# BRONZE PRESIDENT Targets Government Officials **[secureworks.com/blog/bronze-president-targets-government-officials](https://www.secureworks.com/blog/bronze-president-targets-government-officials)** Counter Threat Unit Research Team _The likely Chinese government-sponsored threat group uses decoy documents and PlugX malware to_ _compromise targets. Thursday, September 8, 2022 By: Counter Threat Unit Research Team_ In June and July 2022, Secureworks® Counter Threat Unit™ (CTU) researchers identified a PlugX malware campaign targeting computers belonging to government officials of several countries in Europe, the Middle East, and South America. PlugX is modular malware that contacts a command and control (C2) server for tasking and can download additional plugins to enhance its capability beyond basic information gathering. Several characteristics of this campaign indicate that it was ----- [conducted by the likely Chinese government-sponsored BRONZE PRESIDENT threat group,](https://www.secureworks.com/research/threat-profiles/bronze-president) including the use of PlugX, file paths and naming schemes previously used by the threat group, the presence of shellcode in executable file headers, and politically-themed decoy documents that align with regions where China has interests. The malware is embedded within RAR archive files. Opening the archive on a Windows computer with default settings displays a Windows shortcut (LNK) file (see Figure 1) that masquerades as a document. _Figure 1. Content of RAR archive file. (Source: Secureworks)_ Alongside the shortcut is a hidden folder that contains the malware, embedded eight levels deep in a sequence of hidden folders named with special characters (see Figure 2). This tiering is likely to bypass mail-scanning products that may not traverse the entire path when scanning content, suggesting that the delivery mechanism was phishing emails, as there is no other benefit to creating such a folder structure. _Figure 2. Malicious files contained within hidden folder. (Source: Secureworks)_ To execute the malware, the recipient must click the Windows shortcut file. The shortcut executes a renamed legitimate file contained in the eighth hidden folder. Alongside the legitimate file is a malicious DLL and an encrypted payload file. CTU™ researchers observed the malicious payload using the folder names and filenames in Table 1. **Encrypted** **PlugX payload** **Shortcut file** HU proposals to the draft EUCO conclusions.pdf.lnk **Hidden** **folder** **Legitimate binary** **Malicious DLL** ` Opera.exe (renamed test.tmp) opera_browser.dll operaDB.dat ----- **Encrypted** **PlugX payload** **Shortcut file** Embassy of the Republic of Suriname 2022-N033.pdf.lnk Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk EL Non-Paper Pandemic Resilience final.docx.lnk 313615_MONTENEGRO2021-HUMAN-RIGHTSREPORT.pdf.lnk EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk NV 309-2022 HMA's departure.pdf.lnk **Hidden** **folder** **Legitimate binary** **Malicious DLL** ` Opera.exe (renamed mail.tmp) # Opera.exe (renamed test.bpl) #### Adobe Stock Photos Cs3.exe (renamed test.chs) ` AvastBrowserUpdate.exe (renamed winrar.chm) _ AvastBrowserUpdate.exe (renamed chrom.uce) # Opera.exe (renamed test.chm) opera_browser.dll operaDB.dat opera_browser.dll operaDB.dat Adobe_Caps.dll AdobePlugin.dat Goopdate.dll AvastDB.dat Goopdate.dll AvastDB.dat opera_browser.dll operaDB.dat _Table 1. Filenames used in PlugX campaign._ [The legitimate binary files are vulnerable to DLL search order hijacking. When executed, they import](https://attack.mitre.org/techniques/T1574/001/) the malicious DLL that loads, decrypts, and executes the payload file. In each sample analyzed by CTU researchers, the shortcut file metadata