# BRONZE UNION Cyberespionage Persists Despite Disclosures

**secureworks.com/research/bronze-union**

Counter Threat Unit Research Team

Tuesday, June 27, 2017 By: Counter Threat Unit Research Team

## Summary

[In 2015, the SecureWorks® Counter Threat Unit™ (CTU) research team documented the BRONZE](https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage)
UNION threat group (formerly labeled TG-3390), which CTU™ analysis suggests is based in the People's
Republic of China (PRC). Since that analysis, CTU researchers have observed multiple BRONZE UNION


-----

threat campaigns that illustrate the evolution of the group s methods and espionage objectives. Despite
multiple public disclosures of their activities, BRONZE UNION remains an active and formidable threat as
of this publication.

[CTU researchers divided the threat intelligence about this group into two sections: strategic and](https://www.gartner.com/doc/2487216/definition-threat-intelligence) tactical.
Executives can use the strategic assessment of the ongoing threat to determine how to reduce risk to
their organization's mission and critical assets. Computer network defenders can use the tactical
information gathered from incident response investigations and research to reduce the time and effort
associated with responding to the threat group's activities.

## Key points

CTU researchers assess it is highly likely that the BRONZE UNION threat group gathers defense,
security, and political intelligence from organizations around the world. CTU researchers have
observed it targeting organizations in the aerospace, government, defense, technology, energy, and
manufacturing verticals.
CTU researchers assess it is likely that the group is located in the People's Republic of China.
BRONZE UNION has historically used strategic web compromises (SWCs) in its campaigns, CTU
researchers have also observed it exploiting vulnerable Internet-facing services to gain access to
targeted networks.
After accessing a network, the threat actors leverage a range of proprietary, publicly available, and
native tools to search for and acquire desirable data.

## Strategic threat intelligence

Analysis of a threat group's targeting, origin, and competencies can determine which organizations could
be at risk. This information can help organizations make strategic defensive decisions regarding this
threat.

### Intent

Based on BRONZE UNION's targeting activity, CTU researchers assess it is highly likely that the group
focuses on political and defense organization networks. In 2016, the threat actors conducted a strategic
web compromise (SWC) on the website of an international industry organization that affected aerospace,
academic, media, technology, government, and utilities organizations around the world. During a discrete
period of activity, this SWC was used to specifically target Turkish government, banking, and academic
networks. These focused attacks suggest a concerted effort to compromise strategically significant
networks in Turkey, possibly due to Turkey's political, economic, and military relationships in Europe and
the Middle East.

In addition, BRONZE UNION activity on multiple U.S.-based defense manufacturer networks included the
threat actors seeking information associated with aerospace technologies, combat processes, and naval
defense systems. Third-party [analysis suggests that systemic issues in the PRC’s defense technology](http://www.css.ethz.ch/en/services/digital-library/articles/article.html/6db76427-8c94-4fcd-8ac8-8cf75cfa3815)
industries could influence demand for this type of information because this type of data could potentially
address innovation and supply deficits which exist within this industry sector in the PRC.

### Attribution


-----

In 2015, CTU researchers assessed that BRONZE UNION likely originates in the PRC based on factors
such as targeting, operating hours, and tool selection. Observed activity since 2015 reinforces that
association; for example:

continued focus on information that would be of interest to individuals or groups living in a country
that has a significant manufacturing base and a strategic interest in U.S. military capabilities
use of web shells that have historically been leveraged by threat groups believed to be operating in
the PRC
connections between a subset of the group's operational infrastructure and PRC-based Internet
service companies

### Capability

BRONZE UNION has consistently demonstrated the capability to conduct successful large-scale
intrusions against high-profile networks and systems. CTU researchers identified evidence of the group
exploiting vulnerabilities in Internet-facing service desk software to gain an initial foothold on desirable
networks, while concurrently compromising systems of interest via SWCs. During the observed intrusions,
the group rapidly collected account credentials, escalated privileges, and deployed multiple web shells
presumably to extend its access across the compromised network.

