
Gang Background

In December 2024, the RedDrip Team of the Qi'anxin Threat Intelligence Center uncovered the black market group UTG-Q-1000 and disclosed four different "groups": the Finance Group, the News and Romance Group, the Design and Manufacturing Group, and the Black Eating and Black Watering Hole Group. Among them, the "Finance Group" has a clear division of labor and clear goals. It specifically targets financial personnel and managers of enterprises and institutions, aiming to steal sensitive financial information or to profit directly through fraud. Its attack methods are extremely deceptive: it is good at producing highly realistic phishing content, often disguised as "tax audits", "electronic invoices", "subsidy announcements", "company rosters", "personnel transfers" and other topics closely related to financial work, to trick victims into downloading and running Trojans. The group's tooling iterates rapidly, using multi-stage loaded "Silver Fox" and other remote control Trojans, and it frequently uses legitimate cloud services such as Alibaba Cloud OSS and Youdao Cloud Notes to host malicious payloads and evade detection. For its infrastructure, such as C2 servers, it prefers to register short domain names containing random characters. With a strong focus on anti-virus evasion and anti-countermeasure strategies, the group has continuously evolved to circumvent security software detection, later abusing the functions of legitimate commercial monitoring software such as WorkWin and IP-Guard, and even exploiting logic flaws in other software to carry out "white-exploitation" attacks, demonstrating advanced stealth techniques.


Overview of the Incident

Recently, the national childcare subsidy policy is about to be fully implemented, and the program under which each child receives a 3,600 yuan subsidy has become a hot topic of public discussion. While countless families were eagerly anticipating this beneficial policy, the Qi'anxin Threat Intelligence Center discovered that a black market criminal group had already taken action. The UTG-Q-1000 criminal group set up numerous phishing websites overnight, mass-distributing phishing QR codes, forging subsidy application pages, and creating fraudulent policy interpretation documents to steal victims' identities, bank card information, and passwords. After tracing the source and countering the C2 server, we discovered the group's various WeChat group phishing tactics, multiple remote control software backends, and WeChat chat log extraction and filtering tools placed on desktops.


Phishing Pages

After controlling the victim's computer through various methods such as watering holes and phishing, the "Finance Group" uses the victim's social software to send phishing page QR codes to various groups, attempting to steal group members' bank card numbers and passwords and drain their bank card funds for profit. After successfully sending the phishing QR code and accompanying text in a group, they also make notes in the backend of the remote control software.

After careful screening, there are as many as 37 victims, most of whom are Windows 10 users.

In order to prevent victims from seeing the computer control interface, attackers usually choose to control the computer after 8 pm. For victims whose controlled computers are corporate work computers, attackers use the functions of creating schedules and sending scheduled messages in corporate office communication software to automatically send phishing QR codes and related words during working hours.

The attacker controls the victim's computer to create a schedule to spread phishing QR codes.

The QR code of the phishing page is as follows :

This QR code points to http://whlq89621549.com/?member=ylxuqxmz, and another QR code points to http://snto-cn.com?member=ylxuqxmz.

The two phishing websites present exactly the same content. In-depth analysis found that the page is actually a loader whose core mechanism is to dynamically create an iframe to load the real phishing page. Before creating the iframe, the attacker first issues a fetch request to an interface that looks like an image resource but is carefully disguised to deliver malicious data: the real phishing URL, Base64-encoded and XOR-encrypted, is hidden at the end of the returned image data.

After the server returns the image data, the attack code locates the encrypted data segment via the fixed feature identifier 0x21FE, runs the decryption routine to recover the target URL, and sets it as the iframe's src attribute. The attacker adopts this multi-layer evasion strategy to bypass URL risk control detection and static feature scanning.

This black market gang has a clear division of labor and uses a membership system to track the success rate of phishing pages. The redirected URLs carry the member parameter, followed by the member ID "ylxuqxmz". This member ID identifies who placed the phishing QR code. The redirection relationship of the phishing page is as follows:

Clicking "Apply Now" on the phishing page first invokes the "loader" container, which displays "Please wait" and then parses the URL. The member parameter is used to construct a request URL: http://snto-cn.com/api.php?member=ylxuqxmz. This URL serves a fake GIF image. The identifier 0x21FE is located to obtain the content that follows it, which is then Base64-decoded and XOR-decrypted. The XOR key is "YourSecretKey123!@#".
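An analyst-side decoder for the loader's hidden URL, written here as an added example (not code from the phishing kit or from Qi'anxin): it finds the 0x21FE marker in the fake GIF, Base64-decodes what follows and XORs it with the key quoted above. It assumes the Base64 text runs from just after the marker to the end of the data (the page does not spell out the exact framing), and the sample "GIF" and URL are constructed for offline testing.

```python
import base64
import re
from typing import Optional

# Marker and key as described in the analysis of the loader page.
MARKER = b"\x21\xfe"                  # GIF comment-extension introducer 0x21FE
XOR_KEY = b"YourSecretKey123!@#"      # key quoted on the page


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the loader's 'decryption' step)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_hidden_url(image: bytes) -> Optional[str]:
    """Recover the iframe target hidden after the 0x21FE marker.

    Assumption: the Base64 payload sits at the end of the image data, so the
    last marker occurrence is used (Base64 is ASCII and cannot contain 0xFE),
    and only the Base64-alphabet run after it is decoded.
    """
    idx = image.rfind(MARKER)
    if idx < 0:
        return None
    tail = image[idx + len(MARKER):]
    m = re.match(rb"[A-Za-z0-9+/=]+", tail)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(0), validate=True)
    except ValueError:
        return None
    return xor_bytes(raw, XOR_KEY).decode("utf-8", errors="replace")


def build_sample(url: str) -> bytes:
    """Constructed stand-in for the api.php response: a minimal GIF header,
    the marker, the encoded URL, then the GIF trailer byte 0x3B."""
    header = b"GIF89a" + bytes(7)
    payload = base64.b64encode(xor_bytes(url.encode("utf-8"), XOR_KEY))
    return header + MARKER + payload + b"\x3b"


SAMPLE_URL = "https://example.invalid/1.html?member=ylxuqxmz"  # constructed
SAMPLE_GIF = build_sample(SAMPLE_URL)

if __name__ == "__main__":
    print(extract_hidden_url(SAMPLE_GIF))
```

Point the decoder at a captured api.php response to recover the real iframe target for blocklisting without executing the loader.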

The following figure is decrypted from the api.gif data URL.

Then an iframe node is dynamically created and inserted, and a predefined CSS class is appended so that its visual presentation blends seamlessly into the page's original structure. The decrypted URL is assigned to the src attribute to trigger loading of the target page.

The target page 1.html (subsidy application system) first prints the member name it obtained. If the member exists, it sends a request with this parameter to the interface https://bmppc.cn/add_visit.php. The backend returns JSON data containing the visit statistics for this member (today, yesterday, cumulative).

As of the time of writing this article, the number of phishing attempts by member "ylxuqxmz" is 113.

The page also verifies that the Chinese name and ID number are well-formed, to prevent victims who distrust the page from advancing to the next stage by filling in made-up information.

After filling in the information, jump to 2.html ( the page for collecting bank card number and mobile phone number information), which also has an information verification step.

After filling in the relevant information, it is submitted to the server via a POST request to https://bmppc.cn/submit.php. The server then returns an ID, which is carried along when the page jumps to 4.html (the password input page).

The ID returned by the server is actually the insertion ID of the last record. Since it is an auto-increment ID, and hundreds of values were added in just a few hours during our analysis, this ID is likely the count of successful phishing submissions across all members.

The new page tricks victims into filling in their bank card passwords, using a custom "numeric keyboard" to input, and prohibiting direct input using the system keyboard.

At the same time, the current online or offline status is reported and there is a heartbeat mechanism. The address for reporting status is https://bmppc.cn/update_status.php, and the heartbeat address polled every second is https://bmppc.cn/heartbeat.php.

If the user enters the 6-digit password, the concatenated information is submitted to https://bmppc.cn/get-ayment.php and the page then jumps to 3.html (account information confirmation page).

When the DOMContentLoaded event is triggered , collect page information and send it to the server https://bmppc.cn/save_title.php.

If the victim does not input anything for a long time, the final page polls the user status and redirects according to the status code, requesting https://bmppc.cn/status_check.php once every 3 seconds; if the returned status_code is between 1 and 15, it jumps to {statusCode}.html.

In our test it jumped to 5.html (verification code acquisition page), which imitates the countdown seen on common pages.

The server address for information collection has been changed to https://bmppc.cn/get-certificate.php.

If the mobile phone verification code is not entered, the user status will be polled and the page will be redirected to 11.html ( change mobile phone page ) according to the status code.

Click "Change Phone" to jump to 7.html ( change number page ).

Clicking "Apply for subsidy now" will jump to page 4.html ( password input page ) , thus completing a cycle.

When the victim enters the password in 4.html (password input page), it jumps to 3.html (account information confirmation page).

Fill in your account balance and submit the information via POST to http://houtai4jian.fjhpdjt.cn/get-code.php.

After clicking "Confirm Submit", the page will jump to page 6.html ( the comprehensive service acceptance page ). This page pretends to be processing the system, asking the victim to wait for 5-10 minutes. During this time, the group actually uses the stolen information to steal the card.

If a mobile phone verification code is required during the fraudulent transaction , the page will jump to 10.html ( the verification code acquisition page ) , which is exactly the same as 5.html ( the verification code acquisition page ) , and the victim will be tricked into entering the mobile phone verification code to complete the fraudulent transaction.

The attacker polls the user's status and jumps to the specified page in response to the specified status code based on the reason for the failed card theft, such as jumping to page 9.html ( bank card password error page ) , which has the same source code as page 4.html ( password input page ) , to trick the victim into entering the correct bank card password.

Or jump to 12.html ( change card number page ) , the group also clearly reminds on the page that the bank card balance must be greater than 3,000 yuan.

In addition, in 13.html (the SMS sending page), the server https://bmppc.cn/db.php responds with the SMS content, inducing users to copy it and send it to a designated number. This may be to unblock the account or to steal the user's verification code.

Source code of the server's SMS content response.

Clicking "Send SMS" will send the SMS content to the server https://bmppc.cn/record_sms_sent.php , and then jump to page 6.html ( comprehensive service acceptance page ) to confuse the victim, and the attacker will take the opportunity to steal the card.

However, page 14.html ( the page for sending SMS messages again ) will prompt the victim that the SMS content was sent incorrectly and needs to be resent.

Page 15.html ( Change Card Number ) is another trap set by the attackers to trick victims into changing their card numbers. Clicking "Change Card Number" redirects them to page 2.html ( collecting bank card and phone number information ), starting a new round of fraud.


Dual-control Trojan

We also found a malicious exe file on the desktop. Analysis revealed it was another commercial control software distributed by the attacker to the victim. The basic information of the malware is as follows.

MD5: 7759E77E6A523FDA149792C9346B9EEF
File Name: 128zq.exe
File Size: 8.07 MB (8,462,848 bytes)
Creation Time: 2025-08-19 17:06:16

This sample is written in Go and is actually a downloader. The download address is https://gootk-1328636939.cos.ap-guangzhou.myqcloud.com/windowsSetup128.msi. It downloads the file, saves it to C:\windowsSetup128.msi and executes it with msiexec.

windowsSetup128.msi uses custom actions to execute the dropped client files.

The client is a self-extracting program. The file carries a valid digital signature of "Shandong Anzai Information Technology CO., Ltd.". Upon investigation, it was found that the software is actually commercial software.

The dropped servercfg file contains the configured C2 address.


Remote control backend

Continuing to dig deeper, we discovered multiple remote control software servers based on winos4.0 (malware, not Windows source code), such as a server that modified the source code to use IOCP communication.

Its client generation panel is as follows:

The 64-bit plugins carried are as follows:

The 32-bit plugins carried are as follows:

Another dual-control server, to which the author added skin settings.

A server modified from the Gh0st source code, with a control panel that generates online (client) files.

Another malware server; no client generation method has been found yet.

A Python script that adds a forged signature to a specified file.

A malware package ("Little Genius") was also discovered. This package processes WeChat chat logs in batches, extracting valuable information for later fraud or other purposes. According to the software's registration information, this malware was also purchased from elsewhere and has a one-year validity period.

In addition, several legitimate signed ("white") programs used for "white plus black" abuse, in which a trusted program loads a malicious component, were found.


Summary

The UTG-Q-1000 group has been one of the most active and frequently attacking black market organizations in China in recent years. Its operations are extensive, encompassing a complete illegal profit chain involving theft of secrets, remote control, and financial fraud. Driven by the enormous profits, the group is highly motivated, demonstrating a high level of technological sophistication and rapid iteration.

Its attack activities have several notable characteristics:

Strong anti-virus evasion and anti-countermeasure capabilities: The attack samples they produce evade detection well and are frequently updated, usually using multi-stage loading, cloud-service distribution of payloads, encryption, and obfuscation to bypass security detection. Some attack samples even actively fight antivirus software, attempting to terminate the security software process.

Sophisticated social engineering techniques: The phishing pages they created are highly disguised, with progressive content that closely aligns with current hot topics or target professional needs (such as taxes, subsidies, and personnel notices), gradually gaining the victim's trust, inducing them to relax their vigilance, and execute malicious programs.

Organizational and modular operations: The group may be divided into multiple specialized groups (such as the "Finance Group" and the "Design and Manufacturing Group") based on different attack targets (such as financial personnel, designers, and ordinary netizens). Even if they use the same Trojan family (Silver Fox), they have different tactical focuses, showing a high degree of organization and modularity.

In summary, UTG-Q-1000 is a large-scale criminal network with advanced technology, complex structure, and extremely harmful effects. It is a cyber threat that enterprises and organizations, especially those in financial and sensitive positions, need to focus on guarding against.


Protection Recommendations

Qi'anxin Threat Intelligence Center reminds users to be wary of phishing attacks. Do not open unidentified links shared on social media, click on or execute email attachments from unknown sources, run unknown files with exaggerated titles, or install apps from unofficial sources. Back up important files and install patches promptly.

If you need to run or install an application of unknown origin, you can first identify it through the Qi'anxin Threat Intelligence File In-Depth Analysis Platform ( https://sandbox.ti.qianxin.com/sandbox/page). Currently, we support in-depth analysis of files in various formats, including Windows and Android platforms.

At present, the full range of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), TianQing, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness, etc., already support accurate detection of such attacks.


IOC

MD5

7759E77E6A523FDA149792C9346B9EEF

4267E6D9EE6C409B2CB5D3A1B0B0A270

Phishing websites

http://whlq89621549.com

http://snto-cn.com

https://jnscx.com

C&C

https://bmppc.cn

43.132.222.128
