A security research group has profiled a threat group tracked as Bronze President. The group is reported to be running an extensive cyber espionage campaign against networks in Asia, combining custom code with publicly available exploits and malware in intrusions against government agencies and NGOs.
According to the available reports, the group's activity dates back to 2014, and it is assessed to be operating from the People's Republic of China (PRC). That assessment rests on overlaps between the characteristics of these campaigns (tooling, infrastructure and targeting) and earlier activity attributed to the same operators; it is an analytic judgement rather than a proven fact. What distinguishes the group is its mix of custom tools and publicly available toolkits in planning and executing intrusions. At present the campaign appears to target mainly NGOs, law enforcement and government agencies.
Bronze President uses a range of exploits and techniques to gain a foothold on target networks. Once inside, the operators escalate privileges so that their tooling can act across the whole host. Custom batch scripts are then run for two purposes:
- Information Collection — The scripts gather a profile of the compromised machine (operating system and hardware details, installed software, running processes, network configuration and user accounts) together with data about the victims and their organisations. The profile serves as reconnaissance for further movement and can be reduced to a unique identifier for each compromised host, so the operators can track individual machines across a campaign.
- Security Bypass — A common module in advanced malware. The scripts enumerate running processes and look for those belonging to security products, which could block or remove the malware. Two measures are combined: the main payload is encrypted or packed so that signature scanning does not recognise it, and the identified security processes are terminated before they can inspect it. This is typically aimed at anti-virus engines, host firewalls, and the agents of sandbox and virtual-machine analysis environments. Two points matter for defenders: terminating a protected security process normally requires administrative privileges (which is why the escalation step comes first), and the termination attempt itself, a process-kill command aimed at a well-known security process name, is a reliable detection opportunity.
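To turn the two batch-script behaviours above into something a SOC can hunt for, the following is an added example (not Bronze President's tooling and not any vendor's detection rule) that flags a burst of host-reconnaissance commands and process-kill commands aimed at security products in process-creation telemetry. The log format, the sample lines, and the process names in SECURITY_PROCESSES are constructed assumptions for the example.

```python
"""Detect the two batch-script behaviours in process-creation telemetry:
(1) a burst of distinct host-reconnaissance commands on one host, and
(2) taskkill aimed at a security-product process.

Added example, not Bronze President tooling or a vendor rule. The log
layout, the sample lines and SECURITY_PROCESSES are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executables typical of host profiling by a reconnaissance batch script.
RECON_COMMANDS = {"systeminfo", "ipconfig", "whoami", "tasklist", "netstat",
                  "net", "nltest", "query", "arp", "route"}
# Image names of security / analysis agents (assumed, illustrative only).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe",
                      "ekrn.exe", "avp.exe", "sysmon.exe",
                      "vmtoolsd.exe", "vboxservice.exe"}
RECON_WINDOW = timedelta(minutes=2)   # distinct recon commands within this window
RECON_THRESHOLD = 4                   # ... at or above this count raise an alert

# Constructed line format; a real source would be Sysmon Event ID 1 or 4688.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) host=(?P<host>\S+) '
    r'user=(?P<user>\S+) parent="(?P<parent>[^"]*)" cmd="(?P<cmd>.*)"$')

SAMPLE_LOG = """\
2019-12-02 09:14:03 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="systeminfo"
2019-12-02 09:14:04 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="ipconfig /all"
2019-12-02 09:14:05 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="whoami /all"
2019-12-02 09:14:06 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="tasklist /v"
2019-12-02 09:14:08 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="netstat -ano"
2019-12-02 09:15:40 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="taskkill /F /IM MsMpEng.exe"
2019-12-02 09:15:41 host=WS-01 user=acme\\jdoe parent="cmd.exe" cmd="C:\\Windows\\System32\\taskkill.exe /IM ekrn.exe /F"
2019-12-02 11:02:10 host=WS-02 user=acme\\helpdesk parent="powershell.exe" cmd="ipconfig /release"
2019-12-02 11:40:55 host=WS-02 user=acme\\helpdesk parent="explorer.exe" cmd="taskkill /F /IM notepad.exe"
"""


def parse_log(text):
    """Parse lines into dicts with a datetime 'ts'; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def exe_name(cmd):
    """Base name of the launched executable, lower-cased, without '.exe'."""
    first = cmd.split()[0] if cmd.split() else ""
    base = re.split(r"[\\/]", first)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def taskkill_target(cmd):
    """Image name given to 'taskkill /IM <name>', else None.
    The '/PID' form would need a process-id to image-name lookup (not done here)."""
    if exe_name(cmd) != "taskkill":
        return None
    toks = cmd.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() == "/im":
            return toks[i + 1].lower()
    return None


def find_recon_bursts(events):
    """One alert per host window holding >= RECON_THRESHOLD distinct recon tools."""
    by_host = defaultdict(list)
    for e in events:
        if exe_name(e["cmd"]) in RECON_COMMANDS:
            by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            j = i
            while j + 1 < len(evs) and evs[j + 1]["ts"] - evs[i]["ts"] <= RECON_WINDOW:
                j += 1
            window = evs[i:j + 1]
            distinct = sorted({exe_name(e["cmd"]) for e in window})
            if len(distinct) >= RECON_THRESHOLD:
                alerts.append({"type": "recon_burst", "host": host,
                               "user": window[0]["user"], "ts": window[0]["ts"],
                               "count": len(window), "commands": distinct})
                i = j + 1          # don't re-alert on the same window
            else:
                i += 1
    return alerts


def find_security_kills(events):
    """One alert per taskkill whose /IM target is a known security process."""
    alerts = []
    for e in events:
        target = taskkill_target(e["cmd"])
        if target in SECURITY_PROCESSES:
            alerts.append({"type": "security_process_kill", "host": e["host"],
                           "user": e["user"], "ts": e["ts"],
                           "target": target, "cmd": e["cmd"]})
    return alerts


def detect(text):
    events = parse_log(text)
    return sorted(find_recon_bursts(events) + find_security_kills(events),
                  key=lambda a: a["ts"])


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["ts"], a["type"], a["host"], a.get("target") or a.get("commands"))
```

Counting distinct tools rather than raw events keeps a help-desk script that runs `ipconfig` several times from firing, while the WS-01 sequence (five different profiling commands in five seconds, then two kills of security agents) produces three alerts. Extending the kill check to `net stop` / `sc stop` of security service names is the natural next step.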
The Bronze President Attacks Are Considered Very Dangerous
The latest attacks concentrate on targets in major Asian countries such as Mongolia, India and China. A significant share of the malware samples are delivered through phishing campaigns, in which recipients are manipulated into believing they are looking at a legitimate message from a well-known organisation or web service. The attackers copy the design, text and graphics of the genuine article to produce convincing fakes, delivered by email or hosted on websites, both placed on domain names chosen to sound trustworthy. Beyond the lookalike addresses, the phishing sites may be served over HTTPS with self-signed certificates. The analysed samples use lure messages and documents tailored to recipients working in national security and humanitarian fields.
Given the scale of the attacks and the range of victims, the security analysts assess Bronze President as a likely state-sponsored group. The campaigns are considered high-impact, and because new versions of the tools and custom payloads keep appearing, we anticipate that the number of compromised networks will continue to grow. At present we cannot judge exactly how many hosts are affected or how much damage has been done so far.