
Background

Recently, Qi'anxin's Network Security Department and Threat Intelligence Center have observed multiple instances where R&D personnel from government and enterprise customers downloaded untrusted tools or installation packages from GitHub. This has led to the implantation of information-stealing or cryptocurrency mining software on development endpoints, potentially impacting core company data.

This article analyzes two hacker groups that have been exceptionally active lately. It is noteworthy that, despite their relatively crude attack methods, the open and transparent nature of the GitHub platform provides excellent cover for these attackers, allowing their seemingly simple traps to continuously ensnare victims.


Water Curse Gang

This group has been disclosed by Trend Micro[1] and named Water Curse. Domestic victims include security researchers and R&D engineers. The attackers are still frequently changing GitHub repositories to evade detection. The GitHub repository link related to this campaign is as follows:

Git link:

  • https://github.com/mlisman6/tcg/releases/tag/releases

The malicious repository provides the SearchFilter tool.

SearchFilter is a CEF-type application. The attacker chose to hide the malicious JS in the app.asar file, which the elevate.exe process loads during execution:

Its function is that of a downloader, fetching the next stage payload from the following three links:

ITW:

  • https://rlim.com/pred-FMoss/raw
  • https://paste.fo/raw/e79fba4f734e
  • https://pastejustit.com/raw/l6qsebqoqq

After multiple loading stages, the AsyncRat trojan is injected into RegAsm.exe and attempts to copy various credentials from the developer's endpoint; this was blocked by TianQing. C2: 209.38.193.86:6650


Lucifer Gang

The group created a Git repository for an IDEA crack, along with Chinese cracking instructions, to induce R&D personnel to download the cracked program.

Git link:

  • https://github.com/freewindsand/idea_pojie/releases/download/1.0/win_idea_Pojie.zip

install-current-user.vbs contains malicious code that launches a malicious jar program.

The Jar functions as a downloader.

The downloader logic is executed later in the chain:

When ideaxxx.exe fails to write the environment variable, it drops java.exe and executes it. java.exe writes the current date to a txt file and checks it repeatedly, probably to delay execution and evade sandboxes. It then pulls a payload remotely, decrypts it in memory, and executes it.

The dropped WptsExtensions.dll hijacks the msdtc service and drops oci.dll.

oci.dll downloads o.dat from the following URLs:

  • https://git.launchpad.net/freewindpet/plain/o.dat
  • https://github.com/freewindsand/pet/raw/refs/heads/main/o.dat
  • https://gitee.com/freewindsand/pet/raw/main/o.dat

Finally, the mining program is loaded into the memory, with multiple C2s built in:

  • c3.wptask.cyou
  • sky.wptask.cyou
  • auto.c3pool.org
  • auto.skypool.xyz
  • 141.11.89.42:8443
  • 45.147.51.78:995
  • 45.130.22.219:995
  • 129.226.111.80:33333

If adding the environment variable to hijack the system service DLL fails, ideaxxx.exe instead creates a scheduled task that remotely executes an MSI with a malicious DLL inserted into its CustomAction. Its function is the same as above.
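The msdtc hijack described above only works when WptsExtensions.dll can be found through the PATH search order, so a quick defensive check is to walk every PATH entry and look for the two DLL names the report ties to this chain. The following script is an added example written for this article, not code from Qi'anxin or from the malware; the directory layout it builds in a temporary folder is constructed sample data, and the function takes the PATH value as an argument so it can be run against a real `%PATH%` or against the constructed one.

```python
import os
import tempfile
from pathlib import Path

# DLL names the report associates with the msdtc service hijack.
HIJACK_DLLS = ("WptsExtensions.dll", "oci.dll")


def find_hijack_candidates(path_value, dll_names=HIJACK_DLLS):
    """Return (directory, dll) pairs for every PATH entry that contains one of dll_names.

    msdtc resolves WptsExtensions.dll through the PATH search order, so a copy
    sitting in any PATH directory is what the hijack relies on. Entries that do
    not exist on disk are skipped; quotes around entries are tolerated.
    """
    findings = []
    for entry in path_value.split(os.pathsep):
        entry = entry.strip().strip('"')
        if not entry:
            continue
        directory = Path(entry)
        if not directory.is_dir():
            continue
        for dll in dll_names:
            if (directory / dll).is_file():
                findings.append((str(directory), dll))
    return findings


def demo():
    """Build a constructed PATH with one clean and one planted directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="pathscan_"))
    clean = root / "tools"
    planted = root / "user_bin"          # stands in for a user-writable PATH entry
    clean.mkdir()
    planted.mkdir()
    (clean / "helper.exe").write_bytes(b"")                 # benign file
    (planted / "WptsExtensions.dll").write_bytes(b"MZ")     # planted hijack DLL (constructed)
    path_value = os.pathsep.join([str(clean), str(planted), str(root / "missing")])
    return find_hijack_candidates(path_value)


if __name__ == "__main__":
    # To check the live machine instead: find_hijack_candidates(os.environ.get("PATH", ""))
    for directory, dll in demo():
        print(f"PATH entry {directory} contains {dll}")
```

A hit is not proof of compromise on its own (legitimate Oracle clients ship an oci.dll), so pair the result with the scheduled-task check the report implies: an MSI launched from a task whose CustomAction loads a DLL from a user-writable location is the fallback path this gang uses.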


Summary

At present, the full range of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), TianQing, the Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already supports accurate detection of such attacks.


IOC

Water Curse

MD5:

820adb8711e2170a8607b9b428bf33fb

C2:

209.38.193.86:6650

Lucifer Gang

MD5:

4d5e411d37d67dd867cfa58517f59b16

d85859c8540cadff8b360d96b9aeca3a

d1e6e6e2b2f73e30a9bf28daf605e275

c9ce544e66fdad83fe4c798bb5cfdfd5

a9974e36fab0f715c3235ad1dab6bea9

C2:

c3.wptask.cyou

sky.wptask.cyou

auto.c3pool.org

auto.skypool.xyz

141.11.89.42:8443

45.147.51.78:995

45.130.22.219:995

129.226.111.80:33333
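To make the IoC list above directly usable, here is an added example (written for this article, not code from Qi'anxin) that loads the report's domains, IP:port pairs and MD5 hashes into sets and sweeps them across log lines. The four log lines are constructed samples in a generic `key=value` style; the matcher only relies on regular expressions for hostnames, IP:port sockets and 32-hex-character hashes, so it works on most DNS, firewall and EDR exports without a dedicated parser.

```python
import re

# Network and file IoCs exactly as listed in the report's IOC section.
IOC_HOSTS = {"c3.wptask.cyou", "sky.wptask.cyou", "auto.c3pool.org", "auto.skypool.xyz"}
IOC_SOCKETS = {
    "141.11.89.42:8443", "45.147.51.78:995", "45.130.22.219:995",
    "129.226.111.80:33333",      # Lucifer gang
    "209.38.193.86:6650",        # Water Curse
}
IOC_MD5 = {
    "820adb8711e2170a8607b9b428bf33fb",  # Water Curse
    "4d5e411d37d67dd867cfa58517f59b16", "d85859c8540cadff8b360d96b9aeca3a",
    "d1e6e6e2b2f73e30a9bf28daf605e275", "c9ce544e66fdad83fe4c798bb5cfdfd5",
    "a9974e36fab0f715c3235ad1dab6bea9",  # Lucifer gang
}

# Loose extractors: a dotted hostname ending in an alphabetic TLD, an IPv4:port, a 32-hex MD5.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
SOCKET_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "2025-06-20T08:12:01Z dns src=10.1.2.33 query=sky.wptask.cyou type=A",
    "2025-06-20T08:12:03Z fw src=10.1.2.33 dst=141.11.89.42:8443 action=allow",
    "2025-06-20T08:13:10Z dns src=10.1.2.40 query=update.example.com type=A",
    "2025-06-20T08:15:22Z edr host=DEV-07 file=java.exe md5=4d5e411d37d67dd867cfa58517f59b16",
]


def match_iocs(lines):
    """Return (line_number, indicator_type, value) for every IoC hit in the given lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host.lower() in IOC_HOSTS:
                hits.append((number, "domain", host.lower()))
        for sock in SOCKET_RE.findall(line):
            if sock in IOC_SOCKETS:
                hits.append((number, "socket", sock))
        for digest in MD5_RE.findall(line):
            if digest.lower() in IOC_MD5:
                hits.append((number, "md5", digest.lower()))
    return hits


if __name__ == "__main__":
    for number, kind, value in match_iocs(SAMPLE_LOGS):
        print(f"line {number}: {kind} IoC {value}")
```

Two of the listed domains, auto.c3pool.org and auto.skypool.xyz, are public mining-pool endpoints rather than attacker-registered infrastructure, so a hit on them indicates miner traffic from the host in general and should be triaged together with the wptask.cyou domains and the listed sockets before attributing it to this gang.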


Reference Links

[1] https://trendmicro.com/en_us/research/25/f/water-curse.html