indicates the file was created on a Windows system either with hostname "desktop-n2v1smh" or "desktop-cb248vr". Once running, the payload drops a decoy document to the logged-on user's %Temp% directory and copies the three files to a ProgramData subdirectory using the pattern "<3 characters>" (e.g., Operavng) (see Figure 3). This naming scheme has been used in previous BRONZE PRESIDENT PlugX campaigns. CTU researchers observed that when the payload performs the copy operation, it names the legitimate executable with its usual name (e.g., Opera.exe, AdobePlugin.exe, AvastBrowser.exe). _Figure 3. PlugX files copied to ProgramData subdirectory. (Source: Secureworks)_ ----- The political nature of the decoy documents suggests that the government officials of various countries are targets for BRONZE PRESIDENT's intelligence collection efforts (see Figures 4, 5, and 6). The threat group consistently targets China's neighbors such as Myanmar and Vietnam. However, its collection requirements can change quickly and are often driven by geopolitical events such as the [war in Ukraine.](https://www.secureworks.com/blog/bronze-president-targets-russian-speakers-with-updated-plugx) _Figure 4. Decoy document used by BRONZE PRESIDENT. (Source: Secureworks)_ _Figure 5. Decoy document used by BRONZE PRESIDENT. (Source: Secureworks)_ ----- _Figure 6. Decoy document used by BRONZE PRESIDENT. (Source: Secureworks)_ PlugX sets up persistence on the host by setting a registry Run key (see Figure 7). _Figure 7. PlugX registry configuration. (Source: Secureworks)_ The running instance of the PlugX payload executes the copy of the legitimate file under ProgramData, passing it a command-line argument before exiting (see Figure 8). Passing commandline arguments lets the malware adapt its execution based on its execution location. CTU researchers observed this tactic in previous BRONZE PRESIDENT PlugX campaigns. Once running, the legitimate file again imports the malicious DLL in the same folder, loading, decoding, and passing execution to the malicious payload file. _Figure 8. PlugX process execution with command-line argument. (Source: Secureworks)_ The payload file calls GetCommandLineW to check the number of arguments. If an additional argument follows the file path, the malware opens the decoy document previously dropped to the user's %Temp% folder and continues execution with its C2 routine. The malicious DLLs and payloads are heavily obfuscated to hinder analysis and to reduce the likelihood of detection by host-based security software. The malicious DLL executes its payload using an unusual technique. Instead of using a call or jmp instruction, it first decodes and copies the payload ----- to a new allocation of memory and then makes a call to EnumThreadWindows to pass execution to the start of the malicious payload file (see Figure 9). _Figure 9. Malicious DLL calling EnumThreadWindows. (Source: Secureworks)_ The start of the payload file is treated as executable code in the same way as a Cobalt Strike [stageless payload artifact. This could be a tactic developed by BRONZE PRESIDENT to increase the](https://www.cobaltstrike.com/blog/what-is-a-stageless-payload-artifact/) likelihood of its malware being misidentified as the popular Cobalt Strike tool. The payload resolves various required Windows functions. It then starts a new thread that makes repeated calls to CheckRemoteDebuggerPresent, exiting if it detects a debugger. Figure 10 shows the payload preparing to decode its configuration. The values pushed to the stack are key length, key, data length, and data address. The key is used as a multibyte XOR value. All observed key value lengths are nine bytes, and their values vary across samples. _Figure 10. PlugX calling its configuration