BRONZE VINEWOOD, also known as APT31, is a cyberespionage group believed to be of Chinese origin. It has targeted organizations in the United States, notably the legal sector in 2017 and government and defense supply-chain networks in 2018. The Secureworks® Counter Threat Unit™ (CTU) research team has monitored BRONZE VINEWOOD's activity to increase visibility into, and understanding of, the group's operations.
The group's toolset includes HanaLoader and DropboxAES RAT. In 2017, CTU researchers analyzed a version of HanaLoader that was likely used in a campaign against U.S. legal organizations. Despite its name, DropboxAES RAT does not use the Advanced Encryption Standard (AES). For lateral movement within a compromised network, BRONZE VINEWOOD relies on native Windows functionality such as net commands and scheduled tasks; this activity looks like routine administration and has to be distinguished by context (the account used, the remote target, and the timing) rather than by the tool. The group also uses DLL search-order hijacking to load HanaLoader and other malicious payloads.
In 2018, BRONZE VINEWOOD demonstrated an expanded range of capabilities: infecting targeted systems, stealing credentials, and moving laterally within a compromised environment. The group loaded malicious code through legitimate executable files from software producers such as Oracle and Norton, so the process that runs the payload is itself a trusted, vendor-supplied binary; detection has to consider the DLLs that executable loads from its own directory, not only the executable. BRONZE VINEWOOD remains a significant threat because of its sophisticated techniques and persistent focus on high-value targets.
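The two techniques attributed above, lateral movement with native net and schtasks commands and DLL search-order hijacking through a legitimate vendor executable, both surface in ordinary endpoint telemetry. The following is an added example written for this page, not Secureworks' or the threat group's code, showing two triage rules run over constructed Sysmon-style events (Event ID 1 process creation and Event ID 7 image load). The events, host names, paths and user names are invented for the example; the field names follow Sysmon's, and the rules assume an event stream already parsed into dictionaries.

```python
"""Triage rules for two TTPs: native-tool lateral movement against a remote host,
and an unsigned DLL loaded from an application's own directory (the shape of
DLL search-order hijacking with a legitimate executable).

All events below are constructed for this example; they mirror Sysmon field
names for Event ID 1 (process creation) and Event ID 7 (image loaded)."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    subject: str   # remote host for the lateral-movement rule, DLL path for the load rule
    user: str
    detail: str


# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\FS01\C$ /user:CORP\svc_backup Passw0rd!"},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /s FS01 /tn "Update" /tr C:\Windows\Temp\u.exe /sc once /st 23:55 /ru SYSTEM'},
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /tn Update"},          # local query, benign
    {"EventID": 1, "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use"},                              # lists mappings, benign
    {"EventID": 7, "Image": r"C:\ProgramData\VendorTool\vendor.exe",
     "ImageLoaded": r"C:\ProgramData\VendorTool\msvcr100.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\ProgramData\VendorTool\vendor.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\wkscli.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

# "net use \\HOST\C$" (or ADMIN$, IPC$): a connection to a remote admin share.
NET_USE_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+use\s+\\\\([^\\\s]+)\\(\w+\$)', re.I)
# "schtasks ..." followed by its arguments.
SCHTASKS_RE = re.compile(r'\bschtasks(?:\.exe)?"?\s+(.*)$', re.I | re.S)
# /S <host> targets a remote system; requiring whitespace after /s excludes /sc and /st.
REMOTE_RE = re.compile(r'(?:^|\s)/s\s+(\S+)', re.I)
ACTION_RE = re.compile(r'(?:^|\s)/(create|run|change|delete)\b', re.I)


def lateral_movement_findings(events):
    """Rule 1: native tooling (net, schtasks) used against a remote host."""
    found = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        cmd = e.get("CommandLine", "")
        user = e.get("User", "?")
        m = NET_USE_RE.search(cmd)
        if m:
            found.append(Finding("net_use_admin_share", m.group(1), user, f"share {m.group(2)}"))
            continue
        m = SCHTASKS_RE.search(cmd)
        if m:
            action = ACTION_RE.search(m.group(1))
            remote = REMOTE_RE.search(m.group(1))
            if action and remote:
                found.append(Finding("schtasks_remote", remote.group(1), user,
                                     f"/{action.group(1).lower()}"))
    return found


def sideload_findings(events):
    """Rule 2: a process outside the Windows directory loads an unsigned DLL from
    its own directory. A triage hint only: legitimate software also ships unsigned
    DLLs, so corroborate with the executable's signer and the DLL's prevalence."""
    found = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        proc_dir = ntpath.dirname(e["Image"]).lower()
        dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
        signed = str(e.get("Signed", "")).lower() == "true"
        if not signed and proc_dir == dll_dir and not proc_dir.startswith("c:\\windows"):
            found.append(Finding("unsigned_dll_from_app_dir", e["ImageLoaded"],
                                 e.get("User", "?"), f"loaded by {e['Image']}"))
    return found


def run_rules(events):
    return lateral_movement_findings(events) + sideload_findings(events)


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.subject} ({f.user}) {f.detail}")
```

On the constructed events this reports the net use to the C$ share on FS01, the schtasks /create against FS01, and the unsigned msvcr100.dll loaded by vendor.exe from its own directory; the local schtasks /query and bare net use are left alone. The second rule deliberately ignores processes under C:\Windows, which cuts noise but also means a hijack staged next to a copied system binary outside that directory is what it catches, not one placed inside it.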
Description last updated: 2024-05-04T16:14:00.716Z