Delaware, USA – October 19, 2018 — The Bronze Butler group (aka REDBALDKNIGHT) continues to use the Datper malware in attacks in the East Asia region. Bronze Butler has been active since 2016 and is presumably located in the People’s Republic of China; the primary targets of its attacks are located in South Korea and Japan. The attackers compromise legitimate websites and use them as command-and-control servers during their operations. Cisco Talos research determined that, in addition to Datper, the group uses the xxmm backdoor and Emdivi malware, and that most of its attacks are associated with industrial espionage. Bronze Butler uses spear phishing and watering-hole attacks to infect its victims; in past campaigns it also exploited a zero-day vulnerability to infiltrate organizations’ networks. Datper is designed to collect information and is capable of executing shell commands. The malware is written in Delphi, and the most recent samples were created in the summer of 2018.
Amid increasing tensions between the People’s Republic of China and the United States, Chinese activity in cyberspace has noticeably intensified. McAfee researchers discovered another malicious campaign aimed at South Korea in which the attackers used malware based on the source code of Chinese APT groups. To detect sophisticated attacks on your infrastructure, you can use the Threat Hunting Framework, which speeds up daily searches and tracks IP addresses, URLs, domains and file hashes across all log sources connected to the SIEM: https://my.socprime.com/en/integrations/threat-hunting-framework-arcsight