.

As for targets, Qilin opts for enterprises and high-value companies. It focuses on organizations in the healthcare and education sectors in Africa and Asia. The threat actors gain initial access using spear phishing and known exploitable applications and hardware, such as Citrix and Remote Desktop Protocol (RDP). The encryption setting supports several encryption modes that the ransomware operator can configure.

Safety Recommendations

Here are a few ways to identify and guard against Agenda (now Qilin) ransomware in your network:

  • Employee Education & Training. The most effective method is to train employees in the basics of cyber hygiene. Forewarned is forearmed.
  • Data Backup. The next measure is to back up your data regularly, offline if possible. Offline copies cannot be corrupted by the ransomware and allow the data to be restored without much effort.
  • Security Tools. We recommend using security tools that use signatures, heuristics, or AI algorithms to identify and block suspicious files or activities. Such tools can detect and block known ransomware variants.
  • Network Traffic. Monitoring network traffic for any signs of compromise, such as unusual traffic patterns or communication with known command-and-control servers, allows the detection of suspicious activity.
  • Security Audits. We recommend regular security audits and assessments to identify network and system vulnerabilities and maintain up-to-date protection.

PlugX malware attacks European diplomats
https://gridinsoft.com/blogs/plugx-malware-europe/
Thu, 06 Jul 2023 15:20:18 +0000

Over the past few months, researchers have been monitoring the activity of a Chinese threat actor using PlugX malware to target foreign and domestic policy entities and embassies in Europe. This is part of a broader trend of Chinese-based groups increasingly focusing on European entities, particularly their foreign policy. The countries most targeted in this campaign are Central and Eastern European countries such as Slovakia, the Czech Republic, and Hungary. The key goal of these attacks is likely to obtain sensitive information about their foreign policies. The UK is the only country outside Central or Eastern Europe targeted so far.

HTML smuggling as a method to bypass network detection

The PlugX activity targets foreign policy entities in Europe, mainly Eastern Europe, by using HTML Smuggling. HTML Smuggling is a method used by hackers to conceal harmful payloads within HTML documents. The SmugX email campaign uses HTML Smuggling to download a JavaScript or a ZIP file. This creates a long infection chain that ultimately results in the victim being infected with PlugX.

Image: Scheme of HTML smuggling

Adversaries have used HTML smuggling for a while. Still, it has become more common since Microsoft blocked other popular methods of sneaking malware onto systems, such as blocking macros in Word documents by default.

HTML smuggling employs HTML5 attributes that work offline, storing the binary as an immutable blob of data within JavaScript code so that no file is fetched over the network.
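Because the file is assembled inside the browser from an embedded blob, a mail gateway or sandbox can recognise the pattern in the HTML attachment itself rather than waiting for a download. The Python script below is an added example for that check; it is not code from Gridinsoft or from the researchers who reported SmugX. The indicator regexes, the 200-character base64 threshold, and both sample pages are constructed assumptions for this illustration (the "payload" in the sample is an inert zero-filled buffer with a ZIP magic prefix).

```python
import base64
import re

# Indicator regexes for HTML smuggling. The page describes the mechanism (a binary
# stored as an immutable blob inside JavaScript and handed to the browser as a
# download); this indicator set is this example's own assumption, not a vendor list.
INDICATORS = {
    "blob_constructor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"""\.download\s*=|\bdownload\s*=\s*["']""", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob", re.I),
    "programmatic_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}
# A quoted base64 literal this long is the smuggled file itself (threshold assumed).
BASE64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{200,}={0,2})["']""")


def classify_payload(b64: str) -> str:
    """Decode the embedded literal and identify it by its magic bytes."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "undecodable"
    if raw.startswith(b"PK"):
        return "zip"
    if raw.startswith(b"MZ"):
        return "pe"
    return "unknown"


def scan_html(html: str) -> dict:
    """Return the indicators found and whether they form the smuggling pattern."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    payload_kind = None
    literals = BASE64_LITERAL.findall(html)
    if literals:
        hits.add("embedded_base64_payload")
        payload_kind = classify_payload(literals[0])
    # Legitimate pages use single indicators all the time (an <a download> link to
    # a report, a client-side CSV export). The smuggling pattern is client-side
    # assembly of the file PLUS a download trigger, or assembly of an embedded blob.
    assembly = hits & {"blob_constructor", "object_url", "ms_save_blob"}
    trigger = hits & {"download_attr", "programmatic_click"}
    suspicious = bool(assembly) and (bool(trigger) or "embedded_base64_payload" in hits)
    return {"indicators": sorted(hits), "suspicious": suspicious, "payload_kind": payload_kind}


# Constructed sample inputs (not real campaign artifacts).
SMUGGLED_PAYLOAD_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 200).decode()

SMUGGLING_SAMPLE = f"""<html><body>
<script>
  var blob = new Blob([atob("{SMUGGLED_PAYLOAD_B64}")]);
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob);
  a.download = "Document.zip";
  a.click();
</script>
</body></html>"""

BENIGN_SAMPLE = """<html><body>
<p>Quarterly report</p>
<a href="/files/report.pdf" download="report.pdf">Download the PDF</a>
<script>document.getElementById("menu").addEventListener("click", function () {});</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("smuggling", SMUGGLING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_html(page))
```

The benign page carries a legitimate `download` attribute and is not flagged; only the combination of in-browser assembly with a download trigger or an embedded blob is. Because the payload is embedded rather than fetched, a proxy that only inspects URLs sees nothing, which is why the check has to run on the attachment content.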

Lure for European politicians

The attackers primarily focused on European domestic and foreign policy, and the lures were mainly aimed at Eastern and Central European governmental organizations.

Image: The SmugX submissions origins

Most of the documents found had content related to diplomacy, with some specifically concerning China and human rights. Furthermore, the names of the files imply that the targets were likely government officials and diplomats.

Image: Screenshots of lure documents with diplomacy-related content

Attack on the European government

The attackers implemented HTML smuggling to enable downloading a JavaScript or ZIP file onto a compromised system. In the case of a ZIP archive, it includes a harmful LNK file that triggers PowerShell. On the other hand, if a JavaScript file is utilized, it will download and activate an MSI file from the attackers’ server.

Once on the system, a DLL decrypts the PlugX malware. This malware can conduct several harmful activities, such as capturing screenshots, logging keystrokes, executing commands, and extracting files. To ensure that the malware remains on the system, a legitimate executable is downloaded and hijacked during the infection process: the malware copies the legitimate program and the DLL into a hidden directory and adds the legitimate program to the Run registry key to maintain persistence.
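The persistence step described above leaves a recognisable footprint: a Run-key entry that points at a legitimate-looking program in a user-writable, hidden folder with a DLL sitting next to it. The Python script below is an added example of checking for that combination from a registry export and a directory listing; it is not code from Gridinsoft or from the SmugX researchers. The `.reg` text, the directory listing (standing in for `Get-ChildItem -Force` output) and the list of trusted roots are constructed assumptions for this illustration.

```python
import ntpath
import re

# Constructed sample export of the per-user Run key, in the format `reg export`
# writes (backslashes and quotes are escaped). Not taken from a real infected host.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\.svc\\legit_tool.exe\""
'''

# Constructed directory listing: path -> hidden attribute and the files found there.
DIRECTORY_LISTING = {
    r"C:\Program Files\Microsoft OneDrive": {"hidden": False, "files": ["OneDrive.exe", "FileSync.dll"]},
    r"C:\Users\alice\AppData\Roaming\.svc": {"hidden": True, "files": ["legit_tool.exe", "legit_tool.dll"]},
}

# Locations a standard user cannot write to; an autorun that lives elsewhere is
# worth a second look (assumption: a default install with no relocated system dirs).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_run_values(reg_text: str) -> dict:
    """Map value name -> unescaped command for every value under a ...\\Run key."""
    values, in_run_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = VALUE_LINE.match(line)
        if in_run_key and m:
            name, raw = m.groups()
            values[name] = raw.replace("\\\\", "\\").replace('\\"', '"')
    return values


def executable_path(command: str) -> str:
    """Extract the program path from an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)", command, re.I)
    return m.group(1) if m else command.split()[0]


def audit_run_entries(reg_text: str, listing: dict) -> list:
    """Flag Run entries whose executable sits in a user-writable place AND is
    either in a hidden folder or has a DLL next to it (the pattern described above)."""
    findings = []
    for name, command in parse_reg_run_values(reg_text).items():
        exe = executable_path(command)
        info = listing.get(ntpath.dirname(exe), {"hidden": False, "files": []})
        outside_trusted = not exe.lower().startswith(TRUSTED_ROOTS)
        dll_beside = any(f.lower().endswith(".dll") for f in info["files"])
        reasons = []
        if outside_trusted:
            reasons.append("executable outside Program Files/Windows")
        if info["hidden"]:
            reasons.append("hidden directory")
        if dll_beside:
            reasons.append("DLL stored beside the executable")
        # A user-writable location alone is common (updaters, chat clients), and a
        # DLL beside an executable under Program Files is normal, so neither is
        # enough on its own; OneDrive above is left alone for that reason.
        if outside_trusted and (info["hidden"] or dll_beside):
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_run_entries(REG_EXPORT, DIRECTORY_LISTING):
        print(finding)
```

On a real host the listing would come from enumerating each autorun's directory with hidden files included; the parser is the part that stays the same. A hit is a starting point for triage (hash the executable, check its signer, look at the DLL), not a verdict on its own.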

Is it possible to evade PlugX infection?

Potential targets of such attacks must prioritize defense. After a significant cyber attack, resetting the organization’s cybersecurity approach and posture is recommended. Every organization must reflect on its actions and decisions following such an incident. This should be a lesson not only for governmental services but also for companies.

  • Regularly update the systems. It is essential to regularly update your operating systems, software, and applications with the latest security patches and updates to fix known vulnerabilities.
  • To enhance your security measures, it is necessary to revamp the cybersecurity training provided to government officials.
  • Zero Trust principles play a special role for such organizations and can completely change the state of affairs in security.
  • Implementing strict access controls such as strong passwords, multi-factor authentication (MFA), and role-based access control is essential to prevent unauthorized access to sensitive data and systems.

To minimize the risk of attacks, companies should implement various security measures. These include adopting robust security strategies, such as the Zero Trust model, regularly updating and patching systems, providing thorough security awareness training, implementing strict access controls, segmenting networks, using advanced threat detection tools, regularly backing up data, conducting security assessments, and utilizing third-party security services. By taking these steps, companies can significantly reduce their vulnerability to attacks.

Russian Organizations Under Attack By Chinese APTs
https://gridinsoft.com/blogs/chinese-apts-increasingly-target-russian-organizations/
Fri, 08 Jul 2022 16:03:44 +0000

Unveiling a recent cyber saga, the experts at SentinelLabs have unearthed a menacing digital force, strategically honing in on Russian organizations. In their detective work, they’ve traced the sinister trail back to the notorious Chinese APT group, a revelation corroborated by the vigilant eyes at Ukraine CERT (CERT-UA).

The plot thickens as the adversaries deploy cunning tactics, leveraging phishing emails as Trojan horses, delivering malevolent Office documents armed with Bisonal—the underworld’s go-to Remote Access Trojan (RAT). Like a cyber echo, these same techniques reverberated across borders, targeting unsuspecting victims in Pakistani organizations, a sinister symphony meticulously observed by the sharp minds at SentinelLabs.

In the grand theater of digital warfare, China takes center stage, orchestrating a myriad of campaigns against Russia, a retaliatory crescendo following its invasion of Ukraine.

On June 22nd, 2022, CERT-UA publicly released Alert #4860, which presents several documents built with the Royal Road malicious document builder and crafted to reflect Russian government interests. SentinelLabs specialists further analyzed the CERT-UA report and confirmed the involvement of a Chinese APT group.

Image: One of the malicious documents distributed in the campaign, with a Russian telecom theme – “Пояснительная записка к ЗНИ.doc”
Image: Translation of the previous document example

The malicious activity comes amidst other Chinese attacks against Russia, such as those by Space Pirates, Mustang Panda, and Scarab, but this is a separate cluster of Chinese activity. The specific actor’s identity is unclear so far, although it remains clear that Chinese APT groups aim to target a wide range of different Russian organizations.

Who may be behind the attack?

SentinelLabs specialists speculate that the Tonto Team APT (“Earth Akhlut”, “CactusPete”) group, reported for nearly a decade, might be the potential culprit behind the attacks. However, they emphasize that it is premature to draw definitive conclusions based on the current available data.

“The malicious documents are generally used for the delivery of custom malware, such as the Bisonal RAT, which, as noted by CERT-UA, is unique to Chinese groups, including Tonto Team. Bisonal has a uniquely long history of use and continued development by its creators, such as expanding features for file searching and exfiltration, anti-analysis and detection techniques, and maintaining generally unrestricted system control,” reads a report published by SentinelLabs.

The Tonto Team APT group has also targeted multiple victims across the globe, including targets of particular interest to it in Northeast Asia such as private businesses, critical infrastructure, and governments. The group has shown particular interest in Russian targets over the past years, but specialists have recently observed a significant spike of activity in this direction.

“We assess with high confidence that the Royal Road-built malicious documents, delivered malware, and associated infrastructure are attributable to Chinese threat actors. Based on our observations, there’s been a continued effort to target Russian organizations by this cluster through well-known attack methods – the use of malicious documents exploiting n-day vulnerabilities with lures specifically relevant to Russian organizations,” the researchers also write in the report.

On the whole, the purpose of the attacks seems to be espionage-related, but this is a limited assessment given the researchers’ purely external visibility.
