Malicious actors leveraged a tool linked to a Chinese cyberespionage operation to facilitate an RA World ransomware intrusion against an Asian software and services organization in November, Security Affairs reports.
After initially focusing on cyberespionage in an attack against a Southeastern European country's foreign ministry in July, threat actors aimed to compromise the Asian firm by exploiting a Palo Alto Networks PAN-OS flaw and pilfering Amazon AWS S3 bucket data and credentials before launching RA World ransomware, according to an analysis from Broadcom's Symantec Threat Hunter Team.
The attack also involved the deployment of a Toshiba executable enabling the sideloading of a PlugX malware variant similar to the one used by Chinese cyberespionage gang Mustang Panda, also known as Fireant and Earth Preta.
While Palo Alto Networks previously linked RA World ransomware attacks to the Chinese threat operation Bronze Starlight, also known as Emperor Dragonfly, Symantec researchers noted that the motive of Chinese cyber spies in exploring ransomware ventures remains unclear.
"The most likely scenario is that an actor, possibly one individual, was attempting to make some money on the side using their employer’s toolkit," researchers said.