decode function. (Source: Secureworks)_ Figure 11 shows the beginning of the decoded configuration, including the installation directory, mutex name, and the name of the decoy document associated with the sample. ----- _Figure 11. PlugX configuration data. (Source: Secureworks)_ BRONZE PRESIDENT has demonstrated an ability to pivot quickly for new intelligence collection opportunities. Organizations in geographic regions of interest to China should closely monitor this group's activities, especially organizations associated with or operating as government agencies. To mitigate exposure to this malware, CTU researchers recommend that organizations use available controls to review and restrict access using the indicators listed in Table 2. Note that IP addresses can be reallocated. The IP addresses may contain malicious content, so consider the risks before opening them in a browser. **Indicator** **Type** **Context** c285eaea0fe441f550479f7ef85a3dd0 MD5 hash 41d61af1d61d6e1c4718132e64268005 ce362b36 4cd7d84e464a2786446df623629aa7e2 e6c776c9a870278eb39b54c5fba05044 SHA1 hash SHA256 hash Malicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar) Malicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar) Malicious RAR file containing PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.rar) Malicious shortcut file that executes PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk) Malicious shortcut file that executes PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk) 3a94449d664033955012edac0161b2b8 MD5 hash 91192be3288369f341951143a81c890c 11e23726 SHA1 hash ----- **Indicator** **Type** **Context** 254739e88ba4b4e62c5e2a313303b4bc 679faabe21e7d9c483a2bee846a9dcbc SHA256 hash 370557aa593c96533e5994d073ddd202 MD5 hash 81e8fb5149fda8e1231c9f0f22001cea 5b70429b 9adf5dd03388fab2866014d0551881d6 e85c7ac94ef5ccf58deb50a83f8a5d50 SHA1 hash SHA256 hash 2a1fc50626afbcc6d8fbda3c65d6cc2b MD5 hash c378c0716bf20ebc83403871ae9d96a2 717f7599 d556d7603178a7e4242c01fa5e490ea4 589707eeeab2f3c6c4966bd9b912bd59 SHA1 hash SHA256 hash 041a00485779c5a9e42d803e730ceb6c MD5 hash bd6e5031067724d51abfc2cd2d0fb5ad eed33868 77a61de438f618fab6e75a920e4ca675 6917e501f390b8b4f50c3005505bf488 SHA1 hash SHA256 hash 3277b31aa055bc149af8c37699019586 MD5 hash d0d6618fc79ffa3de2aec58603539a29 4a0bc203 94e76db201d4998394effae2c132730f f958bf6553f6dd08d0d5856ecb5e8a84 SHA1 hash SHA256 hash 675ccbd9318414e2eb0dcabf8a387723 MD5 hash 89f187c9f76d8afa2b6a8c54fa0bc105 63e0169b abea565d16ec5724591331d962d5cf02 37f4628f8cb21b96592c09cc002b10c2 SHA1 hash SHA256 hash Malicious shortcut file that executes PlugX (Predlog termina zvanicne posjete zamjenice predsjedavajuceg Vijeca ministara i ministarke vanjskih poslova BiH.pdf.lnk) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) Malicious RAR file containing PlugX (Embassy of the Republic of Suriname 2022-N-033.rar) Malicious RAR file containing PlugX (Embassy of the Republic of Suriname 2022-N-033.rar) Malicious RAR file containing PlugX (Embassy of the Republic of Suriname 2022-N-033.rar) Malicious shortcut file that executes PlugX (Embassy of the Republic of Suriname 2022N-033.pdf.lnk) Malicious shortcut file that executes PlugX (Embassy of the Republic of Suriname 2022N-033.pdf.lnk) Malicious shortcut file that executes PlugX (Embassy of the Republic of Suriname 2022N-033.pdf.lnk) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Encrypted PlugX payload (operaDB.dat) 5d71c482148a76900888c8e1d382d413 MD5 hash ----- **Indicator** **Type** **Context** 6637e077ea52dc62cd31b1a868b3c222 953b8aa9 02375309e74e91b96c0a41f577f3e4b9 94f3b406abe0619ee6ad69d00e810093 SHA1 hash SHA256 hash 0e37ed727cdb8ae96a50df6391991cc1 MD5 hash 5285fedf930ccb1acf418c52d581e535 504aac76 cbc2d11cb9a495d4697c783cd2aa711a 