Overview
In December 2024, we disclosed the incident of CSDN and other top sites being mounted [1], and the attacker group behind it was named UTG-Q-015 by us. After the article was published, the group changed its previous common tactics and started to utilize 0day/Nday vulnerabilities to invade government and enterprise web sites, and enabled a group of scanning nodes to carry out blasting activities on government and enterprise targets in March. In April, we observed that UTG-Q-015 carried out large-scale puddle mounting behavior against blockchain websites, digital signature backend, bitcoin backend, gitlab backend and other web systems, affecting some government and enterprise customers, and at the same time, also invaded the financial institutions through IM phishing and C2 backlinked to the intranet web address to download the three-phase payload.
Whenever we talk about "Chinese-speaking attackers", our overseas partners always describe them as "CN-Nexus". In fact, Chinese-speaking attackers are all over East Asia and Southeast Asia. There are East Asian outsourcing players such as Operation EviLoong[2] and Operation Giant[3] who carry out high-level espionage activities for their own benefit. There are also professional teams like UTG-Q-015, which are located in Southeast Asia and provide penetration and intelligence services to Southeast Asian companies and institutions. These two types of attack teams are incompatible and even target each other. This is why UTG-Q-015 invaded several domestic programming forums last year. Its purpose was to counterattack and retaliate. On the surface, it is an "outsourcing war", but at a deeper level it is still a conflict between ideology and political stance.
We recommend our government and enterprise customers to enable cloud checking to discover unknown threats, and currently ASRock can check and kill this UTG-Q-015 weapon.
Scanning Blast Nodes
Based on Xlab data, UTG-Q-015 enabled a new batch of scanning nodes in March for blasting web servers open to the public in government and enterprises, and the scanning and blasting nodes account for the following:
After a successful blast releasing the Cobalt Strike backdoor and magically altering the nps tunnel, fscan was used to attempt lateral movement using the blasted passwords. By April this batch of nodes started exploiting Nday vulnerabilities such as CVE-2021-38647, CVE-2017-12611, and CVE-2017-9805.
Puddle campaign targeting blockchain sites
In April, based on alerts from SkyRock's "Liuhe" advanced threat defense engine, we observed that the victim downloaded the payload from the following address.
| - | - |
|---|---|
| URL | |
| hxxps://updategoogls.cc/tools.exe | |
| hxxps://safe-controls.oss-cn-hongkong.aliyuncs.com/res/tools.zip |
Troubleshooting revealed the Referer as follows:
| - | - |
|---|---|
| Referer | Site Content |
| https://www.ruleos.com | WEB3 Development Website |
| https://13.229.89.211 | The real IP corresponds to biodao.finance, the blockchain project. |
Based on Qi'anxin Global Hawk mapping data, more than a hundred websites were invaded and mounted.
The types of websites that have been mounted involve web3 type website homepage, bitcoin backend login page, e-signature management backend, gitlab login page, accounting for example below:
The embedded js code is as follows:
The victim visits the target page and then displays phishing to induce the target to download the update file:
UTG-Q-015 uses a new set of lightweight .net backdoors with command execution and file upload capabilities.
Subsequent paylaods issued are consistent with previous activities.
Targeted attacks against financial institutions
UTG-Q-015 in April against the financial unit in the course of the attack, the first through unknown web vulnerabilities to invade the target unit border server as a downloader springboard, followed by IM to the target unit personnel to drop "confidential XXXX.exe" bait file, memory loaded downloader built in the previous invasion of the same unit's web border server public network domain name and intranet IP to obtain the The third stage of the payload.
Attacks against AI components of Linux platforms
UTG-Q-015 generally use Xnote, Ghost, Vshell and other backdoors to control the target linux servers, and the targets in 2025 are mainly focused on the AI field. in February, the unauthorized vulnerability of the ComfyUI-Manager plug-in was used to send down a malicious model file [4], which eventually loaded Vshell, and we once again reminded the Guanji unit and friends to never open the ComfyUI component to the public network. it has been observed that offshore APT organizations use the unknown vulnerabilities of ComfyUI to open espionage activities.
CVE-2023-48022 was used to hack into domestic AI-related research servers back in April, bouncing the shell and then executing bash scripts and plugins with the same origin as above, eventually loading Vshell.
Summarize
Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.
IOC
FileHash-MD5:
c313868c3e3e470fc7dde07ebaac0a87
fb68d6affca239ba4f9315889fcf6d61
e9ab0bc9d47c84285b82b25834aeae03
53a83040fea6dbe2845747d69da6504e
e89a6d6a0ca026317456594211ccb007
C2:
updategoogls.cc
safe-controls.oss-cn-hongkong.aliyuncs.com
209.250.254.130:13389
Reference Links
[1] https://mp.weixin.qq.com/s/qQw1DXE25Gkz_P8pEPVaHg
[2] https://ti.qianxin.com/blog/articles/the-electronic-party-of-borderless-hackers/
[3] https://ti.qianxin.com/blog/articles/operation-giant-financial-storm-under-circuit-breaker-orders-cn/
[4] https://mp.weixin.qq.com/s/IPzuok7ej_ghTn59R9PRbA