According to Secureworks Counter Threat Unit (CTU) researchers, Bronze President is changing its targeting in response to the political situation in Europe and the war in Ukraine. The threat group has primarily focused on Southeast Asia and is now targeting Russian-speaking users and European entities. CTU believes Bronze President is gathering political and economic intelligence valuable to the People’s Republic of China (PRC), and the changed focus reflects updated intelligence collection requirements.
Secureworks analysed a malicious executable file in March 2022, which masqueraded as a Russian-language document that was alleged to be from the European Commission. The fake document claimed to address migratory pressure and asylum applications in countries that border Belarus (Lithuania, Latvia, and Poland) and discussed European Union (EU) sanctions against Belarus at the beginning of March 2022.
The filename references Blagoveshchensk, a Russian city close to the China border and home to the 56th Blagoveshchenskiy Red Banner Border Guard Detachment. This connection suggests that the filename was chosen to target officials or military personnel familiar with the region. Once the malware, named PlugX, is installed, it provides access to the compromised host to extract sensitive system information, upload and download files, and execute a remote command shell.
The full filename was "Blagoveshchensk - Blagoveshchensk Border Detachment.exe", and the file uses a PDF icon. Because Microsoft Windows hides file extensions by default, many users would take the file for a PDF document.
The executable displays a decoy document while downloading additional files from a staging server at IP address 220.127.116.11. The document is written in English and appears legitimate. CTU researchers do not know the original source of the document or why a file with a Russian-language name displays an English-language document.
The other three files downloaded from the staging server follow the China-based Bronze President threat group's established use of DLL search order hijacking to execute PlugX payloads. The executable pings Google's public DNS service with the -n 70 option (70 echo requests) to introduce a delay before executing a signed file.
The legitimate signed file originates from UK-based Global Graphics Software Ltd and is vulnerable to DLL search order hijacking. It imports a malicious DLL loader, DocConvDll.dll, which exports eight functions, several of which have seemingly random names and contain no useful instructions. The only export called by the parent executable is createSystemFontsUsingEDL.
This function loads, decrypts, and executes FontLog.dat. The .dat sample obtained by CTU researchers was corrupt, but based on similar campaigns the file is likely a PlugX payload. Analysis of the loader indicates that the malware creates a directory structure under C:\ProgramData\Fuji Xerox\Fonts\ and then copies the three files that side-load and execute the payload into this directory.
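As an added defender-side example (not from the Secureworks report), the following Python hunts constructed Sysmon-style events for the two observable behaviours described above: a long `ping -n` delay and an unsigned DLL loaded from its host executable's own directory under a user-writable path. The 8.8.8.8 ping target, the signed host binary's file name and the event field layout are assumptions; only the Fuji Xerox\Fonts directory and DocConvDll.dll come from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry, loosely modelled on Sysmon process-create
# (id 1) and image-load (id 7) events. Not real captured data.
# "signed_host.exe" is an assumed name; the report does not name the binary.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 70 8.8.8.8"},                      # assumed target
    {"id": 1, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping -n 4 intranet.example"},              # benign, short
    {"id": 7, "image": r"C:\ProgramData\Fuji Xerox\Fonts\signed_host.exe",
     "loaded": r"C:\ProgramData\Fuji Xerox\Fonts\DocConvDll.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
]

PING_RE = re.compile(r"(?i)\bping(?:\.exe)?\b.*?-n\s+(\d+)")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")

def ping_delay(event, min_count=60):
    """Return the -n count when ping is used as a long sleep, else None."""
    if event.get("id") != 1:
        return None
    m = PING_RE.search(event.get("cmdline", ""))
    if m and int(m.group(1)) >= min_count:
        return int(m.group(1))
    return None

def sideload_candidate(event):
    """True when an unsigned DLL is loaded from the process's own directory
    and that directory is user-writable: the shape of a search order hijack."""
    if event.get("id") != 7 or event.get("signed"):
        return False
    exe, dll = PureWindowsPath(event["image"]), PureWindowsPath(event["loaded"])
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    writable = str(exe).lower().startswith(USER_WRITABLE)
    return same_dir and writable

def hunt(events):
    """Run both checks over a stream of events and return human-readable findings."""
    findings = []
    for e in events:
        n = ping_delay(e)
        if n:
            findings.append(f"ping delay of {n} probes: {e['cmdline']}")
        if sideload_candidate(e):
            findings.append(f"possible side-load: {e['image']} loaded {e['loaded']}")
    return findings

if __name__ == "__main__":
    print("\n".join(hunt(EVENTS)))
```

The generic same-directory check catches the pattern even when the directory or DLL name differs from this campaign; the Fuji Xerox\Fonts path can be added as a higher-confidence indicator on top.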
The staging server 18.104.22.168 hosts the zyber-i . com domain, which has been implicated in a broad PlugX campaign targeting European diplomatic entities. The domain was hosted on 22.214.171.124 from March 2-13, when it served a similarly named set of files used for DLL search order hijacking. A third-party report links the campaign to the locvnpt . com domain. Another report associates the locvnpt . com domain with attacks in 2020 against the Vatican that CTU researchers attribute to Bronze President. That 2020 campaign also used customised decoy documents and downloaded PlugX .dat files that were loaded through DLL search order hijacking. The locvnpt . com domain was hosted on 2EZ Networks IP address 126.96.36.199 in September 2020, and Bronze President extensively used that company's IP range in a 2020 campaign targeting Hong Kong, Myanmar, and Vietnam.
Bronze President appears to be changing its targeting in response to the political situation in Europe and the war in Ukraine. The threat group has primarily focused on Southeast Asia, gathering political and economic intelligence valuable to the People's Republic of China (PRC). Targeting Russian-speaking users and European entities suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the PRC.
To mitigate exposure to this malware, CTU researchers recommend that organisations use available controls to review and restrict access based on the indicators CTU has identified.