Incident Summary
Recently, QiAnXin Threat Intelligence Center detected a code poisoning incident targeting security researchers, carried out through a Proof of Concept (POC) published on GitHub under the name CVE-2023-35829. The attacker promoted the POC on Twitter as a working exploit for the vulnerability; however, when users compiled the code locally, a backdoor program was executed. Further analysis showed that the same attacker has been active since at least 2017, when they distributed backdoors disguised as a Content Construction Kit (CCK) module plugin and as phishing documents.
POC Code Poisoning
The attacker planted backdoor programs targeting Linux systems in several code repositories, disguising them as POCs for popular, trending vulnerabilities. The repositories containing the backdoor programs are listed below:
- https://github.com/apkc/CVE-2023-35829-poc
- https://github.com/ChriSanders22/CVE-2023-35829-poc.git
- https://github.com/ChriSanders22/CVE-2023-20871-poc
In these repositories the backdoor is stored in "./src/aclocal.m4", a file that normally holds only autoconf macros, and the Makefile is the execution entry point: running make on the cloned code builds the supposed exploit and, as a side effect, implants a backdoor named "kworker". The name mimics the legitimate Linux kernel worker threads, so the process does not stand out in a process listing.
The kworker backdoor copies itself to the user's home directory and achieves persistence by modifying the .bashrc file, so it is relaunched with every interactive shell. It then connects to "hxxp://cunniloss.accesscam.org/hash.php" to receive and execute commands from the attacker.
The C2 server then issues a wget command that downloads and executes a Bash script. The script collects victim information and adds the attacker's SSH keys. If the C2 server receives malformed requests, it blacklists the client's IP address in an attempt to hinder analysis by security personnel.
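The practical lesson of this chain is that "make" is an execution entry point, so a cloned POC should be audited before it is built. The following script is an added example written for this article; it is not code from QiAnXin or from the attacker's repositories. It walks a checkout and flags the patterns the report describes: a payload hidden in a build-system file (Makefile, aclocal.m4, configure, shell scripts) and recipe lines that decode a blob, copy a file into $HOME, append to ~/.bashrc, fetch and pipe to a shell, or start a background process. The rule names, the thresholds and the sample repository it builds are constructed for illustration; the sample's dropper commands are a stand-in, not the real malware's.

```python
"""Pre-build audit of a cloned "POC" repository.

Added example; this is not code from QiAnXin or from the attacker's repositories.
It flags the patterns the report describes: a payload hidden in a build-system
file (Makefile, aclocal.m4, configure) and a recipe that drops a file into $HOME
and appends to ~/.bashrc. Rule names and the sample repository are constructed.
"""
from __future__ import annotations

import base64
import os
import re
import tempfile
from dataclasses import dataclass

# Files a build system is expected to contain; a payload can hide in any of them.
BUILD_FILES = re.compile(r"^(GNUmakefile|[Mm]akefile.*|configure(\.ac)?|.*\.m4|.*\.sh)$")

# Recipe lines that have no business in the build of a legitimate exploit PoC.
SUSPICIOUS_RECIPE = [
    ("remote-fetch",   re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("shell-rc-write", re.compile(r">>?\s*[\"']?(\$\{?HOME\}?|~)/\.(bashrc|profile|bash_profile|zshrc)")),
    ("home-drop",      re.compile(r"\b(cp|mv|install)\b.*\s(\$\{?HOME\}?|~)/")),
    ("decode-exec",    re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("background-run", re.compile(r"\bnohup\b|\bsetsid\b|(?<![&>])&\s*$")),
]
# A long unbroken run of base64 alphabet is how a binary usually ends up in an m4/shell file.
LONG_B64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
ELF_MAGIC = b"\x7fELF"


@dataclass(frozen=True)
class Finding:
    path: str
    line: int       # 0 for whole-file findings
    rule: str
    evidence: str


def audit_bytes(path: str, raw: bytes) -> list[Finding]:
    """Apply every rule to one build file's contents. Pure function: nothing is executed."""
    findings = []
    if ELF_MAGIC in raw:
        findings.append(Finding(path, 0, "embedded-elf", "ELF header inside a build file"))
    text = raw.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        if LONG_B64.search(line):
            findings.append(Finding(path, lineno, "long-base64", line[:60] + "..."))
        for rule, pattern in SUSPICIOUS_RECIPE:
            if pattern.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()[:120]))
    return findings


def audit_repo(root: str) -> list[Finding]:
    """Walk a checkout (skipping .git) and audit every build-system file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in sorted(filenames):
            if BUILD_FILES.match(name):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    findings.extend(audit_bytes(full, fh.read()))
    return findings


def build_sample_repo() -> str:
    """Constructed sample (a stand-in, not the real dropper): a Makefile whose recipe
    runs a script hidden in src/aclocal.m4; the script decodes a blob, copies it into
    $HOME and appends a launcher line to ~/.bashrc."""
    root = tempfile.mkdtemp(prefix="poc-audit-")
    os.makedirs(os.path.join(root, "src"))
    blob = base64.b64encode(b"\x00" * 300).decode()    # stands in for an encoded ELF
    with open(os.path.join(root, "src", "aclocal.m4"), "w") as fh:
        fh.write("# generated automatically by aclocal 1.16 -*- Autoconf -*-\n")
        fh.write(f"dnl {blob}\n")
        fh.write("echo $PAYLOAD | base64 -d > .kworker; cp .kworker $HOME/.kworker\n")
        fh.write("echo '$HOME/.kworker &' >> $HOME/.bashrc\n")
    with open(os.path.join(root, "Makefile"), "w") as fh:
        fh.write("all: exploit\n\nexploit: exploit.c\n")
        fh.write("\t$(CC) -o exploit exploit.c\n")
        fh.write("\tsh src/aclocal.m4 >/dev/null 2>&1 &\n")
    return root


if __name__ == "__main__":
    for f in audit_repo(build_sample_repo()):
        print(f"{f.path}:{f.line} [{f.rule}] {f.evidence}")
```

Run it against a fresh clone before typing make; on the constructed sample it reports the background launch in the Makefile and the base64 blob, the decode, the copy into $HOME and the .bashrc append in src/aclocal.m4. The rules are deliberately simple string patterns: they catch the shape of this incident, not every possible dropper, so a clean run is a reason to proceed in a throwaway virtual machine, not a clean bill of health.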
The malicious code was publicly disclosed on Twitter [1] two days after it was implanted; at the time of writing, the repositories containing it and the associated C2 server remain active.
Historical Activity Records
By analyzing historical samples associated with the C2 domain, we discovered additional traces of the attacker's activities:
Backdoored CCK Module Plugin
In 2017, the attacker propagated a backdoored CCK module plugin named "ucicinemas_plugin-1.35". CCK (Content Construction Kit) is a Drupal module used to extend and customize content types. When users installed the plugin, it executed a Python Trojan called "pyTone", packaged with PyInstaller.
Phishing Documents
The attacker has also delivered phishing documents to targets in Italy, disguising the backdoor as an invoice using terms such as "fattura" (Italian for invoice). When a victim opened the document, the pyTone backdoor ran and displayed an error message.
pyTone Backdoor Program
pyTone is a backdoor written by the attacker in Python in 2017. Unlike kworker, it primarily targets Windows. It is typically packaged as an executable (.exe) with PyInstaller, which bundles the interpreter and so removes any dependency on Python being installed on the victim's machine.
In addition to conventional, fixed C2 domain names, pyTone also derives C2 domain names with a domain generation algorithm (DGA) based on the current date (the patterns are listed under DGA in the IOCs section).
pyTone offers a full set of backdoor functions, including command execution, screen capture and file theft.
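Because the DGA listed in the IOCs is just the date formatted as %Y%m%d under three dynamic-DNS suffixes, a defender can enumerate every domain it can ever produce and hunt for them retroactively in DNS logs. The following is an added example written for this article, not QiAnXin's or the attacker's code. It implements only what the IOC section states (<%Y%m%d>.mooo.com, .ddns.net, .hopto.org); the choice of UTC for "today", the log format and the sample log lines are assumptions constructed for the example.

```python
"""pyTone date-based DGA: candidate generation and a DNS-log hunt.

Added example, not code from QiAnXin or from the malware. The only facts taken
from the report are the three patterns in the IOC section. Assumptions: the
malware uses the UTC date (the report does not say), and the sample log lines
below are constructed in a dnsmasq-like format.
"""
from __future__ import annotations

import re
from datetime import date, datetime, timedelta, timezone

DGA_SUFFIXES = ("mooo.com", "ddns.net", "hopto.org")   # from the IOC section

_LABEL = r"(\d{8})\.(mooo\.com|ddns\.net|hopto\.org)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}$", re.IGNORECASE)
# In free text: not glued to a preceding label, and not a prefix of a longer name
# (a trailing dot, as DNS logs often print, is still accepted).
_LOG_RE = re.compile(rf"(?<![\w.-]){_LABEL}(?!\.?[\w-])", re.IGNORECASE)


def _as_date(day: date | str) -> date:
    return date.fromisoformat(day) if isinstance(day, str) else day


def dga_domains(day: date | str) -> list[str]:
    """All candidate C2 domains for one day ("2017-06-05" or a date object)."""
    stamp = _as_date(day).strftime("%Y%m%d")
    return [f"{stamp}.{suffix}" for suffix in DGA_SUFFIXES]


def dga_domains_range(start: date | str, end: date | str) -> list[str]:
    """Candidates for every day in [start, end]; feeds a blocklist or a retro-hunt."""
    d, end = _as_date(start), _as_date(end)
    out = []
    while d <= end:
        out.extend(dga_domains(d))
        d += timedelta(days=1)
    return out


def current_dga_domains(now: datetime | None = None) -> list[str]:
    """Today's candidates. Assumes the malware takes the UTC date."""
    now = now or datetime.now(timezone.utc)
    return dga_domains(now.date())


def is_dga_domain(name: str) -> bool:
    """True if `name` is exactly <8 digits>.<suffix> and the digits form a real date."""
    m = _DOMAIN_RE.match(name.rstrip(".").lower())
    if not m:
        return False
    try:
        datetime.strptime(m.group(1), "%Y%m%d")
    except ValueError:          # e.g. 99999999.hopto.org is not a DGA output
        return False
    return True


def hunt_dns_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (domain, line) for every log line that queries a domain the DGA could produce."""
    hits = []
    for line in lines:
        for m in _LOG_RE.finditer(line):
            dom = m.group(0).lower()
            if is_dga_domain(dom):
                hits.append((dom, line))
    return hits


# Constructed sample log lines (not real telemetry): one true hit per suffix style,
# one invalid date, one unrelated domain and one look-alike under another zone.
SAMPLE_DNS_LOG = [
    "Jun  5 09:12:01 ws01 dnsmasq[812]: query[A] 20170605.mooo.com from 10.0.0.15",
    "Jun  5 09:12:03 ws01 dnsmasq[812]: query[A] updates.example.org from 10.0.0.15",
    "Jun  5 09:12:07 ws01 dnsmasq[812]: query[A] 99999999.hopto.org from 10.0.0.15",
    "Jun  5 09:12:09 ws01 dnsmasq[812]: query[A] 20170605.mooo.com.evil.example from 10.0.0.15",
    "Jun  5 09:12:11 ws01 dnsmasq[812]: query[A] 20170605.ddns.net. from 10.0.0.22",
]

if __name__ == "__main__":
    print(dga_domains_range("2017-06-01", "2017-06-03"))
    for dom, line in hunt_dns_log(SAMPLE_DNS_LOG):
        print("DGA hit:", dom, "<-", line)
```

Two points matter in practice. First, a plain substring match on the three suffixes would drown in legitimate dynamic-DNS traffic, so the matcher insists on exactly eight digits that parse as a calendar date directly under the suffix. Second, because the algorithm has no seed other than the date, the full set of domains for any investigation window can be generated ahead of time and loaded into a sinkhole or blocklist, which is rarely possible with a real DGA.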
Propagation Scope
According to observations from QiAnXin Threat Intelligence Center, several security researchers in China ran the backdoor; fortunately, most of the testing was conducted in virtual machines. The incident spread widely because the fake POC link was covered and shared by security media and influential accounts on Twitter, both in China and abroad. Some of the articles that reposted the link have still not been taken down.
Summary
This incident specifically targeted the security industry, a marked departure from the attacker's historical targets and after a long gap in activity; it signals the attacker's return to an active state. Because the conditions for compromise are relatively strict (the victim must clone and build the code), the attacker so far appears to have only collected information from compromised hosts without taking further action, suggesting this was more an exploration of the technique than a full campaign.
In recent years, attacks on the security industry such as POC poisoning and security-tool poisoning have been frequent. QiAnXin Threat Intelligence Center advises everyone to remain vigilant with related resources and tools found online and, wherever possible, to avoid testing or using them directly on physical machines. The sample is precisely detected by QiAnXin products built on its threat intelligence data, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System and QiAnXin NGSOC.
IOCs
Domain:
cunniloss.accesscam.org
sentsondme.ddns.net
apachehome.chickenkiller.com
seltereff.afraid.org
popescurum.hopto.org
popescu898.mooo.com
IP:
81.4.109.16
MD5:
7847d26ff86284dce7c3caf3de69a129
377b507ed9334fc36c40f3ccb7c1773a
c85c5442f7540b2f9338d9dee6a1a2b4
DGA:
<%Y%m%d>.mooo.com
<%Y%m%d>.ddns.net
<%Y%m%d>.hopto.org
Reference Link
[1] https://twitter.com/xnand_/status/1676336329985077249