Analysis of the Suspected Rattlesnake Group Using a Nim Backdoor to Probe for Intelligence in South Asian Countries
Recently, QiAnXin Threat Intelligence Center discovered malicious samples targeting Bhutan during its routine sample tracking and analysis. The decoy content used by the samples was taken directly from a notice published on the Bhutanese government website. The document carries macro code that, through a chain of VBS and BAT scripts, ultimately executes a backdoor written in Nim. Based on the code signature of this Nim backdoor, we correlated samples from attacks against Nepal and Myanmar, with the attack against Myanmar dating back to November of last year. The Nim backdoor is in fact a variant of the C++ backdoor disclosed by domestic security vendors at the end of 2021. In February 2023, Group-IB released a report [2,3] disclosing spear-phishing attacks by the Rattlesnake organization between June and November 2021; based on malware characteristics and network infrastructure, its researchers concluded that the campaigns categorized as BabyElephant at the time were closely related to Rattlesnake. Based on the above open-source intelligence, this paper attributes the attack activity described here to the Rattlesnake organization.
The Spyder malware is associated with the Mahabharat organization; its main function is to download and run executables delivered by its C2 server. QiAnXin Threat Intelligence Center observed that Spyder has gone through at least two rounds of updates since July, and found that attackers have used Spyder to implant the Remcos Trojan on target hosts. Based on the captured malicious samples, the related attack activity has the following characteristics: (1) Some key strings in the Spyder downloader no longer appear in plaintext but are XOR-encrypted to evade static detection, and the format of the data the malware exchanges with the C2 server has also been adjusted; (2) The implanted Remcos Trojans were all the latest version available at the time; (3) From the names and configuration information of the Spyder samples, the victims can be inferred to include targets in Pakistan, Bangladesh, Afghanistan and other countries.
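The XOR obfuscation of key strings mentioned in (1) is trivial to undo once the key is known, and with a single-byte key it can simply be brute-forced. The following is an added example, not QiAnXin's code and not Spyder's actual routine: the key (0x5A), the blob and the NUL-terminated string layout are constructed for illustration, and the scoring heuristic is a generic one rather than anything taken from the sample.

```python
"""Recover single-byte XOR-obfuscated strings from a downloader blob.

Added example, not QiAnXin's code and not Spyder's actual routine: the
key (0x5A), the string table layout and the strings themselves are
constructed here for illustration.
"""
from typing import List, Tuple

# Bytes a decoded ASCII string table may legitimately contain: printable
# ASCII, tab/LF/CR, and NUL as a string terminator.
ALLOWED = set(range(0x20, 0x7F)) | {0x00, 0x09, 0x0A, 0x0D}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the same op encrypts and decrypts)."""
    return bytes(b ^ key for b in data)


def score(decoded: bytes) -> int:
    """Higher is more string-like: +1 per ASCII alphanumeric byte, -10 per
    byte that could not appear in an ASCII string table at all."""
    alnum = sum(1 for b in decoded if b < 0x80 and chr(b).isalnum())
    bad = sum(1 for b in decoded if b not in ALLOWED)
    return alnum - 10 * bad


def recover_key(blob: bytes) -> Tuple[int, int]:
    """Brute-force all 256 keys and return (best_key, best_score)."""
    ranked = sorted(((score(xor_bytes(blob, k)), k) for k in range(256)), reverse=True)
    best_score, best_key = ranked[0]
    return best_key, best_score


def split_strings(decoded: bytes) -> List[str]:
    """Split a NUL-terminated string table into its individual strings."""
    return [s.decode("ascii", errors="replace") for s in decoded.split(b"\x00") if s]


def decode_string_table(blob: bytes) -> Tuple[int, List[str]]:
    """Recover the key, decode the blob and return (key, strings)."""
    key, _ = recover_key(blob)
    return key, split_strings(xor_bytes(blob, key))


# Constructed sample: three NUL-terminated config strings XOR'd with 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_PLAIN = b"c2.example.invalid\x00/api/v1/task\x00User-Agent: Mozilla/5.0\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, strings = decode_string_table(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02X}")
    for s in strings:
        print("  ", s)
```

The penalty term matters more than the reward: several wrong keys also produce mostly printable output (XOR with a low byte just shuffles letters into other letters), but only the right key avoids turning NUL terminators, digits or uppercase letters into control characters. For a real sample, the blob would be carved from the section that the downloader's decryption loop reads.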
QiAnXin Threat Intelligence Center recently discovered a batch of complex downloader samples. These samples load PE files through multiple nested layers and ultimately download and execute follow-on payloads from a C2 server. One of the C2 server IP addresses was recently disclosed in connection with a software supply chain attack in which attackers delivered malware disguised as cryptography-related npm packages. Combining the information in that report with the downloader samples themselves, we can confirm that these downloaders are related to the npm package supply chain attack. Based on code characteristics of the downloader and other related samples, we have associated them with historical attack samples of the Lazarus organization. Considering Lazarus's habitual use of supply chain attacks, we believe the attackers behind this npm package poisoning incident are likely associated with Lazarus.
Recently, QiAnXin Threat Intelligence Center captured a phishing sample in CHM format targeting finance staff. When double-clicked, the CHM first drops and loads a .NET module, which selects and loads a shellcode according to the system architecture. The shellcode then downloads svchost.exe, libcef.dll and libcef.png from a remote server and runs the core malicious code in libcef.dll using the "white plus black" DLL side-loading technique (a benign executable, here named svchost.exe, loading the attacker's libcef.dll placed beside it); that code collects host information and browser history and sets up autostart persistence. The aim of this fraud against finance staff is to pull the accounts of finance personnel and impersonated senior executives into the same group chat and induce the finance staff to transfer money to a designated account, thereby realizing a profit.
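One practical hunt for the svchost.exe / libcef.dll side-loading pattern described above, as an added example (not QiAnXin's code): it runs two hash-independent checks over constructed Sysmon-style process-creation and image-load records, with illustrative paths. A file named svchost.exe running outside the System32 or SysWOW64 directory is masquerading, and libcef.dll (the Chromium Embedded Framework runtime) has no business being loaded by the genuine Windows svchost.exe.

```python
"""Hunt the svchost.exe / libcef.dll side-loading pattern in endpoint telemetry.

Added example, not QiAnXin's code. The events below are constructed in the
shape of Sysmon-style process-create and image-load records; the user-profile
paths are illustrative.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Directories where the genuine Windows svchost.exe lives (compared lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass(frozen=True)
class Event:
    kind: str          # "process_create" or "image_load"
    image: str         # full path of the process image
    loaded: str = ""   # DLL path, image_load events only


def file_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def directory(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, path) findings, de-duplicated and in first-seen order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        # Rule 1: svchost.exe masquerading outside the Windows system directories.
        if file_name(ev.image) == "svchost.exe" and directory(ev.image) not in SYSTEM_DIRS:
            hits.append(("svchost_outside_system_dir", ev.image))
        # Rule 2: a process calling itself svchost.exe pulling in the CEF runtime.
        if (ev.kind == "image_load" and file_name(ev.image) == "svchost.exe"
                and file_name(ev.loaded) == "libcef.dll"):
            hits.append(("svchost_loads_libcef", ev.loaded))
    return list(dict.fromkeys(hits))


# Constructed telemetry: one genuine svchost, one dropped copy side-loading libcef.dll.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System32\svchost.exe"),
    Event("image_load", r"C:\WINDOWS\system32\svchost.exe", r"C:\Windows\System32\rpcss.dll"),
    Event("process_create", r"C:\Users\Public\Documents\svchost.exe"),
    Event("image_load", r"C:\Users\Public\Documents\svchost.exe",
          r"C:\Users\Public\Documents\libcef.dll"),
]

if __name__ == "__main__":
    for rule, path in scan(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

Both rules fire on the dropped copy and neither on the real service host, which is the property a hunt query needs before it is promoted to an alert. The same two conditions translate directly into an EDR or SIEM query over the equivalent process and module-load fields.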
Extended Analysis of the Fraud Backdoor Claimed to Have Been Implanted in 20 Million Devices
Recently, QiAnXin Threat Intelligence Center noticed that the foreign security vendor HUMAN Security (humansecurity) publicly disclosed an incident named BADBOX, reporting that it had observed at least 74,000 Android-based phones, tablets and connected TV boxes worldwide showing signs of BADBOX infection; Trend Micro, for its part, states that the backdoor is believed to have been implanted in devices on the order of 20 million. HUMAN Security's report already contains a fairly detailed technical analysis of the incident, which interested readers can consult for themselves. In this article we mainly want to carry out some correlation and extended analysis based on QiAnXin's own intelligence visibility, in the hope of providing the industry with more supplementary information from our perspective.