Overview
CNC group has a South Asian background, named by a friend of the group, the group's early actions and Patchwork share the same github repository, in a long time we have been tracking it as Patchwork, in the last two years observed that the group is only targeting domestic teachers and students engaged in scientific research and institutions, the subsequent plug-ins have begun to be modular and customized, and the effect of no-kill is significantly Higher than other APT group in South Asia, it is worthwhile for us to systematically disclose it.Operation sea elephant aims to spy on our scientific research achievements in the field of ocean to ensure the dominance of a certain country in South Asia in the Indian Ocean.
In mid-2024 we discovered the South Asian direction attack collection numbered UTG-Q-011, which, despite the fact that the collection's subsequent plug-ins differed too much from the CNC, had the same backdoor and the same codebase as used by the CNC group, and ultimately treated UTG-Q-011 as a subset of the CNC for the purpose of research. This paper concludes with disclosures on this topic.
This paper is only as a security research, we don't focus on the initial sample load, and we mainly disclose the undisclosed plug-ins and espionage purposes of CNC group, Skyrocket can check and kill all their backdoors and plug-ins, and we recommend our customers such as scientific research, universities and so on, to enable cloud checking to discover the unknown threats.
Plug-in Introduction
The CNC group mainly delivers spear emails to target researchers or units to gain initial access, and then controls the IM software (WeChat, QQ) of the target personnel and sends bait programs for the Win platform to colleagues, teachers and students to make lateral movements. The attacker will customize the plug-in when it is distributed according to the current antivirus on the controlled machine. For example, we have observed the CNC group releasing a backdoor program named qaxreporter.exe in the AppData\roaming\QAXSecurityReporter\ directory and creating a scheduled task named "QI-ANXIN Security Task" for this backdoor. The plug-ins will be categorized and disclosed one by one according to their functionality below.
remote command execution backdoor (RCE backdoor)
The attackers designed two plug-ins that are only used to execute CMD commands, with file names typically windowassistance.exe, HuaweiHiSuiteService64.exe, mscleanup64.exe, and konlinesetupupdate_xa.exe.
Type I
Read command information from github.
https://raw.githubusercontent.com/kkrightjack/controlid/main/feed.json gets packets in two formats, one starting with juiop-drt!
The other starts with tuiju-opu!
CMD results are uploaded to the attacker's C2 server.
Type II
Communication with a remote server is achieved through a third-party ssl library, which is used to execute CMD commands.
The latest version of this type of plugin will first get the local information spliced into user_agent and then send a post request to port 443 of C2.
Then connect back to port 4545 of the C2 for cmd interaction.
Github API Tema
Trojan name is named windowsfilters.exe, through the Github API instead of offshore VPS to achieve remote control of the target machine, after the startup will first collect the device uuid and username, encrypted and written to C:\Users\Administrator\AppData\Local\Microsoft\ Windows\INetCookies\.WebDecodedCache file.
The file /repos/SalmonQt/Webdriver/contents/Ameroyt2dstg.txt will be requested via the github api.
What is returned after the request is as follows:
According to the return content content field base64 decryption, the content of the file for the list of victims, to determine whether they are on the list, if not, then upload themselves to the list.
The github api is also used to fetch the contents of the file Filgwru5va.txt as a directive.
The file returns the following:
where the directive is the base64 decryption of the content field, which is a json structure, as follows:
The first part is to victimize the machine's uuid, will detect the current device's uuid and whether it is the same, if it is the same before the implementation of the second part of the command, the command contains a list of the contents of the specified folder, the current screen shots, cmd commands such as the implementation of the remote control of common functions.
USB flash drive propagation plug-in
The file name is YoudaoGui.exe, and it will first visit www.163.com to check if the network is available.
After that the execution logic will be chosen based on the path where the Trojan itself is located:
- Under the appdata\roaming folder
If the Trojan is in the appdata\roaming folder, it will carry out its propagation logic, first looping through to detect if the victim device has mounted a new drive (e.g. inserted a USB stick)
Detects if a file named "private.png.exe" exists on the drive, and if it does not, copies itself as "private.png.exe" to the new drive to realize the propagation function.
After copying is complete the results will be echoed back to C2: https://185.140.12.224/licenseAdministrator/discover.xml, after which it will traverse the files under the new drive, copying the traversed files with the suffixes doc and ppt to the appdata\roaming\ AdbRc folder.
