
2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, during routine sample tracking and analysis, QiAnXin Threat Intelligence Center discovered malicious samples targeting Bhutan. The decoy content used by the samples was taken directly from a notice published on the Bhutanese government website. The document carries macro code that, through a series of VBS and BAT scripts, ultimately executes a backdoor written in Nim. Based on the code characteristics of this Nim backdoor, we correlated samples from attacks against Nepal and Myanmar, with the attack against Myanmar dating back to November of last year. The Nim backdoor is in fact a variant of the C++ backdoor [1] disclosed by domestic security vendors at the end of 2021. In February 2023, Group-IB released a report [2,3] disclosing spear-phishing attacks by the SideWinder (响尾蛇) group between June and November 2021; based on malware characteristics and network infrastructure, the researchers concluded that the attack campaigns attributed to BabyElephant at that time were closely related to SideWinder and that the two groups are closely connected. Based on the above open-source intelligence, this article attributes the attack activity discovered here to the SideWinder group.
SUSPECTED SIDEWINDER APT NIM BACKDOOR

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

The Spyder malware is associated with the Mahabharat (摩诃草) group; its main function is to download and run executables delivered by the C2 server. QiAnXin Threat Intelligence Center has observed that Spyder has gone through at least two rounds of updates since July, and found that attackers used Spyder to implant the Remcos Trojan on target hosts. Based on the captured malicious samples, the related attack activity has the following characteristics: (1) some key strings in the Spyder downloader no longer appear in plaintext but are XOR-encrypted to evade static detection, and the format of the data exchanged between the malware and the C2 server has also been adjusted; (2) the implanted Remcos Trojans were all the latest version obtainable at the time; (3) from the names and configuration information of the Spyder samples, it can be inferred that the victims include targets in Pakistan, Bangladesh, Afghanistan and other countries.
APT-Q-36 SPYDER

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a batch of relatively complex downloader samples. These samples go through multiple layers of nested PE file loading and ultimately download and execute follow-on payloads from a C2 server. One of the C2 server IP addresses was recently disclosed in connection with a software supply chain attack, in which the attackers delivered malware by disguising it as crypto-related npm packages. Combining the contents of that report with information from the downloader samples themselves, it can be confirmed that these malicious downloader samples are related to the npm package supply chain attack. Based on the code characteristics of the downloader and other related samples, we have linked them to historical attack samples of the Lazarus group. Considering Lazarus's habitual use of supply chain attacks, we believe the attackers behind this npm package poisoning incident are likely associated with Lazarus.
LAZARUS APT NPM

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, QiAnXin Threat Intelligence Center captured a phishing sample in CHM format targeting finance staff. When double-clicked, the sample first drops and loads a .NET module; the .NET module loads different shellcode depending on the system architecture; the shellcode downloads payloads such as svchost.exe, libcef.dll and libcef.png from a remote server and executes svchost.exe through a simulated-click process-chain-breaking technique so that it loads the core malicious code in libcef.dll, which collects host information and browser history and establishes persistence via auto-start. The aim of cybercriminals attacking finance staff is mainly to pull the finance employee and an account impersonating a senior executive into the same group chat, then induce the finance employee to transfer money to a designated account and thereby profit.
CYBERCRIME

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, QiAnXin Threat Intelligence Center noticed that the foreign security vendor humansecurity publicly disclosed an incident named BADBOX, reporting that it had observed at least 74,000 Android-based phones, tablets and internet-connected TV boxes worldwide showing signs of BADBOX infection; Trend Micro, for its part, stated that the backdoor is believed to have been implanted in devices on the order of 20 million. humansecurity has in fact already given a fairly detailed technical analysis of the incident in its report, which readers may consult if interested. In this article, we mainly want to carry out some correlation and extended analysis based on QiAnXin's own intelligence visibility, in the hope of providing the industry with further supplementary information from our perspective.
SECURITY EVENT ANALYSIS

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, during routine sample tracking and analysis, QiAnXin Threat Intelligence Center discovered malicious samples targeting Bhutan. The decoy content used by the samples was taken directly from a notice published on the Bhutanese government website. The macro code carried by the document runs a series of VBS and BAT scripts and ultimately executes a backdoor written in Nim. Based on the code characteristics of this Nim backdoor, we correlated attack samples targeting Nepal and Myanmar, with the attack on Myanmar traceable to November of last year. Based on open-source intelligence, this article attributes the attack activity discovered here to the SideWinder (响尾蛇) group.
SOUTH ASIA APT SIDEWINDER

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

The Spyder malware is associated with the Mahabharat (摩诃草) group; its main function is to download and run executables delivered by the C2 server. QiAnXin Threat Intelligence Center has observed that Spyder has gone through at least two rounds of updates since July, and found that attackers used Spyder to implant the Remcos Trojan on target hosts. Based on the captured malicious samples, the related attack activity has the following characteristics: (1) some key strings in the Spyder downloader no longer appear in plaintext but are XOR-encrypted to evade static detection, and the format of the data exchanged between the malware and the C2 server has also been adjusted; (2) the implanted Remcos Trojans were all the latest version obtainable at the time; (3) from the names and configuration information of the Spyder samples, it can be inferred that the victims include targets in Pakistan, Bangladesh, Afghanistan and other countries.
APT-Q-36 SPYDER REMCOS

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, QiAnXin Threat Intelligence Center captured a phishing sample in CHM format targeting finance staff. When double-clicked, the sample first drops and loads a .NET module; the .NET module loads different shellcode depending on the system architecture; the shellcode downloads payloads such as svchost.exe, libcef.dll and libcef.png from a remote server and executes svchost.exe through a simulated-click process-chain-breaking technique so that it loads the core malicious code in libcef.dll, which collects host information and browser history and establishes persistence via auto-start. The aim of cybercriminals attacking finance staff is mainly to pull the finance employee and an account impersonating a senior executive into the same group chat, then induce the finance employee to transfer money to a designated account and thereby profit.
CYBERCRIME

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a batch of relatively complex downloader samples. These samples go through multiple layers of nested PE file loading and ultimately download and execute follow-on payloads from a C2 server. One of the C2 server IP addresses was recently disclosed as having been used in a software supply chain attack, in which the attackers delivered malware by disguising it as crypto-related npm packages. Combining the contents of that report with information from the downloader samples themselves, it can be confirmed that these malicious downloader samples are related to the npm package supply chain attack.
APT LAZARUS NPM

2023-12-08 By 红雨滴团队 (RedDrip Team) | Incident Tracking

Recently, QiAnXin Threat Intelligence Center noticed that the foreign security vendor humansecurity publicly disclosed an incident named BADBOX, reporting that it had observed at least 74,000 Android-based phones, tablets and internet-connected TV boxes worldwide showing signs of BADBOX infection; Trend Micro, for its part, stated that the backdoor is believed to have been implanted in devices on the order of 20 million. humansecurity has in fact already given a fairly detailed technical analysis of the incident in its report, which readers may consult if interested. In this article, we mainly want to carry out some correlation and extended analysis based on QiAnXin's own intelligence visibility, in the hope of providing the industry with further supplementary information from our perspective.
SECURITY EVENT ANALYSIS MALWARE