BRONZE UNION is disciplined and takes proactive steps to avoid detection. For example, at the end of
2016 CTU researchers observed the threat actors using native system functionality to disable logging
processes and delete logs within a network. The group also manipulated native Windows features on
compromised systems to access additional legitimate functionality. These behaviors indicate that the
threat actors quickly gain a detailed understanding of the environments they compromise and use this
understanding to conceal their activity from network defenders. Although CTU researchers have observed
BRONZE UNION modifying its tools, likely in response to public reporting on its activities, there is no
evidence that the group's capabilities have changed substantially or that its operations have been
deterred.

## Tactical threat intelligence

Investigating BRONZE UNION activity and evicting the threat actors from compromised networks have
given CTU researchers unique insight into the group's tools and tactics.

### Tools

CTU researchers observed BRONZE UNION using the following tools in intrusions since the 2015
analysis, but clients should assume that the threat group still has access to the previously reported tools.

OwaAuth — This web shell and credential stealer deployed to Microsoft Exchange servers is
installed as an ISAPI filter. Captured credentials are DES-encrypted using the password “12345678”
(see Figure 1), and are written to a text file (log.txt) in the system's root directory.


-----

_Figure 1. Configuration file from OwaAuth.dll. (Source: SecureWorks)_

China Chopper web shell — This web-based executable script communicates with a full-featured
user interface to allow threat actors to transfer and create files, open a command terminal, and
interact with database servers.
Rcmd — This lateral movement tool facilitates the execution of commands on systems across the
target environment.
Wrapikatz — This tool wraps Mimikatz code in a custom loader to evade antivirus detection, and
changes the command-line usage to evade process-telemetry detection and make the tool easier to
use. This tool is not exclusive to BRONZE UNION. CTU researchers have observed various threat
groups leveraging Wrapikatz binaries with different usage options.
[Netview — This publicly available host-enumeration tool presents details about IP addresses,](https://github.com/mubix/netview)
network shares, remote sessions, and logged-on users.
Kekeo — This [publicly available toolset manipulates the Kerberos authentication protocol. CTU](https://github.com/gentilkiwi/kekeo)
researchers identified BRONZE UNION actors using a file named ms.exe that was likely a
credential-abuse tool from the Kekeo toolset.

### Tactics, techniques, and procedures

Observations of BRONZE UNION activity during several network compromises gave CTU researchers
insight into the tactics the group employs.

**Access vectors and command and control**

CTU researchers observed BRONZE UNION delivering malware to systems via SWCs and scan-andexploit techniques. The threat actors appear to be able to create and leverage multiple SWCs in parallel.
They have also demonstrated the ability to create SWCs and malware-staging sites by leveraging
websites linked to networks previously compromised by the group. Apparent overlap between existing
compromises and new campaigns suggests that the group considers leveraging existing network
compromises when planning infrastructure requirements. Figure 2 shows a BRONZE UNION infection
chain leveraging an SWC.


-----

_Figure 2. Likely BRONZE UNION infection chain observed in 2016. (Source: SecureWorks)_

In multiple instances, CTU researchers observed artifacts from unsuccessful attempts to create a web
shell on web-accessible JBOSS-based service desk software, followed by use of a functional shell to gain
access to the environment. These events strongly suggest that the threat actors leveraged the web
application as part of the initial compromise vector.

BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN
services in its command and control (C2) and operational infrastructure. The threat actors also integrate
infrastructure they likely previously compromised for espionage purposes. For example, CTU researchers
identified the group using IP addresses owned by several, presumably compromised, research
organizations to interact with web shells in other target environments.

**Host enumeration and lateral movement**

After gaining an initial foothold in a compromised environment, the threat actors quickly identify and
explore accessible systems. In one example, BRONZE UNION actors leveraged initial web shell access
on Internet-facing systems to conduct internal reconnaissance, including domain enumeration and
network state, via ipconfig, net use, net user, and net view commands. In a separate incident, CTU
researchers identified a file named s.txt, which is consistent with the output of the Netview hostenumeration tool.