- The Trojan is not in the appdata\roaming folder
According to the logic of the first scenario, the Trojan starts as a "private.png" file if it is not in the appdata\roaming folder, and the Trojan will first load an image from its own resources to disguise itself.
The image used for camouflage is below:
After that, it will get the second stage Trojan srclogsys.exe from C2: https://185.140.12.224/.vendor/git/srclog and put the obtained Trojan in the AppData\Roaming folder.
A scheduled task will be created for it after successful acquisition.
Then it will get the device process information and upload it as a logo to C2: https://185.140.12.224/logindex.php?q=ascii, from the content of the url, it seems that the purpose of this step is to bring the device on line from the console.
Create a cmd process to start srclogsys.exe when you come online.
Finally, it enters the remote control logic, which continuously fetches the content posted by the malicious github account kkrightjack as commands and executes them via cmd.
Keylogger plugin
The file name is sogou_pinyinupdater.exe, saves the victim's keystrokes in plaintext in C:\Users\Administrator\AppData\Local\SogouPinyinInput.suggestions_kaomoji.
File Stealer plugin
CNC has a variety of solutions for steganographic plugin design, with different plugin logic for each data theft, where there are also steganographic plugins customized for specific targets.
Type I
The file name is tericerit.exe, and the steganography plug-in hardcodes the target directory in the victim terminal:
The main function is to write the list of all the files under the path to the ext file in the same directory, then it will copy the doc files under the directory and its subdirectories to the zD1Leno51 directory and encrypt and pack them.
Afterwards, it is uploaded to the C2 server via the SFTP protocol, and the remote server receives the file and immediately passes it away and destroys it, and sets restricted permissions on the user who logs on.
Type II
The file name is filecoauthx86.exe, which creates the scheduled task VerifiedPublisherCertCheck.
If it is not in the C drive directory, it iterates through all files on the drive letter where it is located:
Also check if backuplog_2024.txt exists, if it doesn't then start the downloader logic to download the above remote command execution backdoor-type II (MScleanup64.exe), the purpose of downloading this payload should be to steal the collected files.
Type III
In this case the attacker will place files named aliyun_updater64.exe (collect files) and CacheStore.exe (transfer files).
The aliyun_updater64.exe will be executed first, and will first determine if CacheStore.exe exists in the specified directory C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches.
If so, create the CacheStore.exe process directly with a fixed folder path C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115- DFE92379E91F}.3.ver0xY.
After that, you will visit https://aliyunconsole.com/alcloud/dgyx-4121-Firnsnxywfytw to download cversions.dgyx-4121-Firnsnxywfytw.db to C:\Users\Administrator\ AppData\Local\Microsoft\Windows\Caches folder.
The content is a path predefined by the attacker, which will collect the files under that path, first reading cversions.dgyx-4121-Firnsnxywfytw.db.
Iterate through the files according to the read paths.
The searched files are compared for suffixes, and only files with the specified suffix and content greater than 40960 are collected.
The specified suffix is as follows, parsed through BASE64 encoding.
If the file meets the requirements, copy it to the folder Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0xkNGCDCY^XK^EX.
Finally the URL https://aliyunconsole.com/product/VectorRetrievalService/dashvector will be accessed to get CacheStore.exe and start the.
CacheStore.exe is a file upload plugin that functions by taking a command line argument as the specified folder path and uploading the files under the folder to C2: 2.58.15.28:8090.
Determination to dominate the Indian Ocean
In recent years, a South Asian country has demonstrated its determination to dominate the Indian Ocean by establishing a dominant position in the region and treating it as a strategic backyard, deepening strategic cooperation among South Asian countries and promoting regional economic and security initiatives. But Operation Sea Elephant seems to demonstrate that the country's actual scientific research capacity is far from keeping pace with its grandiose vision, as shown by the following desensitized documents stolen by the CNC group:
| - | - |
|---|---|
| File or directory | |
| XXXXX Inner Wave Water Transport/ | |
| May 4 Competition/ | |
| Study on the geological factors of ocean sequestration XXXXXXXX/ | |
| transient responses-20240911.docx | |
| The second half of the XXXX project node assessment project acceptance related key issues meeting pptXX version.docx | |
| XXXX - Technical Collaboration Project on Fault Diagnosis and Health Management System for Hydraulic Headsets XXXX XXXX XXXX XXXX XXXX XXXX.docx | |
| XXX海实验室关于组织申报2024年XXXXXXXXXXXXX项目计划的通知.doc | |
| XX Small car and supporting model machining - design manual XXXXXX.docx | |
| reviewform.doc | |
| China Sea Ranch Industry XXXXXXXXXX: Marine Emerging Industry XXXXXXXXXX.doc | |
| XXXX-final-safety science-title page (XXXXXXXXXX).docx | |
| Ocean Carbon Sequestration XXXXX Study.docx | |
| Ocean Earth XXX Thesis Quality XXX.pdf | |
| Work Report 0816-XXX.pptx | |
| ...... |
Although the Win platform is full of conclusive scientific research documents and does not contain production data, it can still be used as an important reference for foreign intelligence organizations to spy on the progress and technical direction of our projects. However, these documents can still be used as an important reference basis for foreign intelligence organizations to spy on the progress and technical direction of our projects. By analyzing these documents, they can speculate on the technical strength of our scientific research team, resource allocation and future strategic layout.
