
A recent ransomware attack by RA World in November 2024 targeted an unnamed Asian software and services company, using a malicious toolset that had previously been seen only in the hands of China-based cyber espionage groups. This raises the possibility that the threat actor is moonlighting as a ransomware operator on an individual basis.

According to the Symantec Threat Hunter Team, part of Broadcom, the attacker deployed a distinct toolset that had previously been used by a China-linked actor in classic espionage attacks. The team noted that in all prior intrusions involving the toolset, the attacker appeared to be engaged in classic espionage, focused on maintaining a persistent presence on targeted organizations by installing backdoors.

This included a July 2024 compromise of the Foreign Ministry of a country in southeastern Europe, which involved the use of classic DLL side-loading techniques to deploy PlugX (aka Korplug), a malware repeatedly used by the Mustang Panda (aka Fireant and RedDelta) actor.

The specific attack chain entails the use of a legitimate Toshiba executable named “toshdpdb.exe” to sideload a malicious DLL named “toshdpapi.dll,” which serves as a conduit to load the encrypted PlugX payload.
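As an added example that is not part of the original article or Symantec's analysis, the following Python flags the image-load pattern this chain produces: a host executable loading a DLL from its own directory, outside the Windows system paths, where the DLL does not carry a valid signature. The event records are constructed and loosely modelled on Sysmon Event ID 7 (Image loaded) fields (Image, ImageLoaded, Signed, SignatureStatus); the drop directory, the vendor paths and the signature values are assumptions, and only the two file names come from the article.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example; not Symantec's tooling and not code from the original article.
Events are constructed here and loosely modelled on Sysmon Event ID 7 fields.
"""
from pathlib import PureWindowsPath

# Locations the loader resolves DLLs from legitimately (KnownDLLs / system dirs).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# Installed software loads its own bundled DLLs from here; exclude to cut noise.
INSTALL_DIRS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")


def _under(path: PureWindowsPath, prefixes) -> bool:
    """True if path is one of the prefixes or lies beneath one of them."""
    s = str(path)
    return any(s == p or s.startswith(p + "\\") for p in prefixes)


def is_sideload_candidate(ev: dict) -> bool:
    """Side-loading signature: a DLL loaded from the host EXE's own directory,
    with the EXE sitting in a user-writable location and the DLL not validly signed."""
    host = PureWindowsPath(ev["Image"].lower())
    dll = PureWindowsPath(ev["ImageLoaded"].lower())
    if dll.suffix != ".dll":
        return False
    if _under(dll, SYSTEM_DIRS):
        return False  # normal OS DLL resolution
    if dll.parent != host.parent:
        return False  # the malicious DLL is dropped beside the legitimate EXE
    if _under(host, INSTALL_DIRS):
        return False  # vendor installs loading their own DLLs (handled elsewhere)
    signed = ev.get("Signed", "false").lower() == "true"
    status_ok = ev.get("SignatureStatus", "").lower() == "valid"
    return not (signed and status_ok)


def find_sideload_candidates(events) -> list:
    """Return (host, dll) pairs for every event matching the pattern."""
    return [(ev["Image"], ev["ImageLoaded"]) for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry. The drop folder is an assumption; the Toshiba
# executable and DLL names are the ones named in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\toshdpapi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\Public\Libraries\toshdpdb.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for host, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"side-load candidate: {host} -> {dll}")
```

Only the first constructed event is flagged. Two caveats a practitioner would add: a DLL carrying a valid signature (a stolen or abused certificate) passes this filter and needs a signer allowlist instead, and excluding Program Files means a vendor install abused in place is missed; in a SIEM this rule is usually paired with one on the host binary itself, since a Toshiba utility launching from a user-writable folder is unusual on its own.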

Other intrusions linked to the same toolset have been observed in connection with attacks targeting two different government entities in Southeastern Europe and Southeast Asia in August 2024, a telecom operator in September 2024, and another government ministry in a different Southeast Asian country in January 2025.

However, Symantec noted that it observed the PlugX variant being deployed in November 2024 as part of a criminal extortion campaign against a medium-sized software and services company in South Asia.

The attacker claimed to have compromised the company's network by exploiting a known security flaw in Palo Alto Networks PAN-OS software (CVE-2024-0012, an authentication bypass in the management web interface). The attack culminated in the machines being encrypted with the RA World ransomware, but not before the Toshiba binary was used to launch PlugX.

Prior analyses from Cisco Talos and Palo Alto Networks Unit 42 have uncovered tradecraft overlaps between RA World (formerly called RA Group) and a Chinese threat group known as Bronze Starlight (aka Storm-401 and Emperor Dragonfly) that has a history of using short-lived ransomware families.

While it’s not known why an espionage actor is also conducting a financially motivated attack, Symantec theorized that a lone actor is likely behind the effort and that they were attempting to make some quick gains on the side. This assessment also lines up with Sygnia’s analysis of Emperor Dragonfly in October 2022, which it described as a “single threat actor.”

This form of moonlighting, while rarely observed in the Chinese hacking ecosystem, is more prevalent among threat actors from Iran and North Korea.

“Another form of financially motivated activity supporting state goals is when groups whose main mission may be state-sponsored espionage are, either tacitly or explicitly, allowed to conduct financially motivated operations to supplement their income,” the Google Threat Intelligence Group (GTIG) said in a report published this week.

“This can allow a government to offset direct costs that would be required to maintain groups with robust capabilities.”

Salt Typhoon Exploits Vulnerable Cisco Devices to Breach Telcos

The development comes as the Chinese nation-state hacking group tracked as Salt Typhoon has been linked to a set of cyber attacks that leverage known security flaws in Cisco IOS XE network devices to penetrate multiple networks: CVE-2023-20198, a privilege escalation in the web UI that lets an unauthenticated attacker create a privilege-15 local account, and CVE-2023-20273, a command injection in the same web UI that is then used to run commands as root.
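As an added example, not code from Cisco, Recorded Future or the original article, the following Python audits an IOS XE running-config for the two conditions that matter for this pair of CVEs: the HTTP/HTTPS server feature enabled without an access-class restriction (the exposure that lets the web UI be reached from untrusted networks), and privilege-15 local users outside an approved list (successful exploitation of CVE-2023-20198 creates such an account). The configuration text, hostname and usernames are constructed, and the approved-admin set is an assumption.

```python
"""Audit an IOS XE running-config for web UI exposure and rogue admin accounts.

Added example; not Cisco's, Recorded Future's or the article's code.
The configurations below are constructed for illustration.
"""
import re

# Assumed organisational allowlist of accounts that may hold privilege 15.
APPROVED_ADMINS = {"netadmin"}

_PRIV15_RE = re.compile(r"username (\S+) privilege 15\b")


def audit_ios_xe_config(config: str, approved_admins=APPROVED_ADMINS) -> dict:
    """Return the exposure facts and a list of human-readable findings."""
    lines = [line.strip() for line in config.splitlines()]
    http_on = "ip http server" in lines
    https_on = "ip http secure-server" in lines
    # 'ip http access-class <acl>' (or 'ipv4 <name>') limits who can reach the web UI.
    access_class = any(line.startswith("ip http access-class") for line in lines)

    priv15 = set()
    for line in lines:
        m = _PRIV15_RE.match(line)
        if m:
            priv15.add(m.group(1))

    findings = []
    if (http_on or https_on) and not access_class:
        findings.append("web UI enabled without an 'ip http access-class' restriction")
    for user in sorted(priv15 - set(approved_admins)):
        findings.append(f"unexpected privilege-15 local user: {user}")

    return {
        "http_server": http_on,
        "https_server": https_on,
        "access_class": access_class,
        "priv15_users": sorted(priv15),
        "findings": findings,
    }


# Constructed: exposed web UI plus an extra level-15 account.
EXPOSED_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username svc_webui privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
line vty 0 4
 transport input ssh
"""

# Constructed: web UI disabled entirely (Cisco's mitigation for internet-facing
# devices) and only the approved account left at privilege 15.
HARDENED_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
!
no ip http server
no ip http secure-server
!
line vty 0 4
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_ios_xe_config(cfg)
        print(name, report["findings"] or ["no findings"])
```

Disabling the HTTP server feature (`no ip http server` and `no ip http secure-server`) is Cisco's recommended mitigation for internet-facing devices; where the web UI must stay up, `ip http access-class` limiting it to a management network removes the finding. The account check only sees local users, so a device that authenticates admins through TACACS+ or RADIUS needs the same review on the AAA server.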

The malicious cyber activity is assessed to have singled out a U.S.-based affiliate of a significant U.K.-based telecommunications provider, a South African telecommunications provider, an Italian internet service provider, and a large Thai telecommunications provider, based on communications detected between infected Cisco devices and the threat actor's infrastructure.

The attacks took place between December 4, 2024, and January 23, 2025, Recorded Future’s Insikt Group said, adding the adversary, also tracked as Earth Estries, FamousSparrow, GhostEmperor, RedMike, and UNC2286, attempted to exploit more than 1,000 Cisco devices globally during the timeframe.

More than half of the targeted Cisco appliances are located in the U.S., South America, and India. In what appears to be a broadening of the targeting focus, Salt Typhoon has also been observed targeting devices associated with more than
