New cyber security research points to a new threat actor of Chinese origin. It has been linked to a series of 10 attacks targeting Russia, the United States, Canada, Belarus, and Mongolia from January to July 2021. The attacks deployed a remote access trojan (RAT) on infected systems, researchers said.

These cyber attacks have been attributed to an advanced persistent threat named APT31 (FireEye), which is tracked by the cybersecurity community under the monikers Judgement Panda (CrowdStrike), Zirconium (Microsoft), and Bronze Vinewood (Secureworks).

According to FireEye, APT31 is a “China-nexus cyber espionage actor focused on obtaining information that can provide the Chinese government and state-owned enterprises with political, economic, and military advantages”.

According to a report from Positive Technologies, hackers used a new malware dropper to facilitate the attacks, including the retrieval of next-stage encrypted payloads from a remote command-and-control server, which are subsequently decoded to execute the RAT.

The malicious code can also download additional malware, putting affected victims at greater risk. Alongside its file operations, it uploads sensitive data to its server and then deletes itself from the compromised machine.

“The code for processing the [self-delete] command is particularly intriguing: all the created files and registry keys are deleted using a bat-file,” said Positive Technologies researchers Denis Kuvshinov and Daniil Koloskov.
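A defender-side check for the cleanup behaviour described in that quote, added here as an example and not code from Positive Technologies or from the report: it parses process-creation log lines, picks out those where cmd.exe launches a .bat file, and classifies what the script removes (files, registry keys, itself), alerting when a script both removes registry keys and deletes itself. The log format, hostnames, file paths, registry value name and batch contents are all constructed for the example and are not indicators from the report.

```python
import re

# Constructed sample process-creation log lines in a key=value style (not taken from the report).
SAMPLE_EVENTS = [
    'ts=2021-06-02T10:14:03Z host=WS-07 pid=4120 image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c C:\\Users\\Public\\Temp\\clean_ab12.bat"',
    'ts=2021-06-02T10:14:09Z host=WS-07 pid=4131 image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe readme.txt"',
    'ts=2021-06-02T10:15:40Z host=WS-07 pid=4150 image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c C:\\Users\\alice\\build.bat"',
]

# Constructed contents of the two .bat files the events reference (hypothetical paths and names).
# The first mimics the cleanup pattern the researchers describe: created files and registry
# keys are removed, then the script removes itself. The second is ordinary developer activity.
SAMPLE_BAT_CONTENTS = {
    "C:\\Users\\Public\\Temp\\clean_ab12.bat": "\r\n".join([
        "@echo off",
        'del /f /q "C:\\Users\\Public\\Temp\\upd_svc.exe"',
        'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v UpdSvc /f',
        'del /f /q "%~f0"',
    ]),
    "C:\\Users\\alice\\build.bat": "\r\n".join(["@echo off", "msbuild proj.sln /t:Rebuild"]),
}

_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_BAT_RE = re.compile(r'(?i)\bcmd(?:\.exe)?\s+/[ck]\s+"?([^"\s]+\.bat)"?')
_DEL_RE = re.compile(r'(?im)^\s*(?:del|erase)\b')
_REG_DEL_RE = re.compile(r'(?im)^\s*reg(?:\.exe)?\s+delete\b')
_SELF_DEL_RE = re.compile(r'(?im)^\s*(?:del|erase)\b.*%~f0')  # %~f0 expands to the script's own path


def parse_event(line):
    """Parse one key=value log line into a dict; quoted values may contain spaces."""
    return {k: (q if q else u) for k, q, u in _KV_RE.findall(line)}


def bat_from_cmdline(cmdline):
    """Return the .bat path launched through 'cmd /c' or 'cmd /k', or None."""
    m = _BAT_RE.search(cmdline)
    return m.group(1) if m else None


def bat_indicators(content):
    """Classify what a batch script removes: files, registry keys, and/or itself."""
    found = set()
    if _DEL_RE.search(content):
        found.add("deletes_files")
    if _REG_DEL_RE.search(content):
        found.add("deletes_registry")
    if _SELF_DEL_RE.search(content):
        found.add("deletes_self")
    return found


def detect_cleanup_bats(events, bat_contents):
    """Flag process-creation events whose .bat removes registry keys AND deletes itself."""
    alerts = []
    for line in events:
        ev = parse_event(line)
        bat = bat_from_cmdline(ev.get("cmdline", ""))
        if bat is None:
            continue
        inds = bat_indicators(bat_contents.get(bat, ""))
        if {"deletes_registry", "deletes_self"} <= inds:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"),
                           "pid": ev.get("pid"), "bat": bat, "indicators": sorted(inds)})
    return alerts


if __name__ == "__main__":
    for alert in detect_cleanup_bats(SAMPLE_EVENTS, SAMPLE_BAT_CONTENTS):
        print(alert)
```

In a real deployment the batch contents would come from a file-creation sensor or a pre-deletion capture rather than a dictionary, since the script removes itself: the detection value lies in pairing the process-creation event with the script body before it disappears, and in treating "reg delete plus self-delete" as a higher-fidelity signal than either alone.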

What is most interesting are the malware’s similarities to a trojan named DropboxAES RAT, which was used by APT31 in 2020 and relies on Dropbox for its command-and-control (C2) communications. The researchers found numerous overlaps in the techniques used to inject the attack code, achieve persistence, and delete the espionage tool. “The revealed similarities with earlier versions of malicious samples described by researchers, such as in 2020, suggest that the group is expanding the geography of its interests to countries where its growing activity can be detected, Russia in particular,” concluded the researchers.