BRONZE STARLIGHT Ransomware Operations Use HUI Loader

Since at least 2015, threat actors have used HUI Loader to load remote access trojans (RATs) on compromised hosts. Secureworks® Counter Threat Unit™ (CTU) researchers link two HUI Loader activity clusters exclusively to China-based threat groups. The BRONZE RIVERSIDE threat group is likely responsible for one cluster, which focuses on stealing intellectual property from Japanese organizations. The other cluster involves deployment of LockFile, AtomSilo, Rook, Night Sky, and Pandora post-intrusion ransomware. CTU™ researchers attribute this activity to the Chinese BRONZE STARLIGHT threat group.

The BRONZE STARLIGHT threat group is also suspected of using HUI Loader to deploy Hidden Tear. This threat is a variant of the Hacking Team (previously listed as Tinba) ransomware, which was active in the first half of 2017.

Although the actor behind BRONZE STARLIGHT has not been specifically identified, this group's actions align with those of other Chinese threat actors. BRONZE STARLIGHT's activity focuses on stealing intellectual property from Japanese organizations and taking steps to steal cryptocurrency from victims. The group follows a specific pattern that involves gaining access through spear phishing emails and/or malware implants on compromised laptops. Once inside the internal networks of targeted organizations, BRONZE STARLIGHT can move laterally and attempt further compromises.

HUI Loader is a malware loader that allows threat actors to customize payloads to meet their specific needs. HUI Loader runs on 32-bit Windows hosts and loads malware through an encrypted channel. After identifying an infected host, threat actors usually deploy HUI Loader to retrieve the final payload from a remote server. Ransomware is often delivered using this technique because it lets the threat actors update their binaries as needed. In addition, because the payload is delivered through HUI Loader, no one else can download it from the same server.

Source: BRONZE STARLIGHT Ransomware Operations Use HUI Loader - AlienVault - Open Threat Exchange