Overview
Recently, through daily monitoring, QiAnXin Threat Intelligence Center and QiAnXin Network Security Department discovered a malicious installation package disguised as Navicat.exe. Multiple download links for this sample were found in Tianqing network data, and the homepage hosting the download links was spoofed to imitate the official website of NetSarang. Subsequently, multiple counterfeit operation and maintenance tools, such as Xshell, LNMP and the Baota Linux panel, were traced and identified from the certificate used to sign the malicious sample. Tianqing network data shows that this malicious installation package has already compromised hosts, so we analyzed the attack in detail as soon as possible.
The counterfeit operation and maintenance tools listed above are commonly used by domestic operations and network management personnel. Attackers take advantage of this user group's needs by building counterfeit official websites, inducing users to download the counterfeit tools, and then stealing confidential information by remotely controlling the victims' hosts.
Event Details
As informatization advances across industries in China, operation and maintenance tools are widely used by operations and network management personnel to improve work efficiency, which makes them an easy target for attackers.
Through QiAnXin Tianqing data, we found a download source for the installation package: hxxps://linhunq.com/zh/navicat/. We downloaded the Navicat Premium 16.exe installation package from this site.
Sample Analysis
The attack process of the malicious sample is as follows:
1. Attackers create a fake official website for operation and maintenance tools to induce victims to download a Navicat installation package bundled with a backdoor.
2. After the installation package is executed, the main Navicat program with the implanted remote control backdoor is released.
3. When the victim uses Navicat to connect to a database, the malicious code is triggered.
4. The Navicat process pulls the first-stage shellcode (3.log) from the first-stage C2 (navicat.amdc6766.net) and injects it into the system program wabmig.exe by thread hijacking.
5. The first-stage shellcode is a DLL loader that reflectively loads and runs the CcRemote RAT (second-stage shellcode), which connects to the second-stage C2 server (navicat02.amdc6766.net).
6. Attackers issue control instructions through the second-stage C2 server.
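The chain above leaves two host-level traces a defender can key on: the database client spawning wabmig.exe, and lookups of the staging/C2 domains. The following added example (not code from the report) runs that detection logic over constructed Sysmon-style events; the wabmig.exe path and event field names are assumptions for illustration.

```python
from typing import Dict, List

# Constructed sample events (not real logs from the report), modelled on
# Sysmon EventID 1 (process create) and EventID 22 (DNS query).
NAVICAT = r"C:\Program Files\PremiumSoft\Navicat Premium 16\navicat.exe"
WABMIG = r"C:\Program Files\Windows Mail\wabmig.exe"   # assumed path
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": NAVICAT, "parent": r"C:\Windows\explorer.exe"},
    {"id": "22", "image": NAVICAT, "query": "navicat.amdc6766.net"},
    {"id": "1", "image": WABMIG, "parent": NAVICAT},
    {"id": "22", "image": WABMIG, "query": "navicat02.amdc6766.net"},
    {"id": "1", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": "22", "image": NAVICAT, "query": "navicat.com"},
]

C2_DOMAIN = "amdc6766.net"   # parent domain of both C2 hosts named in the report
INJECTION_HOST = "wabmig.exe"  # system binary the shellcode is injected into
TOOL = "navicat.exe"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_c2_domain(name: str) -> bool:
    """True for amdc6766.net itself or any subdomain of it."""
    n = name.lower().rstrip(".")
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per event matching the report's behaviour."""
    alerts: List[str] = []
    for ev in events:
        img = basename(ev.get("image", ""))
        if ev["id"] == "22" and is_c2_domain(ev.get("query", "")):
            alerts.append(f"C2 domain lookup: {img} -> {ev['query']}")
        elif ev["id"] == "1" and img == INJECTION_HOST and basename(ev.get("parent", "")) == TOOL:
            # A database client has no legitimate reason to launch the
            # Windows Mail migration helper; this is the injection target.
            alerts.append(f"suspicious parent/child: {TOOL} spawned {INJECTION_HOST}")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```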
Confirmation of Malicious Code Logic Trigger Conditions
There are many files in the sample installation directory, but based on the file modification dates and the signature timestamps (which are relatively close to the present), we initially suspected that the malicious code was in the main Navicat program.
During the sample analysis, clues from QiAnXin product device logs showed that the sample injects code into the system process wabmig.exe. Dynamic debugging confirmed that a database connection must be performed to trigger the malicious code. This confirms that the attacker tampered with the main Navicat program and placed the malicious code in the database connection logic.
Extraction and Analysis of First-Stage Shellcode
After locating the approximate position of the backdoor code, analysis shows that the malicious sample injects code fetched from navicat.amdc6766[.]net/3.log through thread hijacking.
During dynamic debugging, the network request function was intercepted, and the captured traffic shows the DNS resolution of navicat.amdc6766[.]net followed by the download of navicat.amdc6766[.]net/3.log, as shown in the figure.
Directly accessing the remote address allows the shellcode file to be downloaded directly.
Dynamic debugging confirms the following logic: the malicious sample calls VirtualAlloc() to request memory for the first-stage shellcode, which it retrieves with an InternetReadFile() request for navicat.amdc6766.net/3.log. It then creates a new wabmig.exe system process and uses WriteProcessMemory() to write the first-stage shellcode into that process, passing the previously allocated memory address as a parameter. This conclusion is supported by the fact that the memory contents observed during dynamic debugging and the downloaded 3.log file are completely identical.
Based on the characteristics of the obtained shellcode, it can be determined that the open-source tool sRDI was used to generate the shellcode. According to the description of the project (hxxps://github.com/monoxgas/sRDI), sRDI allows DLL files to be converted into position-independent shellcode.
The MZ header inside the shellcode is located and that portion is dumped.
Extraction and Analysis of Second-Stage Shellcode
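sRDI prepends a position-independent loader stub to the original DLL, so the DLL survives inside the shellcode as a contiguous MZ/PE image. The following added example (not the report's or sRDI's code) locates and carves that image; it validates e_lfanew rather than stopping at the first "MZ" bytes, and the sample blob is constructed here as a stand-in for a dumped 3.log.

```python
import struct
from typing import Optional


def find_embedded_pe(blob: bytes) -> Optional[int]:
    """Offset of the first plausible PE image inside blob, or None.

    "MZ" alone gives false hits inside loader code, so we also require the
    DOS header's e_lfanew field (offset 0x3c) to point at a "PE\\0\\0"
    signature that lies within the blob.
    """
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = blob.find(b"MZ", pos + 1)
    return None


def carve_embedded_pe(blob: bytes) -> Optional[bytes]:
    """Dump from the MZ header to the end of the blob (the loader stub
    precedes the DLL, so the image extends to the end of the shellcode)."""
    off = find_embedded_pe(blob)
    return None if off is None else blob[off:]


def build_sample_shellcode() -> bytes:
    """Constructed stand-in for a dumped first-stage shellcode: a fake loader
    stub containing a decoy "MZ", followed by a minimal MZ/PE image."""
    stub = b"\x48\x83\xec\x28" + b"MZ\x90\x90" + b"\x90" * 60  # decoy at offset 4
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)                     # 64-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> PE sig
    pe = b"PE\0\0" + b"\x64\x86" + b"\x00" * 18                 # Machine = AMD64
    return stub + bytes(dos) + pe + b"\xCC" * 16


if __name__ == "__main__":
    sample = build_sample_shellcode()
    print("embedded PE at offset", find_embedded_pe(sample))
```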
Upon analyzing the first-stage shellcode, a second-stage shellcode (CcRemote RAT) that was reflectively loaded is found.
An analysis of the shellcode reveals the existence of a decryption function with a key of "iloveyou", indicating that the second-stage shellcode was encrypted and obfuscated.
Based on the above static analysis results, the decryption function is dynamically debugged to obtain the second-stage shellcode.
This decrypted second-stage shellcode is then dumped and analyzed, revealing behavior related to connecting to the second-stage C2 (navicat02.amdc6766[.]net).
Analysis of RAT Tool
The strings in the second-stage shellcode are extracted, and a GitHub search for them leads to an open-source RAT project whose code closely resembles the second-stage shellcode.
According to the project description, this is a project based on g0host RAT that has been redeveloped.
The attacker used the g0host RAT code from this project to develop the malicious DLL (second-stage shellcode), wrote a DLL Loader that reflectively loads this malicious DLL, and then used the sRDI evasion project to package the DLL Loader into first-stage shellcode. Finally, the Navicat main program was tampered with to implant the first-stage shellcode execution logic.
Threat Intelligence Correlation Analysis
There is limited threat intelligence available on the IOCs of this attack; however, the relevant IOCs have been marked as malicious on the QiAnXin Threat Intelligence Center platform. The C2 domain was recently registered and no similar poisoning events have been found on the Internet, indicating that this is a recently active gray/black market operation.
Trace Analysis
Tracing the Download Link of the Installation Package
According to QiAnXin Tianqing network data, this installation package first appeared in January 2023, and its outbreak peaked in March 2023. The directories in which it was found are all Internet download directories, indicating that it is mainly spread through website downloads.
Based on the analysis of the malicious sample download site, the site has forged the official website of Netsarang.
By clicking on some links inside the site, such as technical support, users will be redirected to the real official website.
Other operation and maintenance tools on the site can only be obtained through the normal trial application process; only Navicat can be downloaded directly. The site offers several languages, but only the Chinese Navicat page is accessible; the English version, for example, returns a 404 error page.
Another source, also a forged NetSarang official website, uses the same tactics.
Since the backdoor RAT was written by a Chinese developer, the C2 is hosted on Alibaba Cloud, and the Navicat page is only accessible in Chinese, this incident can be judged to be a poisoning attack targeting domestic users of database operation and maintenance tools.
Tracing the Certificate Signature of Malware Samples
Usually, only companies that develop software apply for code-signing certificates. However, the signing certificate belongs to "Zhiniao (Chengdu) Human Resources Service Co. Ltd.", a company that has no software products of its own. Searching QiAnXin Tianqing network sample data for this certificate reveals a large number of repackaged installation packages of various commonly used software signed with it.
This signature first appeared in October 2022, and had a peak in February-March 2023.
Subsequently, based on the certificate signature of the malicious sample Navicat installation package in this article, multiple fake operation and maintenance tool sites were further discovered.
Summary
In recent years, the number of poisoning incidents that use malicious software tailored to the needs of particular groups, with bait sites set up to distribute it, has increased. When downloading software tools, users should strengthen their security awareness and avoid downloading and using software from unknown sources, so as not to become prey for cyber attackers.
QiAnXin Red Raindrop team reminds users not to open links of unknown origin shared on social media, not to click on email attachments from unknown sources, not to run unknown files with exaggerated titles, and not to install apps from non-official sources. It is recommended to timely back up important files and update security patches.
If there is a need to install an app of unknown origin, it can be first analyzed through QiAnXin Threat Intelligence Center's deep analysis platform (https://sandbox.ti.qianxin.com/sandbox/page). Currently, the deep analysis platform supports the analysis of various file formats, including those for Windows and Android platforms.
Currently, all QiAnXin products based on threat intelligence data from QiAnXin Threat Intelligence Center, including TIP, Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, support precise detection of such attacks [1].
IOCs
Installation package source
hxxps://linhunq.com/zh/navicat/
hxxps://lukesoft.cc
hxxps://rj1.mqxsowp.cn
hxxps://www.navicatcn.net/download/navicat-premium.html
hxxps://navicatcn.net/zh/navicat/index.html
MD5
8829174fcbf689f0f7a189e937ab4022 (navicat.exe, 44494248 bytes)
17a96924c1ddacfc164e9fe7c79e5f8d (Navicat Premium 16.exe, 94074096 bytes)
C2
8.210.158.101
47.242.55.129
navicat02.amdc6766.net
navicat.amdc6766.net
Reference Links
[1] https://ti.qianxin.com/