Knowledge of the compromised environment allows the threat actors to move laterally between systems.
CTU researchers identified ten compromised hosts in one environment that contained artifacts associated
with the Rcmd lateral-movement tool. Use of the tool leaves a small helper script (read.vbs) on the target


-----

system. This script relays commands and output between the controller and the system.

**Defensive evasion**

CTU researchers observed BRONZE UNION actors reconfiguring legitimate Windows features to
[establish PowerShell remoting and](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.1) [WinRM (see Figure 3). These remote management technologies allow](https://blogs.msdn.microsoft.com/powershell/2015/10/27/compromising-yourself-with-winrms-allowunencrypted-true/)
a full range of configuration, data transfer, and remote execution capabilities over HTTP/HTTPS channels.
Enabling these features gives the threat actor a remote control channel to persistently access the victim's
environment without using malicious software that could be detected.

_Figure 3. PowerShell commands. (Source: SecureWorks)_

Some payloads leveraged DLL side loading, a technique that involves running a legitimate, typically
digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and
executes shell code. BRONZE UNION previously used this technique to enable execution of PlugX and
HttpBrowser tools in a way that is challenging for network defenders to detect.

In 2016, CTU researchers observed the group using native system functionality to disable logging
[processes and delete logs within a compromised environment. The threat actors used the appcmd](https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe)
command-line tool to unlock and disable the default logging component on the server
(systsm.webServer/httplogging) and then delete existing logs from the system (see Figure 4).

_Figure 4. Threat actor using appcmd to delete logs and disable logging. (Source: SecureWorks)_

**Credential access**

BRONZE UNION uses various tools for credential theft. In one incident, the threat actor used the
Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials
from memory and compiles them in w.txt:
```
c:\programdata\w.exe –w –l –c>>c:\programdata\w.txt

```
In a separate incident, the threat actor used access provided by extensive web shell deployment to
harvest account credentials:
```
2016-10-03T09:27:47  dir
2016-10-03T09:28:11  w64.log >ppp.log
2016-10-03T09:30:10   PowerShell.exe -ExecutionPolicy Bypass -File getpwd.ps1 >iistail.log

```

-----

In another example, BRONZE UNION leveraged the Kekeo credential abuse tool to exploit CVE-20146324, a vulnerability in Microsoft's implementation of the Kerberos network authentication protocol.
Exploitation of this vulnerability allows an attacker to escalate privileges on the affected system.

**Exfiltration**

BRONZE UNION has also leveraged various web shells to collect and stage data for exfiltration. In one
instance, the threat actor gained remote access to a high-value system in a compromised network, ran
[quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/quser)
archive that specified file types the threat actor did not want, and used a password to encrypt the archive:
```
YYYY-MM-DD hh:mm:ss   quser
YYYY-MM-DD hh:mm:ss   C:\windows\temp\svchost.exe a -m5 -v2000m -hp{password} -inul -r "
{destination_file.rar}" "{multiple user directories linked to the victim's projects}" -x*.exe x*.msi -x*.cab -x*.inc -x*.dll -x*.db -x*.mdb -x*.htm -x*.html -x*.css -x*.jar -x*.js -x*.tmp x*.bak -x*.dat -x*.log -x*.xml -x*.dmp -x*.dbf -x*.avi -x*.mp3 -x*.mp4 -x*.mpg -x*.mpeg -x*.asp x*.aspx -x*.gif -x*.jpg -x*.mpp -x*.pst

```
The threat actors typically rename the encrypted RAR archives. In the following example, archives for
exfiltration were renamed as .tmp files:
```
move \\{FILE PATH}\c$\programdata\AT.part01.rar \\{FILE PATH}\c$\programdata\at01.tmp

```
The TMP files were then staged for exfiltration on Internet-facing servers that had previously been
compromised with the China Chopper web shell. From those servers the threat actor could use a web
shell to retrieve the encrypted archives:
```
copy \\{FILE PATH}\c$\programdata\*.tmp \\{FILE PATH}\ServiceDesk\custom\style

```
After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged
RAR archives and detach their network shares, likely to avoid detection. Figure 5 shows the commands
used to perform these activities on a RAR archive renamed with a *.jpg extension.

