

NEWS BRIEF


A recent ransomware attack by RA World caught researchers off guard, as the tool set used has previously been linked to China-based espionage actors.


According to a report by Symantec, the attack took place in late 2024 and involved a tool set built around a legitimate Toshiba executable, toshdpdb.exe, which is placed on the victim’s device. When run, this executable loads a malicious dynamic link library (DLL), which in turn installs a payload containing a PlugX backdoor.
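The legitimate-executable-plus-malicious-DLL chain described above is the classic side-loading pattern, and image-load telemetry is the natural place to catch it. The following detection logic is an added example, not code from the Symantec report: it runs over constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields and flags a watched host binary (toshdpdb.exe, the only name the report gives) loading a DLL that is unsigned or sits outside a trusted install directory. The DLL file name and all paths are made up for the sample.

```python
from pathlib import PureWindowsPath

# Constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields; not real telemetry.
# "toshdpdb.exe" is the legitimate Toshiba binary named in the report; the DLL name is made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Toshiba\toshdpdb.exe",
     "ImageLoaded": r"C:\Program Files\Toshiba\toshdpdb.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\ProgramData\Update\toshdpdb.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\toshdpdb.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Signed binaries known to be abused as side-loading hosts (from the report).
WATCHED_LOADERS = {"toshdpdb.exe"}
# Directories where an OS or vendor DLL is expected; anything else is user-writable territory.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_suspicious_load(event):
    """True when a watched host binary loads a DLL that is unsigned or lives
    outside a trusted install directory, which is the shape of a side-load."""
    loader = PureWindowsPath(event["Image"]).name.lower()
    if loader not in WATCHED_LOADERS:
        return False
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower().rstrip("\\") + "\\"
    in_trusted_dir = dll_dir.startswith(TRUSTED_DIRS)
    validly_signed = (event.get("Signed", "").lower() == "true"
                      and event.get("SignatureStatus", "") == "Valid")
    # A signed DLL loaded from a trusted directory is normal; anything else gets a look.
    return not (in_trusted_dir and validly_signed)


def find_side_loads(events):
    """Return (host exe, loaded DLL) pairs worth an analyst's attention."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


if __name__ == "__main__":
    for host, dll in find_side_loads(SAMPLE_EVENTS):
        print(f"ALERT side-load candidate: {host} loaded {dll}")
```

Only the unsigned DLL loaded from a user-writable directory is reported; the same host binary loading a system DLL, or a signed DLL from its vendor install path, passes quietly.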


The threat actors utilized this tool kit to deploy RA World ransomware within an unnamed Asian software and services company, demanding a ransom of $2 million. Although the initial infection vector was not identified, the attackers claimed to have compromised the victim’s network by exploiting a vulnerability in Palo Alto’s PAN-OS (CVE-2024-0012), as reported by Symantec.


The attackers then obtained administrative credentials from the company’s intranet and stole Amazon S3 cloud credentials from its Veeam server, using them to extract data from its S3 buckets before encrypting computers, according to the researchers. Based on the tactics, techniques, and procedures (TTPs) used, the researchers hypothesize that the attacker may be China-linked Emperor Dragonfly, also known as Bronze Starlight, a group known to deploy ransomware to disguise intellectual property theft in the past.


Symantec researchers noted that previous intrusions using this tool set targeted the foreign ministry of a Southeastern European country, the government of another country, two Southeast Asian government ministries, and a Southeast Asian telecoms operator. These attacks, which took place between July and January, were all related to espionage and did not involve ransomware.


While tools associated with China-based espionage groups are often shared resources, many are not publicly available and are not typically linked to cybercrime activity, the researchers stated in a recent post.

