
Overview

QiAnXin Threat Intelligence Center has identified targeted Chinese phishing emails in its daily operations, where the body of the email is logically structured and uses content related to game recruitment from major internet companies and AI technology. The email aims to entice the HR departments of targeted companies to open encrypted attachments containing malicious lnk files. This allows the attackers to establish a foothold within the internal network and seek further lateral movement. After a brief investigation, the group responsible for these activities has been named UTG-Q-010, a financially motivated targeted attack group located in East Asia.

Considering some issues raised by foreign cybersecurity vendors in their references to our previous disclosure of UTG-Q-007 [1,2], it is necessary to explain the origin of QiAnXin’s “UTG” (Unknown Threat Group) numbering convention. To address the mismatch between the threats identified by QiAnXin's government and enterprise endpoints and the commonly known APT threats, as well as the fact that some APT campaigns are outsourced to private companies, we have identified several highly harmful and active threat groups from hundreds of attack campaigns detected by government and enterprise endpoints. These groups have been named in the form of “UTG-Q-XXX”. Therefore, UTG should not be simply understood as an unknown group. Instead, we are aware of the attackers' motives and geographical region, but we are unable to attribute them to specific attacking entities or the clients they serve.

The current disclosure of UTG numbering is as follows:

| Threat Group | Region | Nature |
|---|---|---|
| UTG-Q-001 | Southeast Asia | Espionage |
| UTG-Q-003 | Eastern Europe | Espionage |
| UTG-Q-007 | Southeast Asia | Financially motivated |
| UTG-Q-010 | East Asia | Financially motivated |

Technical Details

Phishing Emails

The password-protected malicious attachments are as follows:

The lnk files are as follows:

| MD5 | Filename |
|---|---|
| 9a7d8b8c0dd22472fdc09d925838cdcd | Chen Guoguang-Byte-U3D.lnk |
| 08520cc4474114c3daef50eb9d4732f8 | Server-Wang Shaocong Resume.lnk |
| 21c31e99d1794cc96b683ad9641d6908 | ParkminResume.lnk |

The lnk payload is as follows:

The lnk decrypts faultrep.dll from its own body and copies it, together with werFault.exe, into the %temp% directory. faultrep.dll functions as a downloader, which we name “MoinDownloader”. Its hashes are as follows:

| faultrep.dll MD5 |
|---|
| 6f1e6e1de42b6fb9c894948b4ba420ec |
| 4d334416cb894193fd4527a92f30bf27 |
| f422a60b6dde97e6b1155ea028c50736 |

It first releases a PDF decoy document showing a game developer's resume.

Some lnk files also release bilingual (Chinese-Korean) decoys.

Finally, MoinDownloader fetches the encrypted payload from a remote server: C2=hxxps://chemdl.ioskaishi.live/down_xia.php

It then loads Pupy RAT, an open-source Python RAT (Remote Access Trojan), in memory. The RAT's C2 is 103.79.76.40:8443.
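As an added detection example (not code from the original report), the following Python script runs over constructed Sysmon-style events and flags the chain described above: WerFault.exe started from a user-writable temp directory instead of its system directory, escalated when a faultrep.dll was dropped into that same directory beforehand. The event layout, the user path and the severity labels are assumptions.

```python
import json
import ntpath

# Constructed Sysmon-style events (not from the report), one JSON object per line.
# EventID 11 = FileCreate, EventID 1 = ProcessCreate.
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\hr\\AppData\\Local\\Temp\\faultrep.dll"}
{"EventID": 11, "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\hr\\AppData\\Local\\Temp\\werFault.exe"}
{"EventID": 1, "Image": "C:\\Users\\hr\\AppData\\Local\\Temp\\werFault.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WerFault.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe"}
"""

# Directories from which WerFault.exe legitimately runs.
LEGIT_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


def parse_events(log_text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect_werfault_sideload(events):
    """Flag WerFault.exe launched outside its system directories; escalate when
    a faultrep.dll was dropped into the same directory earlier in the stream."""
    dll_dirs = set()  # directories that received a faultrep.dll
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            directory, name = ntpath.split(ev["TargetFilename"])
            if name.lower() == "faultrep.dll":
                dll_dirs.add(directory.lower())
        elif ev["EventID"] == 1:
            directory, name = ntpath.split(ev["Image"])
            if name.lower() != "werfault.exe" or directory.lower() in LEGIT_DIRS:
                continue
            sideload = directory.lower() in dll_dirs
            alerts.append({
                "image": ev["Image"],
                "parent": ev.get("ParentImage", ""),
                "severity": "high" if sideload else "medium",
                "reason": "WerFault.exe outside System32"
                          + (", faultrep.dll dropped beside it" if sideload else ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_werfault_sideload(parse_events(SAMPLE_LOG)):
        print(alert)
```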


Attack Incidents Targeting the Android Platform

While tracking the infrastructure of UTG-Q-010, we discovered their use of highly deceptive watering hole sites during attacks in the Bitcoin and AI fields. These sites lure victims to download malicious APKs and are distributed on domestic forums. The attack website targeting the cryptocurrency community is as follows:

Attack website targeting the AI field is as follows:

Through tracing, it was found that the malicious domain was posted on a domestic AI forum by a user registered on 2024-02-23.

Analysis of the downloaded APK shows that it belongs to the Ermac malware family; the malicious code is injected into the logic of a legitimate APK.

C2 is conn.phmdbad.live. Based on Passive DNS data, we found that the victims primarily use home broadband networks.


Expanding the Analysis

Based on the characteristics of the lnk files, we found some highly credible samples with the same origin on VT (VirusTotal).

| LNK MD5 | Function | Filename |
|---|---|---|
| 618c5efe26db267a21134c6726be5123 | Release downloader and load golang trojan | ssss.pdf.lnk |
| e50be1c85e1842fbdcf16ac46866fafb | Test sample | a.lnk |
| 645e7561ae6bf2c458fc73c1530030d3 | Test sample | passwords.lnk |
| 38fc22a6ded51b9ebfd02d9d8fb20e5e | Release Xworm RAT, C2 (223.ip.ply.gg:15270) | file.lnk |

The payloads released by the two test samples exposed the attacker's PDB (Program Database) path.

| PDB |
|---|
| C:\Users\suchenbin1\source\repos\message\x64\Debug\message.pdb |
| C:\Users\lain\source\repos\ConsoleApplication1\x64\Debug\ConsoleApplication1.pdb |
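As an added analyst example (not code from the original report), the script below carves CodeView "RSDS" debug records out of raw PE bytes, which is how PDB paths like the two above are recovered, and pulls the build account name out of each path as an attribution pivot. The PE fragment, its GUID and age value are constructed; only the two PDB paths come from the table above.

```python
import re
import struct
import uuid

# Constructed PE fragment (not a real sample): two CodeView "RSDS" records with a
# made-up GUID, age 1, and the two PDB paths observed above, embedded in filler bytes.
SAMPLE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_PATHS = [
    b"C:\\Users\\suchenbin1\\source\\repos\\message\\x64\\Debug\\message.pdb",
    b"C:\\Users\\lain\\source\\repos\\ConsoleApplication1\\x64\\Debug\\ConsoleApplication1.pdb",
]
SAMPLE_PE_FRAGMENT = b"MZ" + b"\x00" * 62 + b"".join(
    b"RSDS" + SAMPLE_GUID.bytes_le + struct.pack("<I", 1) + p + b"\x00" + b"\xcc" * 8
    for p in SAMPLE_PATHS
)


def carve_pdb_records(data):
    """Return (guid, age, path) for each RSDS record:
    'RSDS' | 16-byte GUID (little-endian layout) | uint32 age | NUL-terminated path."""
    records = []
    pos = data.find(b"RSDS")
    while pos >= 0 and pos + 24 <= len(data):
        end = data.find(b"\x00", pos + 24)
        if end < 0:
            break
        path = data[pos + 24:end]
        if path.endswith(b".pdb") and path.isascii():  # skip chance 'RSDS' strings
            guid = str(uuid.UUID(bytes_le=data[pos + 4:pos + 20]))
            age = struct.unpack_from("<I", data, pos + 20)[0]
            records.append((guid, age, path.decode("ascii")))
        pos = data.find(b"RSDS", pos + 4)
    return records


def username_from_pdb(path):
    """Extract the Windows account name from a <drive>:\\Users\\<name>\\... PDB path, or None."""
    m = re.search(r"[A-Za-z]:\\Users\\([^\\]+)\\", path)
    return m.group(1) if m else None


if __name__ == "__main__":
    for guid, age, path in carve_pdb_records(SAMPLE_PE_FRAGMENT):
        print(guid, age, path, "->", username_from_pdb(path))
```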

The downloader released by ssss.pdf.lnk is completely different from MoinDownloader.

The payload is downloaded from the pivot server (94.138.192.147/public/jsp/lasjdflakdsjf.pdf), decrypted, and then executed. The subsequent payload is a Golang-based trojan, primarily designed to execute CMD commands from the C2 server.

C2 is 156.224.22.247:443. While pivoting on MoinDownloader, we discovered the attacker's test trojan from February.

| MD5 | Filename |
|---|---|
| f33d93b32017758c4e716b58071c1d09 | HelloWorld_x64.exe |

UTG-Q-010's earliest activity dates back to late 2022 [3], and at that time, the decoys delivered were related to the pharmaceutical industry.

Apart from significant changes in the initial lnk payload, the remaining payloads have maintained the same pattern over the past two years. However, the large-scale evasion testing observed in February-March 2024 indicates the attacker's attempt to introduce variations.


Impact

Since UTG-Q-010's activities in 2024 are financially motivated, there have not been any severe incidents involving specific organizations. From the network attributes, the majority of the controlled targets are home broadband connections, including a significant number of individuals from the cryptocurrency community.

Among the victims corresponding to enterprise networks, the majority are game companies and pharmaceutical companies, aligning with the decoy contents delivered by UTG-Q-010. The industry distribution is as follows:

With the increasing prevalence of low-cost targeted attacks, attackers can obtain desired data and information with minimal investment, highlighting the growing asymmetry in the battle. This asymmetry is manifested in the fact that attackers can launch effective attacks using readily available tools and techniques with minimal resources, while defenders must invest significant time, technology, and funds to detect, prevent, and respond to these attacks. Defenders not only need to continuously update security systems and strategies but also provide employee training and enhance security awareness. Therefore, effectively enhancing defensive capabilities, optimizing resource allocation, and reducing defense costs have become important challenges in the field of cybersecurity today. QiAnXin Threat Intelligence Center is committed to discovering potential threats in order to provide comprehensive intelligence-based protection for government and enterprise clients.


Summary

Currently, QiAnXin Threat Intelligence Center's full range of products, including QiAnXin Threat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situation Awareness, all support precise detection of such attacks based on threat intelligence data.



Reference links

[1] https://mp.weixin.qq.com/s/kdwOx4WzH24cVA5qIDY_DA

[2] https://blog.talosintelligence.com/coralraider-targets-socialmedia-accounts/

[3] https://labs.k7computing.com/index.php/pupy-rat-hiding-under-werfaults-cover/
