Background of the gang
GoldenEyeDog (tracked internally by Qi'anxin as APT-Q-27) is a hacking group that targets people involved in the gambling and "dog-pushing" (gambling promotion) industry in Southeast Asia, as well as the overseas Chinese community; its operations include remote control, cryptomining and DDoS attacks. It is related to a larger attack group tracked by Qi'anxin, the Miuuti Group [1, 2]. The Miuuti Group has repeatedly used watering hole sites to host malware installation packages and implant Trojans on victims' devices [1, 3], and has used languages such as .NET, C++, Go and Delphi to develop malware; its attack samples generally show strong antivirus evasion.
GoldenEyeDog deploys fake software download websites and then uses various methods to lure victims into downloading and installing its malicious programs. Because the fake websites are SEO-optimized and made quite realistic, anyone who searches for a particular piece of software is likely to download the fake malicious installer. As a result, GoldenEyeDog's attacks have had an extremely wide impact across industries in China, including Internet companies, securities, manufacturing, IT and others.
Overview of the incident
Recently, Qi'anxin Threat Intelligence Center found a malicious installation package disguised as ToDesk during daily analysis and operations. In addition to dropping a ToDesk installer with a valid signature, the package covertly implants the Winos4.0 remote control Trojan after running. Using Qi'anxin threat intelligence data, we found a large number of similar attack samples, including Trojanized Quicklink VPN and Paper Airplane software installation packages. In this attack, the "Silver Fox" Trojan is combined with the Winos4.0 Trojan for remote control and data theft, adding a new Shellcode backdoor and anti-antivirus measures.
Detailed Analysis
Taking the Todesk installation package as an example, the attack process is as follows.
Watering hole website
When searching for "ToDesk" in a search engine, a watering hole website hosting the malicious installer appears in the search results. The attacker applied SEO to the site so that it appears on the first page of the results.
Visiting the watering hole website directly displays a download page offering a ZIP archive. The downloaded ZIP archive contains an MSI installation file.
Installation program
The basic information of the installation package file is as follows.
| Field | Value |
|---|---|
| MD5 | DA9AD73EEA3D71FF1F02A33F7FEA841C |
| File name | ToManually_Used_4.7.6.3_629871.msi |
| File size | 116 MB (122187776 bytes) |
| Modification time | 2025-05-21 15:57:16 |
The sample first drops the malicious file build.exe and ToDesk_4.7.6.3_1740534685.exe into the installation directory; ToDesk_4.7.6.3_1740534685.exe is the legitimate, unmodified ToDesk installation package.
During installation, a custom action runs the legitimate ToDesk installer with administrator privileges to distract the victim and mask the real attack behavior, after which the sample executes the dropped build.exe.
Loader
The basic information of the malware build.exe is as follows.
| Field | Value |
|---|---|
| MD5 | 31594c105ab333325fa1e8a3b49b850084 |
| File name | build.exe |
| File size | 30.9 MB (32436920 bytes) |
| Last modified | 2025-05-20 22:18:16 |
| PDB path | E:\c++\leishensdk_netbar\bin\Release\updater.pdb |
| Sandbox report link | https://sandbox.ti.qianxin.com/sandbox/page/detail?type=file&id=AZcKmQN5SZq0HOVfqW40 |
build.exe is written in C++ and is over 30 MB in size. Submitting it to the cloud sandbox helps to quickly analyze its malicious behavior. Its gene profile shows key behaviors such as network activity, dropping and executing files, PowerShell usage, and more.
Threat intelligence shows that 120.89.71.226 is a malicious Trojan C2 address.
The behavioral anomaly section summarizes the sample's suspicious behavior. Entries with a down-arrow symbol on the right can be expanded for details, or click Expand All to see everything.
Expanding "Create suspicious processes" shows that it mainly uses cmd.exe together with PowerShell to perform malicious operations and finally creates the system process svchost.exe.
It then deletes updated.ps1 after executing it.
Expanding "Execute some HTTP requests" shows access to remote resources on Amazon and Tencent Cloud.
Expanding "Create executable on the filesystem" shows that several .ps1 files are dropped and executed, along with insttect.exe, Microsoft.dll and monitor.bat.
The process information in the host behavior section shows that build.exe runs PowerShell to add the root directory of the C drive to the Windows Defender exclusion list, and then executes the dropped file "C:\Users\admin\AppData\Local\insttect.exe". It also uses cmd.exe to call regsvr32 to register the file "C:\Users\admin\AppData\Roaming\Microsoft\Microsoft.dll", executes "C:\Users\admin\AppData\Local\Temp\monitor.bat", and then executes "C:\Users\admin\AppData\Local\updated.ps1".
The network behavior shows that the sample connects to ports 8852, 9090, 18852 and 18853 of the malicious address 120.89.71.226.
Based on the information provided by the Qi'anxin intelligence sandbox, we have a preliminary picture of the sample: after execution, the EXE adds the root directory of the C drive to the antivirus exclusion list via PowerShell, drops and runs "C:\Users\admin\AppData\Local\insttect.exe", uses cmd.exe to call regsvr32 to register and execute "C:\Users\admin\AppData\Roaming\Microsoft\Microsoft.dll", executes "C:\Users\admin\AppData\Local\Temp\monitor.bat", and finally connects to the C2 120.89.71.226 on ports 8852, 9090, 18852 and 18853. The addition of an antivirus exclusion directory and the final C2 ports are essentially the same as the behavior of the "Silver Fox" family of Trojans we are familiar with.
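The process chain above (PowerShell adding a drive-root Defender exclusion, regsvr32 loading a DLL from the user profile, scripts and executables run from AppData) is a good hunting signature on its own. The following is an added example, not code from the original post or from Qi'anxin: a small Python detector run over constructed, simplified process-creation events (the field names `pid`, `ppid`, `image`, `cmd` are my own, not a real Sysmon schema), which flags each behavior and then correlates them back to the common parent, i.e. the loader.

```python
import re

# Constructed process-creation events modelled on the sandbox chain described above.
# The field layout is my own simplification; a real Sysmon Event ID 1 carries more fields.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 900, "image": r"C:\Users\admin\AppData\Local\build.exe",
     "cmd": "build.exe"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'powershell -Command Add-MpPreference -ExclusionPath "C:\"'},
    {"pid": 1003, "ppid": 1001, "image": r"C:\Users\admin\AppData\Local\insttect.exe",
     "cmd": "insttect.exe"},
    {"pid": 1004, "ppid": 1001, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c regsvr32 /s "C:\Users\admin\AppData\Roaming\Microsoft\Microsoft.dll"'},
    {"pid": 1005, "ppid": 1001, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c "C:\Users\admin\AppData\Local\Temp\monitor.bat"'},
    {"pid": 1006, "ppid": 500, "image": r"C:\Program Files\Vendor\updater.exe",
     "cmd": "updater.exe /check"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local|Roaming)\\", re.I)
USER_SCRIPT = re.compile(r"\\Users\\[^\\]+\\AppData\\[^\"\s]+\.(bat|ps1)\b", re.I)
# Excluding a bare drive root (e.g. C:\) switches Defender off for the whole volume.
DRIVE_ROOT_EXCL = re.compile(r"-ExclusionPath\s+[\"']?[A-Za-z]:\\?[\"']?(?=\s|$)", re.I)

def scan_events(events):
    """Return (rule, pid) pairs for events matching the loader behaviors in the post."""
    hits = []
    for ev in events:
        cmd, image = ev["cmd"], ev["image"]
        if DRIVE_ROOT_EXCL.search(cmd):
            hits.append(("defender_drive_root_exclusion", ev["pid"]))
        if re.search(r"\bregsvr32\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            hits.append(("regsvr32_user_profile_dll", ev["pid"]))
        if USER_WRITABLE.search(image) or USER_SCRIPT.search(cmd):
            hits.append(("exec_from_user_writable_dir", ev["pid"]))
    return hits

def suspicious_parents(events, hits, min_rules=2):
    """Parents whose children trip at least min_rules distinct rules: the loader itself."""
    parent_of = {ev["pid"]: ev["ppid"] for ev in events}
    rules_by_parent = {}
    for rule, pid in hits:
        rules_by_parent.setdefault(parent_of[pid], set()).add(rule)
    return {p for p, rules in rules_by_parent.items() if len(rules) >= min_rules}
```

On the sample events every child of pid 1001 trips a different rule, so the loader build.exe is the only parent returned by `suspicious_parents`.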
Now let's analyze some important files in the execution chain. insttect.exe, which is executed first, hides its malicious code among a large amount of benign code; its function is to load the Single.ini file from the same directory and allocate executable memory for it.
The Shellcode executed from that memory completes the DLL loading process in memory and calls the DLL's export function VFPower.
The export function VFPower uses custom OLLVM obfuscation that computes the function address dynamically by adding and subtracting immediate values, so decompilers cannot analyze it statically.
The main purpose of this DLL is to counter a domestic security product: when that product is present, it modifies the TCP connection table to block the product's cloud-lookup function.
Next, look at updated.ps1, which is deleted after execution. Its function is to register a scheduled task named ".NET Framework NGEN vTie" from the XML configuration in "C:\Users\admin\AppData\Local\PolicyManagement.xml", disguising it as a legitimate Windows task.
The contents of the PolicyManagement.xml file are shown below. It creates a scheduled task that runs "C:\Users\admin\AppData\Local\insttect.exe" 30 seconds after the user logs on.
In addition, monitor.bat, whose contents are shown below, monitors the process ID stored in the target.pid file, checking every 15 seconds; when that process terminates, it re-registers Microsoft.dll using regsvr32.exe. This ensures that Microsoft.dll keeps running, acting as a resurrection mechanism for it.
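The scheduled task described above has three traits a defender can check for when triaging exported task definitions: a name imitating the .NET NGEN tasks, a logon trigger with a short delay, and an action that runs from the user profile. The following is an added example, not the PolicyManagement.xml from the incident or code from the post: a Python triage function over a constructed task XML that reproduces those traits, alongside a constructed benign NGEN task for contrast. It uses the standard Task Scheduler XML namespace and `xml.etree` from the standard library.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler schema namespace used by exported task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample reproducing the traits described above (my own, not the real file).
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\.NET Framework NGEN vTie</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled><Delay>PT30S</Delay></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\admin\AppData\Local\insttect.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: a real NGEN task runs from the Microsoft.NET directory.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319</URI></RegistrationInfo>
  <Triggers><IdleTrigger><Enabled>true</Enabled></IdleTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe</Command></Exec>
  </Actions>
</Task>"""

def triage_task_xml(xml_text):
    """Return (finding, detail) pairs for one exported Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS)
        # Persistence that executes from a user-writable profile directory.
        if re.search(r"\\Users\\[^\\]+\\AppData\\", cmd, re.I):
            findings.append(("action_in_user_profile", cmd))
        # Name claims to be an NGEN task but the binary is not under Microsoft.NET.
        if re.search(r"\bngen\b", uri, re.I) and not re.search(r"\\Microsoft\.NET\\", cmd, re.I):
            findings.append(("lookalike_ngen_name", uri))
    for trig in root.findall(".//t:Triggers/t:LogonTrigger", NS):
        delay = trig.findtext("t:Delay", default="", namespaces=NS)
        findings.append(("logon_trigger", delay or "no delay"))
    return findings
```

The same function can be pointed at the XML produced by `schtasks /query /xml` on a host to review every registered task at once.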
Backdoor Trojans
When regsvr32.exe registers Microsoft.dll, the DLL first creates a mutex named "VUQNWMSABVWQH" and then checks whether the mutex already existed. If it did, and the file temp.aps exists in the same directory, it loads Config2.ini from that directory; otherwise it loads Config.ini.
Config2.ini is actually a piece of Shellcode that loads a PE file, and the export function of the DLL it loads is again named "VFPower". More interestingly, its PDB path has not been stripped, and it describes the file as a "punch" Trojan with a Shellcode backdoor.
Creating the mutex "VJANCAVESU223f" guarantees a single running instance, after which the backdoor is contacted.
The backdoor downloads Shellcode from 43.226.125.17:443 and executes it.
Config.ini is also a piece of Shellcode that loads a PE file; the loaded DLL has the same export function name "VFPower" and creates a mutex named "zhuxianlu".
Its main functions include creating threads, calling PowerShell to execute the commands seen in the cloud sandbox analysis above, adding scheduled tasks, and so on.
This includes monitor.bat, which performs the host behavior observed in the sandbox analysis above.
It downloads the subsequent Shellcode from 120.89.71.226:18852 and executes it.
After several downloads and in-memory loads, the final memory-loaded DLL first decrypts the C2 information 120.89.71.226 and the ports 9090, 9091 and 9092, then communicates with the C2 on port 9090 to obtain the relevant configuration, which it writes into the value "0" under the registry key "HKEY_CURRENT_USER\Console". Its PDB path is "C:\Users\Administrator\Desktop\Quick4\Main Plugin\Release\Upload Module.pdb".
It then collects information about the local machine and uploads it to the C2, downloads the final stage of Shellcode and executes it, and continues to communicate with the C2. The final Trojan downloaded is the widely circulated underground remote control Trojan Winos 4.0, which creates the system process svchost.exe and injects itself into it for execution. This Trojan was analyzed in detail in the article "'Silver Fox' ravage, Qi'anxin intelligence sandbox to help identify" [4], which also lists the relevant remote control commands; they are not repeated here.
The Traceability Correlation
In November last year, in the article "GoldenEyeDog gang recent activity tracking" [5], we disclosed a large number of attack cases in which GoldenEyeDog used "Silver Fox" class Trojans: it imitates the download pages of various popular software to set up watering holes, and uses the common "Silver Fox" class Trojan together with the Winos4.0 Trojan for data theft and remote control. Judging from the captured samples, its self-developed backdoor is highly reusable and can be redeployed simply by replacing the C2 address.
Summary
The GoldenEyeDog gang is one of the most active hacker organizations in China in recent years, and its business covers remote control, mining, DDoS and traffic-related activities. Based on analysis from Qi'anxin's threat radar, since 2022 the gang has been building watering hole websites that imitate popular software download pages, using SEO to raise click-through rates and lure users into downloading malware. Once a user's guard is lowered and the malicious application is downloaded and run, the machine is implanted with malicious code, leading to information leakage or system control.
Protection Recommendations
Qi'anxin Threat Intelligence Center reminds users to beware of phishing attacks: do not open links from unknown sources shared on social media, do not click on email attachments from unknown senders, do not run unknown files with sensational titles, and do not install apps from unofficial sources; back up important files in a timely manner and keep systems patched.
If you need to run or install apps from unknown sources, you can first submit them to the Qi'anxin Threat Intelligence File Depth Analysis Platform (https://sandbox.ti.qianxin.com/sandbox/page) for identification. It currently supports in-depth analysis of files in various formats for both the Windows and Android platforms.
The full line of products based on threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, the SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness and others, already supports accurate detection of such attacks.
IOC
MD5
C&C
(Watering Hole Website)
https://tt.opwejg.cn/top
(Trojan horse built-in C2)
Reference Links
[1] https://ti.qianxin.com/blog/articles/operation-dragon-breath-(apt-q-27)-dimensionality-reduction-blow-to-the-gambling-industry/
[2] https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry/
[3] https://mp.weixin.qq.com/s/b-0Gv_l-nnks-RnSdXBFBw
[4] https://mp.weixin.qq.com/s/fZs-0mvk15Cime6IKysyvw
[5] https://ti.qianxin.com/blog/articles/tracking-the-recent-activities-of-the-apt-q-27-cn/