APT27 group uses the HyperBro remote access trojan to inject backdoors into victim’s network
The German Federal Office for the Protection of the Constitution has warned of ongoing attacks coordinated by the Chinese cyberattack group APT27 (also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger and LuckyMouse).
The malicious campaign targets German commercial organizations where the attackers use the HyperBro remote access trojan to inject backdoors into the victims’ network. HyperBro allows hackers to persist on victim networks by acting as an in-memory backdoor with remote administration capabilities. The threat group’s goal is to steal sensitive information as well as attempt to target their victims’ customers in supply chain attacks.
APT27 exploited a vulnerability in Zoho ManageEngine ADSelfService Plus (CVE-2021-40539) from March 2021 until mid-September last year, and from October 25 the group began exploiting a vulnerability in ServiceDesk (CVE-2021-44077). The attackers also exploited the known ProxyLogon vulnerabilities in Microsoft Exchange Server 2013, 2016 and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) to deliver HyperBro.
As per the available information, during the campaign, the group successfully compromised at least nine organizations from critical sectors around the world, including defense, healthcare, energy, technology and education.
The techniques used by APT27 with HyperBro include:
T1071.001: Application Layer Protocol: Web Protocols
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1106: Native API
T1055: Process Injection
T1113: Screen Capture
T1007: System Service Discovery
T1569.002: System Services: Service Execution
Patch Link
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065