China-linked Espionage Tools Used in Ransomware Attacks

A ransomware attack involving a toolset associated with China-based espionage actors targeted an Asian software and services company in late 2024. The attackers deployed the RA World ransomware while utilizing espionage tools previously linked to the Chinese threat group Fireant. The attack raised questions about the motivations behind combining espionage techniques with a ransomware campaign.
Affected: Software and services company, government ministries, telecom operators

Key points:

  • Tools linked to China-based espionage were used in a ransomware attack against an Asian company.
  • The attack utilized a variant of PlugX, a backdoor malware associated only with Chinese actors.
  • Attackers compromised various government entities in southeastern Europe and Southeast Asia prior to the ransomware incident.
  • The attack involved exploiting a vulnerability in Palo Alto’s PAN-OS firewall (CVE-2024-0012) to gain access.
  • The same Toshiba executable was used to sideload a malicious DLL that deploys the PlugX variant.
  • A ransom of million was demanded, reduced to million for prompt payment.
  • The relationship between espionage activities and financially motivated ransomware attacks remains unclear.
  • Indicators of compromise (IoCs) were identified, including malicious executables and associated server addresses.

MITRE Techniques:

  • TA0001: Initial Access – Exploiting a known vulnerability in Palo Alto’s PAN-OS (CVE-2024-0012).
  • TA0002: Execution – Sideloading a malicious DLL (toshdpapi.dll) using a legitimate executable (toshdpdb.exe).
  • TA0003: Persistence – Utilizing backdoors through the PlugX variant to maintain access.
  • TA0006: Credential Access – Stealing Amazon S3 cloud credentials from the victim’s Veeam server.
  • TA0010: Exfiltration – Exfiltrating data from the organization’s S3 buckets.
  • TA0040: Impact – Installing RA World ransomware to encrypt the victim’s systems.

Indicators of Compromise:

  • File SHA-256: 7bae7f21bd4adf84eb3cc281fcc3d5fc3d1e47edd0dadd86587ce8ec63df1b8f — toshdpdb.exe
  • File SHA-256: c1e6955acdefa9769a7ae0c1abf54a26e2158154dd6ec07cc71eb06c575193d5 — toshdpapi.dll
  • File SHA-256: 18127cfd08cc49be08714d29e09ec130dcc0b19b7fcddc22c71d28fd245eb1b1 — toshdpapi.dll
  • File SHA-256: 2707612939677e8ea4709ecb4f45953d4a136a9934b6d0c256917383cdaef813 — RA World
  • Domain: plugins.jetbrians[.]net — NPS Proxy C&C
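An added triage helper, not part of the Symantec report, that applies the indicators above to a defender's own inventories: it matches file hashes against the listed SHA-256 values, flags directories where the abused Toshiba loader sits beside a toshdpapi.dll, and matches DNS queries against the refanged C&C domain. The input dictionaries and query lists are supplied by the caller (constructed in the usage below); the report itself gives no expected install path for the loader, so the pairing check is a lead to verify, not a verdict.

```python
import hashlib
from pathlib import PureWindowsPath

# Indicators as printed in the report; hashes are SHA-256, lowercase hex.
IOC_SHA256 = {
    "7bae7f21bd4adf84eb3cc281fcc3d5fc3d1e47edd0dadd86587ce8ec63df1b8f": "toshdpdb.exe (Toshiba loader abused for sideloading)",
    "c1e6955acdefa9769a7ae0c1abf54a26e2158154dd6ec07cc71eb06c575193d5": "toshdpapi.dll (malicious PlugX loader)",
    "18127cfd08cc49be08714d29e09ec130dcc0b19b7fcddc22c71d28fd245eb1b1": "toshdpapi.dll (malicious PlugX loader)",
    "2707612939677e8ea4709ecb4f45953d4a136a9934b6d0c256917383cdaef813": "RA World ransomware",
}
IOC_DOMAINS_DEFANGED = ["plugins.jetbrians[.]net"]  # NPS proxy C&C, defanged as printed

def refang(domain):
    """Turn the report's defanged hostname back into a matchable one."""
    return domain.replace("[.]", ".").lower()

def sha256_file(path):
    """Hash a file on disk in chunks; feeds the {path: digest} input of analyze()."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def analyze(file_hashes, dns_queries):
    """file_hashes: {windows_path: sha256_hex}; dns_queries: iterable of queried names.
    Returns a list of (kind, subject, detail) findings."""
    findings = []
    dirs = {}  # directory -> lowercase basenames, for the sideload pairing check
    for path, digest in file_hashes.items():
        p = PureWindowsPath(path)
        dirs.setdefault(str(p.parent).lower(), set()).add(p.name.lower())
        label = IOC_SHA256.get(digest.lower())
        if label:
            findings.append(("ioc_hash", path, label))
    # Loader and same-named DLL in one directory is the sideloading layout the
    # report describes; legitimate installs pair them too, so verify the DLL.
    for d, names in dirs.items():
        if "toshdpdb.exe" in names and "toshdpapi.dll" in names:
            findings.append(("sideload_pair", d, "verify toshdpapi.dll signature and hash"))
    c2 = {refang(d) for d in IOC_DOMAINS_DEFANGED}
    for q in dns_queries:
        if q.lower().rstrip(".") in c2:
            findings.append(("ioc_domain", q, "NPS proxy C&C"))
    return findings

if __name__ == "__main__":
    # Constructed sample inventory, not data from the report.
    sample = {r"C:\Users\Public\toshdpdb.exe": "0" * 64,
              r"C:\Users\Public\toshdpapi.dll": "c1e6955acdefa9769a7ae0c1abf54a26e2158154dd6ec07cc71eb06c575193d5"}
    for finding in analyze(sample, ["plugins.jetbrians.net.", "www.example.com"]):
        print(finding)
```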


Full Story: https://symantec-enterprise-blogs.security.com/threat-intelligence/chinese-espionage-ransomware