Unusual attack linked to Chinese APT group combines espionage and ransomware
Researchers have observed a ransomware actor deploying a variant of the PlugX cyberespionage toolset, traditionally associated with Chinese APT groups, against a medium-sized software and services company in South Asia. This attack, which culminated in the deployment of the RA World ransomware and a $2-million ransom demand, is notable due to the unusual blending of cyberespionage and ransomware tactics, a combination more commonly seen with North Korean threat actors.
According to Symantec researchers, the most plausible explanation is that an individual affiliated with a Chinese espionage group exploited their access to the group’s toolkit for personal financial gain. This theory is supported by the use of a specific PlugX variant previously linked to the Chinese APT group known as Mustang Panda, Earth Preta, Fireant, or PKPLUG.
The PlugX remote access trojan, in use since 2008, has been used almost exclusively by Chinese state-sponsored APT groups. In this incident, the malware was delivered through DLL sideloading: a legitimate, signed Toshiba executable (toshdpdb.exe) was dropped alongside a malicious DLL (toshdpapi.dll) that it loads by name, and Windows resolves that name to the attacker's copy in the application directory before searching the system directories. The DLL then decrypted and executed the PlugX payload from a file named TosHdp.dat in the same location.
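The sideloading chain above is easy to describe and easy to miss in telemetry, so here is a small detector for it, written for this page as an added example (it is not code from the article or from Symantec's report). It runs over constructed Sysmon Event ID 7 style image-load records; only the three file names (toshdpdb.exe, toshdpapi.dll, TosHdp.dat) come from the article, while the directory paths, the "Toshiba Corporation" signer string, the signer and sibling-file fields and the sample events are assumptions made for the example. The generic check (a signed executable loading a co-located DLL that is unsigned or signed by someone else, from outside the Windows directory) is what catches the next loader/DLL pair that is not on any indicator list.

```python
"""Detector for the DLL sideloading pattern described in the article.

Added example, not the article's or Symantec's code. Sample records are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names reported for this incident (loader, sideloaded DLL, encrypted payload).
IOC_LOADER = "toshdpdb.exe"
IOC_DLL = "toshdpapi.dll"
IOC_PAYLOAD = "toshdp.dat"


@dataclass
class ImageLoad:
    """One image-load record (Sysmon Event ID 7 style). Field names are our own."""
    image: str                 # process that mapped the DLL
    image_loaded: str          # DLL that was mapped
    exe_signer: str            # publisher of the process binary, "" if unsigned (assumed enrichment)
    dll_signer: str            # publisher of the DLL, "" if unsigned (assumed enrichment)
    sibling_files: tuple = ()  # other files in the DLL's directory (assumed enrichment)


def in_windows_dir(path: PureWindowsPath) -> bool:
    """True for anything under the Windows directory (System32, SysWOW64, ...)."""
    return any(part.lower() == "windows" for part in path.parts)


def sideload_findings(ev: ImageLoad) -> list[str]:
    """Return reasons this image load looks like sideloading; empty list if benign."""
    exe, dll = PureWindowsPath(ev.image), PureWindowsPath(ev.image_loaded)
    findings = []

    # 1. Exact match on the loader/DLL names reported for this incident.
    if exe.name.lower() == IOC_LOADER and dll.name.lower() == IOC_DLL:
        findings.append(f"known IOC: {IOC_LOADER} loading {IOC_DLL}")

    # 2. Generic: a signed executable pulls a DLL from its own (non-Windows) directory
    #    and that DLL is unsigned or signed by a different publisher. The application
    #    directory is searched before the system directories, which is what sideloading abuses.
    same_dir = exe.parent == dll.parent  # PureWindowsPath compares case-insensitively
    if (same_dir and not in_windows_dir(dll) and ev.exe_signer
            and ev.dll_signer.lower() != ev.exe_signer.lower()):
        findings.append(
            f"signer mismatch: exe by {ev.exe_signer!r}, dll by {(ev.dll_signer or 'unsigned')!r}")
        # 3. Only meaningful next to finding 2: a data blob beside the loader is the usual
        #    place for the encrypted stage that the DLL decrypts and runs (TosHdp.dat here).
        dats = [f for f in ev.sibling_files if f.lower().endswith(".dat")]
        if dats:
            findings.append("staged payload candidate: " + ", ".join(dats))
    return findings


def scan(events: list[ImageLoad]) -> dict[str, list[str]]:
    """Map each suspicious DLL path to its findings."""
    return {ev.image_loaded: f for ev in events if (f := sideload_findings(ev))}


# Constructed sample records: paths, signers and sibling files are assumptions.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\Toshiba\toshdpdb.exe", r"C:\ProgramData\Toshiba\toshdpapi.dll",
              "Toshiba Corporation", "", ("TosHdp.dat",)),          # the chain from the article
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\helper.dll",
              "Vendor Inc", "Vendor Inc"),                           # benign: same publisher
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Windows\System32\kernel32.dll",
              "Vendor Inc", "Microsoft Windows"),                    # benign: system DLL
    ImageLoad(r"C:\Users\Public\update.exe", r"C:\Users\Public\version.dll",
              "Some Vendor", ""),                                    # generic hit, no payload seen
]

if __name__ == "__main__":
    for dll_path, reasons in scan(SAMPLE_EVENTS).items():
        print(dll_path)
        for r in reasons:
            print("  -", r)
```

The signer comparison deliberately ignores whether the DLL's certificate is valid; an attacker can sign a DLL with any cheap certificate, so the question is whether it was signed by the same publisher as the host process, not whether it was signed at all.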
The attacker claimed to have compromised the company’s network by exploiting a known vulnerability (CVE-2024-0012) in Palo Alto's PAN-OS firewall software. After obtaining administrative credentials from the company's intranet and Amazon S3 cloud credentials from its Veeam server, the attacker exfiltrated data before deploying the RA World ransomware.
RA World, initially known as RA Group, emerged in 2023 and has targeted organizations across the US, Europe, and Southeast Asia, with the US being the most affected. The manufacturing sector has been the primary target, followed by transportation, logistics, retail, insurance, pharmaceuticals, and healthcare.
While the fusion of cyberespionage and ransomware operations is rare due to their conflicting objectives, historical precedents exist. Chinese APT41, also known as Winnti, Barium, and Wicked Panda, exemplifies this overlap. Operating under the front company Chengdu 404 Network Technology, APT41 has engaged in both intelligence collection and financially motivated attacks, particularly in the online gaming industry.
North Korean APT groups frequently engage in financially motivated cybercrime to fund the regime, including cryptocurrency theft and ransomware attacks. Similarly, Russian intelligence agencies have increasingly collaborated with cybercriminal groups, particularly since the invasion of Ukraine.
This case highlights the evolving landscape of cyber threats, where financial motivations are increasingly intersecting with state-sponsored cyberespionage efforts.