5691d3c257ddb95960d27c96f62c15c1 SHA1 hash SHA256 hash 788cf16121782b4358dc8350012470ab MD5 hash 63d63b96ef50a4002d3acf8f50bc2b62 d1ec46c4 3cdd37d2459779bd17dd47d4dd7f0df6 fc59f5208b67b4e4a259c98d8b4788d9 SHA1 hash SHA256 hash 3e004dd25b5e836bc2500098c55a2b6d MD5 hash 602a80e0924a65316cafc48356fe527e 427c291f 7c29f4a79f74f8b299fb9e778322b002 21e9992d0ac6d2bd915da6629516fa2f SHA1 hash SHA256 hash 5536783ddc6c15e3e8aef2a756536020 MD5 hash 0809275ecacd52869b43bf4e9804e309 c6bb00b7 910c0e5532a94856e8c9047e8c951e21 345bec4ca6b6950cc5ef0da102d2efab SHA1 hash SHA256 hash 0e91279b5f7f732106077ab10aa08c58 MD5 hash b4aa56abac4a19aedcda87ef2fb7c8bb beb3bf64 4bbb10842941e9004c5449966fca1648 491618ec7841e6befd3e848d75407a10 SHA1 hash SHA256 hash Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) Malicious RAR file containing PlugX (HU proposals to the draft EUCO conclusions.rar) Malicious RAR file containing PlugX (HU proposals to the draft EUCO conclusions.rar) Malicious RAR file containing PlugX (HU proposals to the draft EUCO conclusions.rar) Malicious shortcut file that executes PlugX (HU proposals to the draft EUCO conclusions.pdf.lnk) Malicious shortcut file that executes PlugX (HU proposals to the draft EUCO conclusions.pdf.lnk) Malicious shortcut file that executes PlugX (HU proposals to the draft EUCO conclusions.pdf.lnk) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) Malicious RAR file containing PlugX (EL NonPaper Pandemic Resilience final.rar) Malicious RAR file containing PlugX (EL NonPaper Pandemic Resilience final.rar) Malicious RAR file containing PlugX (EL NonPaper Pandemic Resilience final.rar) ----- **Indicator** **Type** **Context** 1f47ba7fd131a1a6f7623d76b420d7e9 MD5 hash 07c5e675714a1af618d8eb1f370be127 63138343 bf46f4724e5a3b05130df40142446840 33feadb1c10d8309b7e3069a4b014a88 SHA1 hash SHA256 hash 7c3a5bbbfb53d4eb91cd174527460824 MD5 hash a6b2c6052ee686e204ad0fbe8d314985 57a3f4ad 840426f9d4d9eb535f5963f76f7cdf84 de084f352dfc0ebc7332b2b4827782e7 SHA1 hash SHA256 hash 459b4b1edd018ba31242b4780ec39a78 MD5 hash f8ae9ea9ca603dfc10a309b052dc57ee 0b75021d 545e2c9965dc0449bb652ae2fb3d1f74 3741ce4f18c045dc50a3f571a1f267f5 SHA1 hash SHA256 hash 493cb5056dee306ac2c93af2285ad9d8 MD5 hash dcc6edf9c40f9c3f914416805252e11a ecb2e5ad 325736437e278bccd6f04e0c57f72be7 e1b4787b10743d813581cfc75dc4888f SHA1 hash SHA256 hash f6b365fad2dba5c7378df81339bb3078 MD5 hash 710bc29b56da533cae0ed5bba47916b8 11479ee8 eab73a44642e130091177ed2a7938c67 d2411ccf81141a96bdb5116678ac97c2 SHA1 hash SHA256 hash Malicious shortcut file that executes PlugX (EL Non-Paper Pandemic Resilience final.docx.lnk) Malicious shortcut file that executes PlugX (EL Non-Paper Pandemic Resilience final.docx.lnk) Malicious shortcut file that executes PlugX (EL Non-Paper Pandemic Resilience final.docx.lnk) Malicious DLL that loads PlugX (Adobe_Caps.dll) Malicious DLL that loads PlugX (Adobe_Caps.dll) Malicious DLL that loads PlugX (Adobe_Caps.dll) Encrypted PlugX payload (AdobePlugin.dat) Encrypted PlugX payload (AdobePlugin.dat) Encrypted PlugX payload (AdobePlugin.dat) Malicious RAR file containing PlugX (313615_MONTENEGRO-2021-HUMANRIGHTS-REPORT.rar) Malicious RAR file containing PlugX (313615_MONTENEGRO-2021-HUMANRIGHTS-REPORT.rar) Malicious RAR file containing PlugX (313615_MONTENEGRO-2021-HUMANRIGHTS-REPORT.rar) Malicious shortcut file that executes PlugX (313615_MONTENEGRO-2021-HUMANRIGHTS-REPORT.pdf.lnk) Malicious shortcut file that executes PlugX (313615_MONTENEGRO-2021-HUMANRIGHTS-REPORT.pdf.lnk) Malicious shortcut file that executes PlugX (313615_MONTENEGRO-2021-HUMANRIGHTS-REPORT.pdf.lnk) ----- **Indicator** **Type** **Context** 5c56ac14f1245fecc7fa930bb49a0f7d MD5 hash 95f0de261ff57e67d666277b86783650 89853d45 b7f6cf8a6a697b254635eb0b567e2a89 