As we mentioned in Operation Veles [1], scientific research and production data such as source codes and experimental data of various stages are usually stored in linux server clusters, UTG-Q-008 can only be successfully stolen by years of accumulation and massive network resources, which is not an easy task for other groups. Higher confidentiality research projects are completely closed in the isolation network, but the world can penetrate the network gate and other equipment APT groups only a few, security vendors and the lack of this part of the vision, so a long time in the future in the field of science and education in the APT groups will still focus on the Win platform.
UTG-Q-011
The UTG-Q-011 initial payload was released in the same resume decoy format, targeting areas such as laser science and aerospace for espionage.
Two downloaders of the same origin released two types of Trojans, with 0 checks on VT:
Communicates with C2 via SSL protocol to receive messages.
And the received information is used as an instruction to execute the corresponding function, and its instruction corresponds to the function as follows:
case 0: create the specified process
case 1: Change own working directory
case 2: End the connection and exit the Trojan
case 4: Read the contents of the specified file
case 5: Terminate existing connection and connect to the new C2 being issued
case 6: no function
case 7: collection of designated documents
First the C:\Users\Administrator\AppData\Local\msedgeCache folder will be created.
This function is expected to receive a command consisting of a combination of three segments, each wrapped in parentheses, with the format of the command matched by the regular expression it creates.
It collects files by adding the specified files to a zip archive under the msedgeCache folder. The three parts of the command that are inferred from its function are: the name of the zip archive to be generated, the files to be added to the archive, and the zip archive password.
The add zip function is implemented by the Chilkat library:
The second trojan is logically similar to the CNC group's Remote Command Execution backdoor and is only used to execute cmd commands, using the same third-party ssl library files.
If no command is executed, the heartbeat packet ddd is issued.
The UTG-Q-011 follow-up is primarily an open-source plug-in that steals browser data and does not overlap with the sophisticated plug-ins of the CNC gang.
summarize
Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.
IOC
CNC Group
C2:
aliyunconsole.com
45.86.162.79:443
185.140.12.224:443
2.58.15.28:8090
sftp:
45.86.162.125:52736
185.243.112.79:52736
MD5:
5c0d12de7c0dd7979ca5db3cad72688a
c5ed8776b63b698697fa6b22303bda2a
cfcd28199e448f35efe37c06c5da5565
d1737521c7c34c8a939e2eb3ec8ba53b
d7b8d909bfa3114abb3fa1c51875a084
e817f716f88bf628414659e3e6183aeb
bb2ca4f8eb95053dd450d58b335919c1
UTG-Q-011
MD5:
e65c3eeee6ba96ab7b72929ab53635a7
f3680b43abf218a16e58d991e54a6eee
54794189acbbfaf658bc5fd40b9a38dd
a2dd9a2fbb80a1b39c10c31870d7275f
0c23562c6208b080ac0b698215529a62
C2:
https://66.85.26.161:443/csgdyhfywhefdj/gdydfhasc/chsgdjc.pdf
https://66.85.26.161:443/csgdyhfywhefdj/gdydfhasc/qgtopl.exe
https://192.52.166.252/cgyusdft/whfgujfg/calc.exe
https://192.52.166.252/cgyusdft/whfgujfg/tt.pdf
45.56.162.111:443
23.152.0.99:443
Reference Links
[1]. https://ti.qianxin.com/blog/articles/Operation-Veles-Decade-Long-Espionage-Targeting-the-Global-Research-and-Education-Sector- CN/