China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

2023-08-17 15:40

An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems.

"The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons," security researchers Aleksandar Milenkoski and Tom Hegel said in an analysis published today.

Attribution to an exact group remains a challenge due to the interconnected relationships and the extensive infrastructure and malware sharing prevalent among various Chinese nation-state actors.

The ZIP file consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets side-loaded by the executable when started, and an encrypted data file named agent.

Specifically, this entails the use of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables that are susceptible to DLL hijacking to decrypt and execute code embedded in the data file, which implements a Cobalt Strike beacon.

The side-loaded DLL files are HUI Loader variants, a custom malware loader that has been widely used by China-based groups such as APT10, Bronze Starlight, and TA410.

News URL

https://thehackernews.com/2023/08/china-linked-bronze-starlight-group.html

#china #cobalt