A cyber-espionage threat actor believed to operate from China relies on publicly available tools for its activities; the source code for some of them was released as early as 2007.

Known by different names (APT27, Bronze Union, Emissary Panda, Threat Group 3390, Lucky Mouse, ZipToken, and Iron Tiger), the group has been active since at least 2013 and is interested in collecting data from political, technology, manufacturing, and humanitarian organizations.

The group is known for hacking a data center belonging to a Central Asian country and compromising government websites, and for leveraging routers to carry out its activities.

Researchers at SecureWorks Counter Threat Unit (CTU) noticed that in 2017 and 2018 the threat actor used a vast collection of tools. Even though some of them were created over a decade ago, Bronze Union added code of its own to update them for modern operations.

Old RATs can still do the trick

One of the utilities the researchers say was used by the Bronze Union group last year is ZxShell - a remote access tool (RAT) whose source code was released in 2007 by its creator, someone called "LZX."

"Although various threat actors have created different variations of the RAT, the version used by BRONZE UNION in 2018 contained some previously unobserved properties," SecureWorks notes in a report shared with BleepingComputer.

The update from the China-linked threat actor included a packet redirection tool called HTran and was signed with certificates from Hangzhou Shunwang Technology and its 2013 acquisition Shanghai Hintsoft.

[Figure: Bronze Union session]

Another utility, also serving Bronze Union's remote access needs, is Gh0st RAT, whose source code became public in mid-2008. Several variants emerged soon after, but SecureWorks CTU believes the threat actor deployed its own modified version in a campaign in 2018.

One of the changes was to the headers of the RAT: randomizing the Gh0st RAT identifier, which served to keep communication with the command and control (C2) server under the radar by obfuscating the network traffic so that it appears to come from a different origin.
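The following is an added example, written for this article and not code from SecureWorks or from the Gh0st RAT project, showing why swapping the five-byte "Gh0st" marker defeats a signature match but not a structural one. It assumes the publicly known Gh0st packet layout (5-byte marker, 4-byte little-endian total length, 4-byte little-endian uncompressed length, zlib-compressed body); the payloads and the substitute marker are constructed test data, and the page does not say what marker values the Bronze Union variant actually used.

```python
import struct
import zlib

GHOST_MAGIC = b"Gh0st"
HEADER_LEN = 13  # 5-byte marker + 4-byte total length + 4-byte uncompressed length


def build_ghost_packet(payload: bytes, magic: bytes = GHOST_MAGIC) -> bytes:
    """Construct a Gh0st-style packet for testing (not captured traffic)."""
    assert len(magic) == 5, "Gh0st marker is always five bytes"
    compressed = zlib.compress(payload)
    total_len = HEADER_LEN + len(compressed)
    return magic + struct.pack("<II", total_len, len(payload)) + compressed


def matches_magic(packet: bytes) -> bool:
    """Naive signature: the default marker at the start of the packet."""
    return packet[:5] == GHOST_MAGIC


def matches_structure(packet: bytes) -> bool:
    """Structural detection: ignore the marker bytes and validate the framing.

    The length fields must agree with the packet size, the body must be a
    zlib stream, and inflating it must yield the declared uncompressed size.
    """
    if len(packet) < HEADER_LEN + 2:
        return False
    total_len, uncompressed_len = struct.unpack("<II", packet[5:HEADER_LEN])
    if total_len != len(packet):
        return False
    body = packet[HEADER_LEN:]
    if body[0] != 0x78:  # zlib CMF byte for deflate with a 32K window
        return False
    try:
        inflated = zlib.decompress(body)
    except zlib.error:
        return False
    return len(inflated) == uncompressed_len


def classify(packet: bytes) -> str:
    """Return which detector (if any) flags the packet."""
    if matches_magic(packet):
        return "signature"
    if matches_structure(packet):
        return "structural"
    return "none"


# Constructed sample traffic: a stock packet, one with a randomized marker,
# and an unrelated HTTP request that neither detector should flag.
STOCK_PACKET = build_ghost_packet(b"beacon:host=WORKSTATION-01;os=win")
RANDOMIZED_PACKET = build_ghost_packet(b"beacon:host=WORKSTATION-01;os=win", magic=b"xQ7zL")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("stock", STOCK_PACKET), ("randomized", RANDOMIZED_PACKET), ("http", HTTP_REQUEST)]:
        print(f"{name}: {classify(pkt)}")
```

The structural check trades precision for resilience: any protocol that frames zlib streams with a pair of length fields could match it, so in production it belongs behind a flow-level filter (for example, applied only to the first packet of a connection) rather than on every segment.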

[Figure: Gh0st RAT network traffic]

The researchers note that even though the actor's proprietary remote access tools typically have the advantage of low detection rates, they are mostly used during the first stages of the attack. Once persistent network access is achieved, the adversary seems to rely on publicly available code adapted for its mission.

This tactic may be motivated by the need to keep researchers guessing about who is behind an attack. The threat actor may also adapt its tools to the challenges of a particular intrusion.

"During complex intrusion scenarios, the threat actors leverage their proprietary tools, which offer custom functionality and lower detection rates," the researchers say.