
Bronze Starlight Group: A State-Backed Cyber Espionage Campaign Disguised as Ransomware

Ransomware attacks have become a major threat to businesses and organizations around the world, disrupting their operations and demanding hefty ransoms for data recovery. However, not all ransomware attacks are motivated by financial gain. Some of them may be a cover for more sinister objectives, such as stealing sensitive information or conducting espionage.
One such example is the Bronze Starlight Group, a hacking group that has been active since mid-2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. HUI Loader is a custom malware loader that has been widely used by China-based groups such as APT10, Bronze Starlight, and TA410.
Bronze Starlight has been linked to the use of short-lived ransomware families as a smokescreen to conceal its espionage motives. The group deploys ransomware such as LockFile, Atom Silo, Rook, Night Sky, Pandora, and LockBit 2.0 to compromised networks as part of name-and-shame ransomware schemes, and posts victim names to leak sites. However, the ransomware may not be the main goal of the attack, but rather a distraction or a way to destroy evidence.
According to Microsoft, Bronze Starlight is involved in all stages of the ransomware attack cycle right from initial access to the payload deployment. The group abuses Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons. Cobalt Strike is a legitimate penetration testing tool that can be used by attackers to execute commands, move laterally, and exfiltrate data.
The group also uses modified installers for chat applications to download a .NET malware loader that is configured to retrieve a second-stage ZIP archive from Alibaba buckets. The ZIP file consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets side-loaded by the executable when it starts, and an encrypted data file. The data file contains code that implements a Cobalt Strike beacon.
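As an added illustration (not code from the original article or from any vendor tooling), the following defender-side heuristic runs over constructed image-load records and flags the side-loading layout described above: a signed executable loading an unsigned DLL that carries a system DLL name from the executable's own directory. The record fields, sample paths and the DLL name list are assumptions.

```python
# Heuristic detection of DLL search-order hijacking / side-loading.
# Input records mimic Sysmon Event ID 7 (image loaded) fields; all samples are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names Windows normally resolves from the system directory. A copy of one of these
# sitting beside a signed application binary is the classic side-loading layout.
# Illustrative subset only (assumption).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptbase.dll"}


@dataclass
class ImageLoad:
    process_path: str   # host executable that loaded the DLL
    process_signed: bool
    dll_path: str       # DLL that was mapped into the process
    dll_signed: bool


def is_side_load_suspect(ev: ImageLoad) -> bool:
    """True when a signed host loads an unsigned, system-named DLL from its own folder."""
    exe = PureWindowsPath(ev.process_path)
    dll = PureWindowsPath(ev.dll_path)
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    in_system_dir = str(dll.parent).lower() in SYSTEM_DIRS
    looks_like_system_dll = dll.name.lower() in SYSTEM_DLL_NAMES
    return (ev.process_signed and not ev.dll_signed
            and same_dir and not in_system_dir and looks_like_system_dll)


def flag_side_loads(events):
    """Return the subset of image-load events worth an analyst's attention."""
    return [ev for ev in events if is_side_load_suspect(ev)]


# Constructed sample telemetry: one side-load, one normal system load, one benign app DLL.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\update\vendor_app.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\update\version.dll", False),
    ImageLoad(r"C:\Program Files\App\App.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\App\App.exe", True,
              r"C:\Program Files\App\apphelper.dll", False),
]

if __name__ == "__main__":
    for ev in flag_side_loads(SAMPLE_EVENTS):
        print(f"suspect side-load: {ev.process_path} -> {ev.dll_path}")
```

Only the first record is flagged; the second is a normal load from System32 and the third is an application's own unsigned helper DLL that does not impersonate a system library.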
Microsoft researchers have observed Bronze Starlight targeting the Southeast Asian gambling sector with Cobalt Strike beacons. The group may be interested in stealing customer data, financial information, or intellectual property from the gambling industry. The group may also be conducting espionage on behalf of the Chinese government, as gambling is illegal in mainland China and many Chinese nationals travel abroad to gamble.
Bronze Starlight is not the only state-backed hacking group that uses ransomware as a decoy for cyber espionage. Other examples include APT27 (aka Iron Tiger), which deployed LuckyMouse ransomware to cover its tracks after stealing data from government entities in Asia, and APT41 (aka Barium), which used NetWalker ransomware to target healthcare organizations during the COVID-19 pandemic.
The use of ransomware as a smokescreen for cyber espionage poses a serious challenge for defenders, as it complicates the incident response and recovery process. Organisations should not only focus on restoring their encrypted data, but also on investigating the scope and impact of the breach. They should also implement proactive security measures such as patching vulnerabilities, enforcing strong passwords, enabling multi-factor authentication, backing up data regularly, and educating employees on how to spot phishing emails and malicious attachments.