_Figure 5. BRONZE UNION commands. (Source: SecureWorks)_

**Reentry attempt**


-----

After BRONZE UNION was evicted from a compromised environment, which involved blocking the
group's known infrastructure, CTU researchers observed the group attempting to reconnect to its OWA
web shells and a backup web shell it had deployed during the intrusion. The threat actor also attempted to
use OWA account credentials likely acquired during an earlier phase of the intrusion. BRONZE UNION
appeared to leverage other compromised infrastructure, presumably to make reentry attempts seem
legitimate. This attempt illustrates the importance of thorough planning when conducting an eviction and
the need for continuous vigilance for evidence of reentry.

## Conclusion

As of this publication, BRONZE UNION remains a formidable threat group that targets intellectual property
and executes its operations at a swift pace. Its activities indicate a preference for leveraging SWCs and
scan-and-exploit techniques to compromise target systems. To mitigate these threats, CTU researchers
recommend that clients conduct regular internal vulnerability scanning, patching, and upgrading of priority
[systems, particularly Internet-facing systems and users' devices. Advanced endpoint threat detection](https://www.secureworks.com/capabilities/managed-security/endpoint-security/endpoint-threat-detection)
(AETD) can help detect activity associated with web shells and lateral movement, and network
technologies that use sandboxing techniques to detonate binaries in network traffic can prevent malicious
traffic from reaching internal systems. Early detection and response can minimize exposure and damage.

## Threat indicators

The threat indicators in Table 1 are associated with BRONZE UNION activity. Note that IP addresses can
be reallocated. The IP addresses may contain malicious content, so consider the risks before opening
them in a browser.

Indicator Type Context


198.56.185.179 IP
address

211.255.155.194 IP
address


Used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell


-----

Indicator Type Context


211.255.155.199 IP
address

211.255.155.202 IP
address

211.255.155.204 IP
address

211.255.155.215 IP
address


Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell


-----

Indicator Type Context


211.255.155.218 IP
address

211.255.155.219 IP
address

211.255.155.224 IP
address

104.130.244.126 IP
address

96.90.63.57 IP
address

117.136.63.145 IP
address


Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Likely
associated
with VPN
used by
BRONZE
UNION to
connect to
China
Chopper web
shell

Used by
BRONZE
UNION to
connect to
web shells

Used by
BRONZE
UNION to
connect to
web shells

Used by
BRONZE
UNION to
connect to
web shells


-----

Indicator Type Context


cd5aaa37ee165071f914ceec8fd09e0f MD5
hash

2b5aa30f8f0575bdfe1ddebc8dac8c56a91137a8 SHA1
hash

0e823a5b64ee761b70315548d484b5b9c4b61968b5068f9a8687c612ddbfeb80 SHA256
hash


OwaAuth web
shell used by
BRONZE
UNION

OwaAuth web
shell used by
BRONZE
UNION

OwaAuth web
shell used by
BRONZE
UNION


javaws.exe Filename Malware used
in BRONZE
UNION SWC
that
downloads
and executes
a secondstage payload


98c5f2a680fe9de19683120be90ea75c MD5
hash

daa03d4aa72a16fff910142982b057b195018e6d SHA1
hash

ec60e57419f24fabbe67451cb1055b3d2684ab2534cd55c4a88cc395f9ed1b09 SHA256
hash

45.114.9.174 IP
address

_Table 1. BRONZE UNION indicators._


Malware used
in BRONZE
UNION SWC
(javaws.exe)F

Malware used
in BRONZE
UNION SWC
(javaws.exe)

Malware used
in BRONZE
UNION SWC
(javaws.exe)

Used by
BRONZE
UNION to
host secondstage payload
for SWC


-----