7c7f0cefb0c0d4576326dc3f0eb09922 SHA1 hash SHA256 hash c94f930fee694db7253e7784ca3adc87 MD5 hash 04afecffaaff12058e07bcbda65dbbb6 1cdea762 13e60a836d64ce6d18059c82c2c0c1a3 af0fce87e16d85f26e4b665d4e24e1b1 SHA1 hash SHA256 hash e2fe6c54cb4a9a45fbc6f7eb3a9c4fbf MD5 hash 85d8da08ba6ce60b9116c0c93f8d8c9e 4fa7f24c 09fc8bf9e2980ebec1977a8023e8a294 0e6adb5004f48d07ad34b71ebf35b877 SHA1 hash SHA256 hash c004559076a1d21e50477580526f2d9f MD5 hash 840c535120ed91eb88d32abe6fcc06d5 b3053674 a693b9f9ffc5f4900e094b1d1360f7e7 b907c9c8680abfeace34e1a8e380f405 SHA1 hash SHA256 hash Malicious DLL that loads PlugX (goopdate.dll) Malicious DLL that loads PlugX (goopdate.dll) Malicious DLL that loads PlugX (goopdate.dll) Encrypted PlugX payload (AvastDB.dat) Encrypted PlugX payload (AvastDB.dat) Encrypted PlugX payload (AvastDB.dat) Malicious RAR file containing PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar) Malicious RAR file containing PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar) Malicious RAR file containing PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.rar) Malicious shortcut file that executes PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk) Malicious shortcut file that executes PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk) Malicious shortcut file that executes PlugX (EU 31st session of the Commission on Crime Prevention and Criminal Justice United Nations on Drugs and Crime.pdf.lnk) Malicious DLL that loads PlugX (goopdate.dll) Malicious DLL that loads PlugX (goopdate.dll) af7b0e51f1572601889994f36b0a9d7a MD5 hash 0d7daad1d60f2ed2e23188aab1f3bbab f3ad0b63 SHA1 hash ----- **Indicator** **Type** **Context** bda43368b62971b395c8fbcc854b6e9d 113b3e26931214568e1df6201c1dfd0c SHA256 hash 1409c055064becf02ed074b6d0976feb MD5 hash bb9803312d697d4cac5f7a2bec57da73 b4d88486 dfa01872aab09f04fcb9eca3653bd0fb c6968d040b12aedb93050d363e964891 SHA1 hash SHA256 hash d3129539bc1e1c6cce321693be186522 MD5 hash d640592b13b6983a38948f733a4b4621 cdaf2530 69ba51fe80ef91fb0b7280d16290a249 41d3a131cee43f4379821f44d089d63e SHA1 hash SHA256 hash 07e9c84bee28450b1ec24a6f06016802 MD5 hash 4d15d67e1175f36be7b14c9474102d09 82ea97b8 924fffea4d0a4710d71b507523d76a85 4f06d4b9e64eb9074c04e1ec34141a53 SHA1 hash SHA256 hash a510e7b3e447a090cd3f41c4a1a9bd3a MD5 hash d30791be1bf9d2247faa6dfbeb9c132e 9990b401 023d3bce6f1bcf6c15eb839a4e28c488 8a346beaad74afce50cf30f4d911e70d SHA1 hash SHA256 hash e819924ea9fa0c53634b306648cb9a84 MD5 hash 70f36366b579ba344f9e90ec63b0e273 fe6526e0 4b7c37ca79536f2692c64dfdc1b70738 ceeb74ef7ba9e78d8f8db1dfa7ea64ef SHA1 hash SHA256 hash Malicious DLL that loads PlugX (goopdate.dll) Encrypted PlugX payload (AvastDB.dat) Encrypted PlugX payload (AvastDB.dat) Encrypted PlugX payload (AvastDB.dat) Malicious RAR file containing PlugX (NV 3092022 HMA's departure.pdf.rar) Malicious RAR file containing PlugX (NV 3092022 HMA's departure.pdf.rar) Malicious RAR file containing PlugX (NV 3092022 HMA's departure.pdf.rar) Malicious shortcut file that executes PlugX (NV 309-2022 HMA's departure.pdf.lnk) Malicious shortcut file that executes PlugX (NV 309-2022 HMA's departure.pdf.lnk) Malicious shortcut file that executes PlugX (NV 309-2022 HMA's departure.pdf.lnk) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Malicious DLL that loads PlugX (opera_browser.dll) Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) Encrypted PlugX payload (operaDB.dat) PlugX C2 server PlugX C2 server 64.34.205.41 IP address 69.90.190.110 IP address ----- **Indicator** **Type** **Context** 104.255.174.58 IP address _Table 2. Indicators for this threat._ PlugX C2 server [If you need urgent assistance with an incident, contact the Secureworks Incident Response team.](https://www.secureworks.com/contact/emergency-response) -----