November 22, 2022
Severity
High
Analysis Summary
Emissary Panda – also known as APT27, BRONZE UNION, Iron Tiger, LuckyMouse, TG-3390, and Threat Group-3390 – has been active for more than a decade and remains a capable adversary. This Chinese cyberespionage group targets organizations in the government, defense, aerospace, technology, manufacturing, and energy sectors, and has run espionage campaigns against Turkish organizations and the Middle East. The group deploys malware such as China Chopper, Gh0st, HyperBro, and ZxShell to exploit applications and networks.
APT27 has been using Zoho and Microsoft Exchange vulnerabilities to attack German companies. The exploited vulnerabilities include:
- CVE-2021-40539 – Zoho ManageEngine ADSelfService Plus
- CVE-2021-26855 – Microsoft Exchange
- CVE-2021-26857 – Microsoft Exchange
- CVE-2021-26858 – Microsoft Exchange
- CVE-2021-27065 – Microsoft Exchange
Recently, the threat actors manipulated a code-signing certificate issued by VMPsoft, the company that created the VMProtect packer. According to researchers, the signed file is a loader for the SysUpdate backdoor.
Impact
- Information Theft and Espionage
Indicators of Compromise
MD5
3cfd36f2272eb9a2b2aec525bfb0ccc5
SHA-256
a8527a88fb9a48f043a0b762c7431fb52e601b72ff2fa0d35327e5cc72404edc
SHA-1
af397dda21641faa19fcbd840ff63fc7481c8dd7
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
- Do not enable macros for untrusted files.
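The IOC search recommended above can be automated with a small hash sweep. The following is an added example written for this advisory, not a Rewterz tool: it streams every file under a directory through MD5, SHA-1 and SHA-256 in one pass and reports any digest that appears in the IOC set. The three hashes in `ADVISORY_IOCS` are the ones listed in this advisory; the files written by `demo()` are constructed samples so the scanner can be exercised offline, and the custom IOC set built there is an assumption for the demonstration only.

```python
"""Sweep a directory tree for files whose MD5, SHA-1 or SHA-256 matches a
known IOC list. Added example; not Rewterz tooling."""
import hashlib
import os
import tempfile
from pathlib import Path

# File hashes published in the advisory above (SysUpdate backdoor loader).
ADVISORY_IOCS = {
    "md5": {"3cfd36f2272eb9a2b2aec525bfb0ccc5"},
    "sha1": {"af397dda21641faa19fcbd840ff63fc7481c8dd7"},
    "sha256": {"a8527a88fb9a48f043a0b762c7431fb52e601b72ff2fa0d35327e5cc72404edc"},
}


def _new_hashers():
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def digest_bytes(data: bytes) -> dict:
    """Return {"md5": ..., "sha1": ..., "sha256": ...} for an in-memory blob."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_hashes(path, chunk_size=1 << 20) -> dict:
    """Compute all three digests of a file in a single streamed read, so large
    files are not loaded into memory three times."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_tree(root, iocs=ADVISORY_IOCS) -> list:
    """Walk `root` and return (path, algorithm, digest) for every file whose
    digest is in `iocs`. Unreadable files are skipped rather than aborting
    the sweep, which matters on live systems with locked or vanishing files."""
    wanted = {alg: {d.lower() for d in digests} for alg, digests in iocs.items()}
    matches = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digests = file_hashes(path)
            except OSError:
                continue
            for alg, digest in digests.items():
                if digest in wanted.get(alg, set()):
                    matches.append((path, alg, digest))
    return matches


def demo():
    """Constructed sample run: a benign file and a second file whose SHA-256
    is added to a custom IOC set (assumption for the demo), showing a miss
    against the advisory IOCs and a hit against the custom set."""
    with tempfile.TemporaryDirectory() as tmp:
        benign = Path(tmp) / "notes.txt"
        benign.write_bytes(b"quarterly report draft\n")
        sample = Path(tmp) / "updater.bin"
        sample.write_bytes(b"constructed sample payload, not real malware\n")
        custom_iocs = {"sha256": {digest_bytes(sample.read_bytes())["sha256"]}}
        advisory_hits = scan_tree(tmp)              # expected: none
        custom_hits = scan_tree(tmp, custom_iocs)   # expected: updater.bin via sha256
        return len(advisory_hits), [(Path(p).name, alg) for p, alg, _ in custom_hits]


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at download directories, web roots and temp locations, and extend the IOC dictionary from your own feeds; because lookups are by exact digest, a repacked or re-signed loader will not match, so treat a clean sweep as absence of these specific files, not absence of the actor.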