Bronze Butler – Espionage on a Plate

Bronze Butler, a cyber espionage group believed to have Chinese origins, has been engaged in activities since at least 2008.

There is evidence suggesting a strong association between the group and the Chinese National University of Defense and Technology, which may have connections to the PLA (People’s Liberation Army).

Although China has many state-sponsored groups, on this blog I decided to focus on Bronze Butler for two reasons: the first, the cool cover I can create for the blog, of course; the second, since I had not heard about them, it is a great opportunity to learn about a new threat actor.

Victimology

This threat actor focuses on infiltrating organizations in critical infrastructure, heavy industry, manufacturing, and international relations sectors with the intention of conducting espionage.

The group’s attacks primarily target the political, media, and engineering sectors.

In addition, looking at the countries Bronze Butler has targeted, most attacks take place in Japan, Taiwan, Hong Kong, and the United States.

Attack Patterns

In most of its campaigns, Bronze Butler uses spear-phishing emails and compromised websites to infect new waves of victims.

The group is highly selective in its approach and only appears to deploy its full range of tools once it establishes that the compromised organization is an intended target.

The group, also tracked as Tick, additionally uses a range of hacktools to map the victim's network and attempt to escalate privileges further.

Daserf Backdoor

One of the group's most common malware families is Daserf, a custom-developed backdoor used in the group's cyberespionage campaigns.

Once installed, it establishes a remote connection to Bronze Butler's command and control server, giving the threat group access to the compromised computer and network.

Post Infection

Once the malware is installed, the lateral movement and privilege escalation phases are initiated.

Although the group is fairly sophisticated, it uses popular tools such as Mimikatz and Living-off-the-Land tools as part of its campaigns.

Command and Control

In some cases, Bronze Butler uses compromised infrastructure as its C&C, although in most cases it relies on its own planned and maintained infrastructure.

Most of the group's C&C servers are alive for only a couple of days before each attack and go offline shortly after a campaign is fully executed.

The communication between the malware and the C&C infrastructure is also fairly unusual, in that the malware varies the request URL by picking a value at random from a predefined list.

Famous Attack

In July 2015, the group compromised three different Japanese websites with a Flash exploit to mount watering hole attacks.

Visitors to these websites were infected with a downloader known as Gofarer, which collects information about the compromised computer and then downloads and installs Daserf.

In addition, the group also exploited a Microsoft Office document vulnerability, CVE-2014-4114, in this campaign.

Conclusions

Although China has more popular threat groups in its arsenal, I found Bronze Butler pretty interesting. There is a solid chance that the group has merged with another group and is today operating under a different unit/group.

Evidence suggests that the group's latest campaign was around 2019, although I am fully convinced they are still operating these days as well.