State-backed gangs used a custom loader to perform espionage attacks

June 28, 2022

A new custom DLL loader, dubbed HUI Loader, was used in recent cyberattack campaigns run by state-backed groups, which deployed five ransomware strains as a cover for their real objective: espionage.

In the campaign covered by this latest report, the HUI Loader let the state-backed attackers remain undetected even after the loader had been launched on a compromised device. Loaders of this kind have one crucial job: fetching and executing further payloads once they are running inside the victim's environment.

The HUI Loader is usually deployed by its operators through abused software programs that are vulnerable to DLL search order hijacking: the loader is dropped under the name of a DLL the program expects, so the program picks it up instead of the genuine library. Once executed on the compromised device, the loader proceeds to launch the main malware payload.

The latest cybercriminal campaign using the custom HUI Loader has been attributed to two China-based groups.

Several state-backed groups, such as Bronze Riverside and Blue Termite, have used the HUI Loader in earlier attacks to deploy remote access trojans (RATs) against their targets. This time, the same custom loader is used to spread ransomware as a distraction from the cyberespionage activity that is the real goal.

Security researchers have attributed the latest campaign to Chinese-speaking groups, including Bronze Riverside and Bronze Starlight. According to the research on the two threat groups, Bronze Riverside specialises in stealing intellectual property from Japan-based victims, while Bronze Starlight likewise focuses on intellectual property theft and espionage.

Previously recorded victims of Bronze Starlight include a US media outlet, the aerospace and defence division of an Indian organisation, Japanese manufacturers, and Brazilian pharmaceutical firms. The group uses the HUI Loader to launch Cobalt Strike beacons and establish a connection to its command-and-control (C2) server, which then leads to the execution of ransomware payloads.

The five ransomware strains deployed in the campaigns are LockFile, AtomSilo, Night Sky, Rook, and Pandora. The researchers explained that the threat groups' builds of these ransomware variants derive from two different code bases: one shared by LockFile and AtomSilo, and one shared by Rook, Night Sky, and Pandora.

An upgraded version of the HUI Loader was also identified last March; it uses the RC4 stream cipher to decrypt its payload. The loader's operators also extended its code to attempt to disable Event Tracing for Windows (ETW) and Antimalware Scan Interface (AMSI) checks, and to tamper with Windows API calls.
