Overview
QiAnXin Threat Intelligence Center discovered an unusual behavior during routine endpoint operations, where a process named WindowsPackageManagerServer, through complex operations, eventually initiated the undetected Lumma Stealer. We promptly initiated an investigation and ultimately found the corresponding malicious installation package on the Microsoft App Store, presenting itself as the Russian version of the 7Zip software. Our tests confirmed that the official 7ZIP installation program was not available on the Microsoft App Store. However, the malicious installation package would appear when users searched for keywords related to "7z."
We immediately reported the situation to Microsoft, and as of now, the malicious software has been removed from the Microsoft App Store. The timeline of the report is as follows:
Upon tracing, we found that this installation package first appeared in January 2023 and evaded detection for almost a year. Internally, we named this group UTG-Q-003 and publicly disclosed the details of the incident and IOCs to the open-source community for analysis and investigation by fellow security vendors.
Attack Chain
It remains unclear how the attackers managed to upload the malicious installation package to the Microsoft App Store. According to QiAnXin's big data platform, the earliest download of the 7z-soft software occurred on March 17, 2023. The execution chain is as follows:
JPHP is an open-source project that uses the Java virtual machine to execute PHP code, compiling PHP source code into Java bytecode and running it inside the JVM. This results in effective evasion of detection. Attackers utilized the JPHP library function "jurl" to download subsequent payloads from a remote server.
To maintain a prolonged evasion period, the attackers frequently updated payloads on their C2 server. We observed 2~3 soft.exe files with different MD5 hashes being requested daily. The primary goal was to steal various types of files, including txt, doc, rdp, key, wallet, seed, lnk, etc. The involved malware families were Redline Malware, Lumma Stealer, and Amadey.
Based on VirusTotal data, we observed that 7z-soft.exe had alternative download methods besides being delivered through the Microsoft App Store.
The mentioned URLs are currently inaccessible. However, historical data reveals that after requesting the domain (“deputadojoaodaniel.com.br”), it redirected to a link hosted on cdn.discordapp.com.
Inspection of the historical HTML pages of both domains showed that they were WordPress websites, indicating that UTG-Q-003 likely invaded WordPress sites and used them as a springboard to store payloads and implement webpage redirection. This attack method is prevalent among Russian-speaking groups.
In October, we detected a direct redirection from “analiticaderetail.com” to the “browserneedupdate.com” page. Our analysis indicated another attack chain by the attackers, involving a social engineering attack leveraging the Chrome browser's message push mechanism. The attack process is as follows:
Attackers have created a relatively realistic Cloudflare DDoS protection page, claiming that the domain is currently under a DDoS attack. Subsequently, a fake human verification dialog appears, enticing victims to click.
Upon clicking, a new page is launched, redirecting to the “brolink2s.site” domain and loading a JavaScript (JS) script. The JS script primarily functions to display notifications and lure victims into clicking the allow button.
Once the victim chooses “allow” option, the website is added to Chrome's push notification list, enabling notifications applicable to every platform (MAC, Windows, Android).
Even if the victim's browser is closed, the attacker can still push relevant links through Windows notifications. The push effect is illustrated as follows:
We have observed a total of 10 domains redirecting to “browserneedupdate.com” from October to the present. The domain types include movie resource sites and software development, suggesting that in the first stage of the attack, the attacker could deliver phishing emails inducing victims to enable message notifications. By leveraging legitimate website invasions for redirection, they could bypass email gateway detection. In the second stage, based on the target host's platform, the attacker can push customized phishing links, enticing victims to download and open bait files. This social engineering method is more credible than phishing emails prompting users to update software and is highly covert.
| - |
|---|
| Domain |
| analiticaderetail.com |
| creatologics.com |
| www.50kmovie.com |
| linta.software |
| captionhost.net |
| www.bcca.kr |
| opwer.top |
| fms.net.br |
| leanbiome-leanbioome.com |
| zuripvp.tk |
| creatologics.com |
In addition, UTG-Q-003 has also delivered installation packages of the following types, all based on the JPHP framework.
Attribution and Impact
Based on telemetry data from QiAnXin Threat Intelligence Center, the number of downloads of this installation package from the Microsoft App Store has significantly increased since August. We suspect it may be related to the WinRAR vulnerability. Approximately four to five days after the public disclosure of the EXP for CVE-2023-38831, APT groups from East Asia initiated phishing attacks on mainland China. Some organizations may have requested employees to use compression software other than WinRAR. Additionally, domestic search engines have been manipulated by SEO black hat groups, making it difficult to find the official 7zip download site. Consequently, some users have to downloading 7zip from the Microsoft App Store, leading to compromise.
This explains why negative reviews on a Russian malicious installation package are submitted by Chinese users, which may seem ironic but reflects the current poor ecology of software downloads in China.
The registration information for the domains used by the attackers is related to Russia and Ukraine, but we cannot obtain information about foreign victims, especially in Russian-speaking regions. Therefore, relevant attribution cannot be determined.
Conclusion
Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, QiAnXin Situational Awareness, etc., already support accurate detection of such attacks.
IOC
For detailed IOC regarding UTG-Q-003, please refer to QiAnXin Threat Intelligence Center's RedDrip Team Github [1].
Reference Link
[1]. https://github.com/RedDrip7/APT_Digital_Weapon/tree/master/UTG-Q-003