China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons

An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems.

Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of short-lived ransomware families as a smokescreen to conceal its espionage motives.

“The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons,” security researchers Aleksandar Milenkoski and Tom Hegel said in an analysis published today.

It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name Operation ChattyGoblin. This activity, in turn, shares commonalities with a supply chain attack that came to light last year leveraging a trojanized installer for the Comm100 Live Chat application to distribute a JavaScript backdoor.

Attribution to an exact group remains a challenge due to the interconnected relationships and the extensive infrastructure and malware sharing prevalent among various Chinese nation-state actors.

The attacks are known to employ modified installers for chat applications to download a .NET malware loader that’s configured to retrieve a second-stage ZIP archive from Alibaba buckets.

The ZIP file consists of a legitimate executable vulnerable to DLL search order hijacking, a malicious DLL that gets side-loaded by the executable when started, and an encrypted data file named agent.data.

Specifically, this entails the use of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables that are susceptible to DLL hijacking to decrypt and execute code embedded in the data file, which implements a Cobalt Strike beacon.

“The loader is executed through side-loading by legitimate executables vulnerable to DLL hijacking and stages a payload stored in an encrypted file,” the researchers pointed out.

SentinelOne said one of the .NET malware loaders (“AdventureQuest.exe”) is signed using a certificate issued to a Singapore-based VPN provider called Ivacy VPN, indicating the theft of the signing key at some point. Digitcert has since revoked the certificate as of June 2023.

The side-loaded DLL files are HUI Loader variants, a custom malware loader that has been widely used by China-based groups such as APT10, Bronze Starlight, and TA410. APT10 and TA410 are said to share behavioral and tooling overlaps with each other, with the former also related to another cluster referred to as Earth Tengshe.

“China-nexus threat actors have consistently shared malware, infrastructure, and operational tactics in the past, and continue to do so,” the researchers said, adding the activities “illustrate the intricate nature of the Chinese threat landscape.”