China-linked Espionage Tools Used in Ransomware Attacks

In late 2024, the RA World ransomware was deployed against an Asian software and services company using a toolset previously linked to China-based espionage actors. The intrusion included a custom PlugX backdoor delivered by DLL side-loading through a legitimate Toshiba executable, the same loader chain seen in a run of espionage intrusions against government ministries and telecom operators. The attacker claimed to have gained access by exploiting a known vulnerability in Palo Alto Networks PAN-OS, harvested administrative and cloud credentials, stole data, and then encrypted the network and demanded a substantial ransom.

Affected: Asian software and services company, government ministries, telecom operators

Key points:

  • RA World ransomware was deployed against an Asian software and services company.
  • Tools used in the attack were previously linked to China-based espionage actors.
  • Prior attacks involved classic espionage tactics, focusing on maintaining a presence in targeted organizations.
  • Attackers compromised various government ministries in southeastern Europe and Southeast Asia before the ransomware attack.
  • The attacker claimed to have gained initial access by exploiting a known vulnerability in Palo Alto Networks' PAN-OS firewall software.
  • Administrative and cloud credentials were obtained to facilitate the data theft before encryption.
  • The attacker offered to reduce the ransom payment if made quickly.
  • The combination of espionage tooling with a ransom demand suggests financial gain alongside espionage, which is atypical for China-based state-aligned actors.

MITRE ATT&CK Techniques:

  • T1041 – Exfiltration Over C2 Channel: Data was exfiltrated from Amazon S3 cloud storage after the attacker stole the credentials for it.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTPS was used for command-and-control communications.
  • T1574.002 – Hijack Execution Flow: DLL Side-Loading: The legitimate, signed Toshiba executable toshdpdb.exe was used to load the malicious toshdpapi.dll.
  • T1106 – Native API: Native Windows API functions were used to encrypt and decrypt payloads.
  • T1190 – Exploit Public-Facing Application: The attacker claimed to have exploited a known PAN-OS vulnerability to gain initial access to the network.

Indicators of Compromise:

  • [File] toshdpdb.exe (legitimate, signed Toshiba executable used as the side-loading host)
  • [File] toshdpapi.dll (malicious DLL loaded by toshdpdb.exe)
  • [File] toshdp.dat (encrypted payload decrypted by the side-loaded DLL)
  • [Malware] RA World ransomware
  • [Tool] NPS proxy tool
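The side-loading chain in the technique list and the file indicators above are only useful if they can be turned into a hunt. The following is an added detection example, written for this summary; it is not code from the original page or from Symantec. It walks Sysmon-style event records (EventID 1 process create, 7 image load, 11 file create) and flags toshdpdb.exe loading toshdpapi.dll from outside a vendor directory, toshdpdb.exe running from an unexpected path, and any creation of toshdp.dat. The event shape, the expected Toshiba install directories, and every sample path are assumptions constructed for the example, not telemetry from the incident.

```python
"""Hunt for the toshdpdb.exe -> toshdpapi.dll -> toshdp.dat side-loading chain.

Added example: the event layout mimics Sysmon (EventID 1/7/11) but the records
below are constructed for illustration, not real telemetry from the intrusion.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SIDELOAD_HOST = "toshdpdb.exe"   # legitimate signed Toshiba binary (IOC list)
SIDELOAD_DLL = "toshdpapi.dll"   # malicious DLL it side-loads (IOC list)
PAYLOAD_FILE = "toshdp.dat"      # encrypted payload read by the DLL (IOC list)

# Assumption for this example: a genuine Toshiba install lives under one of
# these directories; the same binary anywhere else is worth a look.
EXPECTED_DIRS = (
    PureWindowsPath(r"C:\Program Files\TOSHIBA"),
    PureWindowsPath(r"C:\Program Files (x86)\TOSHIBA"),
)


@dataclass
class Event:
    event_id: int        # 1 = process create, 7 = image load, 11 = file create
    image: str           # process image path
    target: str = ""     # loaded DLL (7) or created file (11)
    signed: bool = True  # Sysmon 'Signed' field for image loads


def under_expected_dir(path: str) -> bool:
    """True if path sits below one of the vendor directories (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(d in p.parents for d in EXPECTED_DIRS)


def evaluate(events):
    """Return (severity, reason) findings for the side-loading chain."""
    findings = []
    for e in events:
        image_name = PureWindowsPath(e.image).name.lower()
        target_name = PureWindowsPath(e.target).name.lower() if e.target else ""
        if e.event_id == 7 and image_name == SIDELOAD_HOST and target_name == SIDELOAD_DLL:
            # A real Toshiba install loads a signed DLL from the vendor directory;
            # an unsigned copy, or one outside that directory, is the side-load.
            if not e.signed or not under_expected_dir(e.target):
                findings.append(("high", f"{SIDELOAD_HOST} side-loaded {e.target} (signed={e.signed})"))
        elif e.event_id == 11 and target_name == PAYLOAD_FILE:
            findings.append(("medium", f"payload file {e.target} written by {e.image}"))
        elif e.event_id == 1 and image_name == SIDELOAD_HOST and not under_expected_dir(e.image):
            findings.append(("medium", f"{SIDELOAD_HOST} executed from unexpected path {e.image}"))
    return findings


# Constructed sample stream: a benign vendor install followed by the chain
# replayed from a writable directory (paths are invented for the example).
SAMPLE_EVENTS = [
    Event(1, r"C:\Program Files\TOSHIBA\Display\toshdpdb.exe"),
    Event(7, r"C:\Program Files\TOSHIBA\Display\toshdpdb.exe",
          r"C:\Program Files\TOSHIBA\Display\toshdpapi.dll", signed=True),
    Event(1, r"C:\ProgramData\Toshiba\toshdpdb.exe"),
    Event(7, r"C:\ProgramData\Toshiba\toshdpdb.exe",
          r"C:\ProgramData\Toshiba\toshdpapi.dll", signed=False),
    Event(11, r"C:\ProgramData\Toshiba\toshdpdb.exe",
          r"C:\ProgramData\Toshiba\toshdp.dat"),
]

if __name__ == "__main__":
    for severity, reason in evaluate(SAMPLE_EVENTS):
        print(f"[{severity}] {reason}")
```

The benign pair at the top produces no findings; the three events from the writable directory produce one high-severity and two medium-severity hits. In production the same three rules map directly onto Sysmon EventID 1, 7 and 11 queries, and the EXPECTED_DIRS list should be replaced with the paths observed in your own software inventory.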

Full Story: https://www.security.com/threat-intelligence/chinese-espionage-ransomware