Impact Scope
The RedDrip Team of QiAnXin Technology's Threat Intelligence Center, through its private intelligence production process, discovered that the process of Office Assistant, an office software package widely used in China, loads malicious components carrying legitimate digital signatures in order to deliver the Mltab browser plugin. The plugin collects user information and hijacks user traffic.


Office Assistant, which uses AI to assist with daily office tasks, has a very large user base in China. All of the Command and Control (C2) servers involved in this incident appear in the OpenDNS top 1 million domain list:

This incident has been active since at least May 2024 and has affected nearly one million endpoints in China over a period of roughly one and a half years:

The malicious browser plugin alone has been installed over 210,000 times and, as of now, has not been removed from the official Microsoft Edge add-on store:

Currently, Tianqing (QiAnXin's endpoint protection) can effectively detect and remove Mltab-related components:

Attack Vector
After a prolonged investigation, we confirmed that the latest version of Office Assistant, 3.1.10.1 (released 2024-05-28), contains downloader logic in OfficeAid.Main.exe (function sub_4B4D60) that was absent from version 3.1.9.9 (2024-03-08):

This function first checks for virtual machine and debugging environments:


It then contacts the C2 domain ofsd.fh67k.com and drops a malicious component named OfficeTeamAddin.dll into the %appdata%\Office\TeamAddin directory. Notably, this DLL is signed, but not with the official Office Assistant certificate:

However, the PDB paths are somewhat similar. Multiple possibilities exist here; we merely state the facts:
D:\work\demo\office-team-addin\OfficeTeamAddin\x64\Release\OfficeTeamAddin.pdb
D:\work\OfficeAid8wps\bin\Release\OfficeAid.Main.pdb
This component loads OfficeTeam.Installer.dll from the %UserProfile%\AppData\Local\Temp\testdir directory.

OfficeTeam.Installer.dll creates a mutex named 917D735D-DFE5-4809-97C2-2C067D9D5F1C upon execution.

It connects to http://ofsg.fh67k.com to obtain the download link for the second-stage payload.

The response is encrypted; its decrypted content is as follows:

It connects to the decrypted C2 to download the payload.

The downloaded payload is decrypted and loaded into memory.

The payload is logkit.dll, whose malicious logic lives in the exported function logkit_report. Its job is to deploy the final Mltab malicious browser extension.

It first queries relevant registry keys to find installed browsers on the device.

It collects information and assembles it into a JSON format.

This JSON is encrypted and sent to C2: of2sg.fh67k.com.

After sending, it receives data from the C2. Decryption reveals a configuration file.

Based on the returned configuration, the payload adds attacker-controlled domains to a whitelist. The following IOCs can be extracted from the whitelist content:

It parses the received configuration and writes it into the browser's user profile. For Edge this means modifying the Secure Preferences file. Chromium-based browsers guard the values in this file with per-preference HMACs stored under protection.macs, and a value whose MAC does not validate is reset at startup, so a hijack that persists across restarts implies the implant recomputed those MACs as well. The modified Secure Preferences file shows the hijacked links:

It hijacks the startup page.
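To check a profile for the startup-page and homepage hijack described above, the following added example (not code from the report, from QiAnXin, or from the implant) walks a Chromium-style Secure Preferences document and reports every startup URL, homepage, default search URL or extension update URL whose host falls under one of the report's IOC domains. It also records whether a MAC entry exists for the tracked key, because a hijacked value with no MAC would be reset by the browser and a hijacked value with a valid MAC means the implant recomputed it. The sample document, the MAC placeholders and the nested protection.macs layout (as seen in Chromium profiles) are assumptions for the demo; the benign URLs are placeholders too.

```javascript
// Added example: triage a Chromium-based browser's "Secure Preferences" for
// startup/homepage/search hijacks that point at known-bad domains.
// Not the report's code. SAMPLE_PREFS is constructed and only uses hosts
// from the report's IOC list plus placeholder benign sites.

// Subset of the report's IOC domains; extend from the IOC section as needed.
const IOC_DOMAINS = ["fh67k.com", "cjtab.com", "g6ht.com", "giw36.com", "e78y.com"];

// True when host equals, or is a subdomain of, any listed domain.
function matchesIoc(host, iocDomains = IOC_DOMAINS) {
  const h = host.toLowerCase();
  return iocDomains.some((d) => h === d || h.endsWith("." + d));
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Look up a dotted tracked key in protection.macs. Assumption: the nested
// layout seen in Chromium profiles, e.g. macs.session.startup_urls.
function hasMac(prefs, trackedKey) {
  let node = prefs.protection && prefs.protection.macs;
  for (const part of trackedKey.split(".")) {
    if (!node || typeof node !== "object") return false;
    node = node[part];
  }
  return typeof node === "string";
}

// One finding per preference value whose host is an IOC domain.
function findHijackedPrefs(prefs, iocDomains = IOC_DOMAINS) {
  const findings = [];
  const check = (path, trackedKey, url) => {
    const host = hostOf(url);
    if (host && matchesIoc(host, iocDomains)) {
      findings.push({ path, url, host, macPresent: hasMac(prefs, trackedKey) });
    }
  };
  const session = prefs.session || {};
  (session.startup_urls || []).forEach((u, i) =>
    check(`session.startup_urls[${i}]`, "session.startup_urls", u));
  if (typeof prefs.homepage === "string") check("homepage", "homepage", prefs.homepage);
  const dsp = prefs.default_search_provider_data;
  const tud = dsp && dsp.template_url_data;
  if (tud && tud.url) {
    check("default_search_provider_data.template_url_data.url", "default_search_provider_data", tud.url);
  }
  const ext = (prefs.extensions && prefs.extensions.settings) || {};
  for (const [id, s] of Object.entries(ext)) {
    if (s && s.update_url) check(`extensions.settings.${id}.update_url`, `extensions.settings.${id}`, s.update_url);
  }
  return findings;
}

// For a real profile: pass the file text of
// %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Secure Preferences.
function triageSecurePreferencesText(text, iocDomains = IOC_DOMAINS) {
  return findHijackedPrefs(JSON.parse(text), iocDomains);
}

// Constructed sample: one hijacked startup URL (MAC present) and a hijacked
// homepage whose MAC entry is missing; the search engine is left untouched.
const SAMPLE_PREFS = {
  homepage: "http://fh67k.com/",
  homepage_is_newtabpage: false,
  session: { restore_on_startup: 4, startup_urls: ["https://www.bing.com/", "http://e78y.com/"] },
  default_search_provider_data: { template_url_data: { url: "https://www.baidu.com/s?wd={searchTerms}" } },
  protection: {
    macs: { session: { restore_on_startup: "0".repeat(64), startup_urls: "0".repeat(64) } },
    super_mac: "0".repeat(64),
  },
};

// findHijackedPrefs(SAMPLE_PREFS) -> two findings: session.startup_urls[1]
// (macPresent true) and homepage (macPresent false).
```

Run it against the JSON text of a suspect profile with triageSecurePreferencesText; a finding with macPresent true is the interesting case, because it means the tamper was done by something that knew how to keep the browser from reverting it.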

Finally, it selects and installs different Mltab malicious extension plugins based on the detected browser.

Targeted browsers include Edge, Chrome, QQ Browser, Sogou Browser, Lenovo Browser, and 2345 Browser.

After the plugin is loaded, it appears as follows, described as the "MadaoL Newtab" plugin:

We also observed a second infection chain, but because we could not reproduce it consistently we did not retain screenshots. For a certain period, running the publicly distributed installer itself installed the malicious extension directly from the Edge Add-ons Store through an internal interface, which is very stealthy.
Browser Plugin
background.js
Performs actions on initial install and update:

Generates user information:

Collects and uploads information, including user activity, usage patterns, visited websites, etc., for user behavior analysis:

On first run, fetches a rule configuration file from C2: api.g6ht.com. The rules are used to match links for hijacking:

Creates a right-click context menu item "Search with Baidu," which actually visits hijacked promotional links:

newtab.html
This HTML page hijacks the browser's new tab page; it is registered in manifest.json under chrome_url_overrides.newtab.

It loads the myload.js file into the new tab page.
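The traits described in this section (a new tab override, a persistent background script, a context-menu entry, and page content that ends up pulling remote resources) are all visible in the extension's manifest before any script is read. The following added example (not the report's code and not the extension's real manifest) is a static triage routine that flags those capabilities. SAMPLE_MANIFEST is constructed: the name, the newtab override and background.js come from the report; the permission list and the CSP are assumptions chosen to exercise the checks.

```javascript
// Added example: static triage of a browser-extension manifest for the
// capabilities this report attributes to the Mltab extension.
// Not the report's code; SAMPLE_MANIFEST is constructed (see lead-in).

// Permissions worth calling out, with the abuse they enable.
const RISKY_PERMISSIONS = {
  contextMenus: "can add entries such as a fake 'Search with Baidu'",
  tabs: "can observe and redirect open tabs",
  webRequest: "can observe every request",
  webRequestBlocking: "can rewrite or block requests",
  history: "can read browsing history",
  "<all_urls>": "runs on every site",
};

// Return the script-src sources of a CSP string (empty if none).
function scriptSrcSources(csp) {
  if (!csp) return [];
  const directive = csp.split(";").map((s) => s.trim()).find((s) => s.startsWith("script-src"));
  return directive ? directive.split(/\s+/).slice(1) : [];
}

// Produce a list of human-readable findings for one manifest object.
function triageManifest(manifest) {
  const findings = [];
  const mv = manifest.manifest_version;

  // 1. Page overrides: a newtab override is how Mltab gets its fake page up.
  const overrides = manifest.chrome_url_overrides || {};
  for (const page of ["newtab", "history", "bookmarks"]) {
    if (overrides[page]) findings.push(`overrides the ${page} page with ${overrides[page]}`);
  }

  // 2. Background code (MV2 scripts / MV3 service worker).
  const bg = manifest.background || {};
  if (bg.scripts) findings.push(`background scripts: ${bg.scripts.join(", ")}`);
  if (bg.service_worker) findings.push(`background service worker: ${bg.service_worker}`);

  // 3. Permissions and host permissions.
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) findings.push(`permission ${p}: ${RISKY_PERMISSIONS[p]}`);
    else if (/^(\*|https?):\/\//.test(p)) findings.push(`host permission ${p}`);
  }

  // 4. CSP: MV2 keeps it as a string, MV3 under extension_pages. Any
  //    unquoted source (i.e. not 'self'/'unsafe-eval') is a remote origin.
  const csp = mv === 3
    ? (manifest.content_security_policy || {}).extension_pages
    : manifest.content_security_policy;
  const remote = scriptSrcSources(csp).filter((s) => !s.startsWith("'"));
  if (remote.length) findings.push(`CSP allows remote script sources: ${remote.join(", ")}`);

  return { name: manifest.name, manifestVersion: mv, findings };
}

// Constructed sample (permissions and CSP assumed, see lead-in).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "MadaoL Newtab",
  background: { scripts: ["background.js"], persistent: true },
  chrome_url_overrides: { newtab: "newtab.html" },
  permissions: ["tabs", "contextMenus", "storage", "*://*/*"],
  content_security_policy: "script-src 'self' https://cjrx.cjtab.com; object-src 'self'",
};

// triageManifest(SAMPLE_MANIFEST).findings -> 6 entries, starting with
// "overrides the newtab page with newtab.html".
```

The useful output is the combination: a new tab override plus a context-menu permission plus a remote script origin is exactly the profile of a search and new-tab hijacker, and none of it requires unpacking the .crx beyond reading manifest.json.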

myload.js
Injects js/new_tab_page.js into the page.

new_tab_page.js
Loads https://cjrx.cjtab.com/count/count.html.

The count.html page is used to track user activity.

It also contains page-control functions that hijack user searches, images, text, hot links, and so on.

Fetches replacement rules from d.giw36.com/down/MLNewtab.dat and replaces link content on pages based on these rules.

The fetched MLNewtab.dat configuration is as follows, hijacking most page content to attacker-controlled redirect links:

Fetches hot search links from pbl-api.cjtab.com/api/v1/hot_list, removes tracking parameters contained in the URLs, and replaces the website domain with the redirect links from the previous rules.

The hot_list content format is as follows:

The remaining code renders a fake new tab page layout that wires in the functionality above. The page looks like this:

It can be seen that relevant links have been replaced.
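The replacement is only visible by comparing what a link says with where it points. The following added example (not the report's code and not the extension's code) audits the anchors of a saved new tab page and flags two signals: an href host that falls under one of the report's IOC domains, and link text that names one site while the href goes to a different registrable domain, which is what the hot-list rewriting described above produces. SAMPLE_HTML is constructed; only the hijacked host is taken from the IOC list, and the benign links are placeholders.

```javascript
// Added example: audit anchors of a rendered new-tab page for rewritten
// links. Not the report's code; SAMPLE_HTML is constructed.

// Subset of the report's IOC domains; extend from the IOC section.
const IOC_DOMAINS = ["fh67k.com", "cjtab.com", "g6ht.com", "giw36.com", "h7np2.com"];

function matchesIoc(host, iocDomains = IOC_DOMAINS) {
  const h = host.toLowerCase();
  return iocDomains.some((d) => h === d || h.endsWith("." + d));
}

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Registrable-domain approximation: the last two labels. Simplification;
// it does not handle public suffixes such as co.uk or com.cn.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Pull <a href="...">text</a> pairs out of saved HTML with a tolerant regex.
// Good enough for a captured page; use a real parser for arbitrary input.
function extractAnchors(html) {
  const re = /<a\b[^>]*?href\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    out.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, "").trim() });
  }
  return out;
}

// Return one finding per anchor that looks rewritten, with the reasons.
function auditLinks(html, iocDomains = IOC_DOMAINS) {
  const findings = [];
  for (const a of extractAnchors(html)) {
    const host = hostOf(a.href);
    if (!host) continue;
    const reasons = [];
    if (matchesIoc(host, iocDomains)) {
      reasons.push(`href host ${host} is a known redirect/C2 domain`);
    }
    // If the visible text names a domain, it should agree with the href.
    const named = a.text.match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/i);
    if (named && baseDomain(named[0]) !== baseDomain(host)) {
      reasons.push(`link text names ${named[0]} but href goes to ${host}`);
    }
    if (reasons.length) findings.push({ href: a.href, text: a.text, reasons });
  }
  return findings;
}

// Constructed sample: one genuine link, one rewritten hot-search link whose
// text still names the original site, and one unrelated benign link.
const SAMPLE_HTML = `
<ul class="hot">
  <li><a href="https://www.baidu.com/s?wd=hot">Baidu hot search</a></li>
  <li><a href="http://h7np2.com/" target="_blank">weibo.com hot search</a></li>
  <li><a href="https://news.example.com/item/1"><b>Example</b> news</a></li>
</ul>`;

// auditLinks(SAMPLE_HTML) -> one finding for http://h7np2.com/ with two reasons.
```

Save the new tab page with "Save as, complete" from a suspect profile and feed the file text to auditLinks; the text-versus-href mismatch catches rewrites even when the redirect domain is not yet on an IOC list.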

Summary
Currently, all products based on QiAnXin Threat Intelligence Center's threat intelligence data, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing (Endpoint Security), Tianyan (Advanced Threat Detection System), QiAnXin NGSOC, and QiAnXin Situation Awareness Platform, support precise detection of such attacks.

IOC
MD5
11bf1232bfef7377916cf665a9524398
4cf6b6611ef61e114bdf697339972315
ebfa0f0a9c1fe1feeea166a6ff933d0b
5f421f404c7eb7d78a797031b0bd0e14
deb35616612fe2ba7b496cb290983ee0
feb7613b75e90c22c57a484acae15e1a
908959dd4ad7d7a5e677b0d4daa5c6a0
C2
sg-xj-1306567145.cos.ap-guangzhou.myqcloud.com
mltab-1306567145.cos.ap-guangzhou.myqcloud.com
fh67k.com
eybyyffs.com
gey87.com
fk6u1.com
hty73.com
rh6yd.com
djt86.com
n3yj6.com
3d5d6.com
k5jy8.com
h7np2.com
g8ht6.com
e78y.com
api.g6ht.com
cjtab.com
d.giw36.com