
Overview

In recent years, during high-intensity confrontations with Advanced Persistent Threat (APT) groups from the Northeast Asia region, the RedDrip team at QiAnXin Threat Intelligence Center has discovered nearly 20 0day vulnerabilities involving domestic software. Some details have been disclosed in our public reports such as Operation DevilTiger[1], Operation ShadowTiger[2], and XSS 0day+Clickonce[3]. In reality, 0day activities originating from the Northeast Asia region extend far beyond the endpoint side. We have captured multiple 0day attacks targeting Android email clients that require only a single click from the victim (1-click), and the attackers have likely already mastered 0-click capabilities similar to "Triangulation."

In fact, the IOCs related to these nearly 20 0day attacks cover multiple industry-named groups, with significant overlaps between them. From our perspective, only a small number of these 0days (affecting IE, domestic browsers, Firefox, Foxmail, WPS) were used to target government and enterprise entities. The majority of the 0days were used to target North Korean individuals in the Northeast region and Chinese people in contact with them. This includes the mobile-side 0day incidents disclosed in this article, which are essentially espionage confrontations involving two countries and three parties in the Northeast region, belonging to a higher dimension of threat intelligence, and are unrelated to ordinary government, enterprise, or individual users. Operation South Star might also be an evidence collection activity under the MSMT cooperation framework[4].


Zipperdown In-the-Wild Exploitation

The ZipperDown vulnerability was first discovered by Pangu Lab in 2018. A large number of applications on the iOS and Android platforms use a common open-source ZIP library. If developers do not validate entry paths when unpacking, the result is a path traversal vulnerability that can overwrite the application's own components and achieve a "white plus black" effect, where a trusted application loads attacker-supplied code.

From 2018 to the present, there have been no public reports showing that this vulnerability has been exploited in the wild by APT groups. The RedDrip team is the first security team in the world to disclose that the ZipperDown vulnerability has been exploited in the wild by APT groups. The relevant software has now fixed this vulnerability:

The attacker sends an email containing the exploit to the target's mobile email application. When the victim clicks on the email on their phone, ZipperDown is triggered instantly, unpacking a carefully crafted DAT file and releasing malicious SO and APK files to overwrite the target application components.

The email body mostly contains political news published by the North Korean newspaper Rodong Sinmun, which we have previously disclosed[5]:


2022-2023 Payload

The attackers exploited a logic vulnerability in the inline IMG image handling of a particular version of the email app's Android client, carefully constructing a DAT file that satisfies the expected format and ultimately triggering ZipperDown to overwrite the app's library files.
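As an added triage example (not code from the report or the affected app), the check below treats a captured DAT attachment as a ZIP and lists every entry whose name would climb out of the extraction directory, which is exactly the condition ZipperDown relies on. The sample archive, the extraction root and the entry names are constructed stand-ins; the report does not publish the real paths.

```python
import io
import posixpath
import zipfile
from typing import List

# Constructed sample DAT: a ZIP whose entry names use "../" so that the
# bundled SO and APK land on top of the app's own components when unpacked.
# File names below are hypothetical; the real sample paths are not public.
SAMPLE_DAT = io.BytesIO()
with zipfile.ZipFile(SAMPLE_DAT, "w") as _zf:
    _zf.writestr("cover.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    _zf.writestr("../../lib/arm64/libttmplayer_lite.so", b"\x7fELF fake")
    _zf.writestr("../../app_dex/backdoor.apk", b"PK fake")

# Assumed extraction directory of the vulnerable image handler (placeholder).
DEFAULT_ROOT = "/data/data/com.example.mail/files/img"


def entry_escapes(root: str, name: str) -> bool:
    """True if a ZIP entry name would resolve outside `root` on extraction.

    Absolute names, Windows drive letters and any '..' that survives
    normalisation are all treated as escapes. ZIP names use '/', so POSIX
    semantics are applied after folding any backslashes.
    """
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return True
    target = posixpath.normpath(posixpath.join(root, name.replace("\\", "/")))
    root = root.rstrip("/")
    return not (target == root or target.startswith(root + "/"))


def scan_dat(data: bytes, root: str = DEFAULT_ROOT) -> List[str]:
    """Return the entry names in a ZIP-formatted DAT that escape `root`."""
    escaping = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if entry_escapes(root, info.filename):
                escaping.append(info.filename)
    return escaping


if __name__ == "__main__":
    for name in scan_dat(SAMPLE_DAT.getvalue()):
        print("path traversal entry:", name)
```

The same `entry_escapes` check, applied before writing each entry, is the fix an unpacking routine needs; `scan_dat` is the read-only form suited to scanning mail attachments.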

The APK overwrite path is as follows:

The SO overwrite path is as follows:

The logic of the APK is relatively simple, establishing a shell connection:

The SO file is a modified version of the normal library file libttmplayer_lite.so, retaining the normal video decoding function and inserting a downloader logic:

Using a specific UA to request the C2 server, obtaining the second-stage command and executing it:

It packages the SQLite database files in the databases directory and transmits them to the C2 server using the toybox nc command. Because the normal library file has been overwritten, the victim executes this downloader logic every time they subsequently start the app, allowing the attacker to change the commands on the C2 at any time.


2024-2025 Payload

After 2024, the attackers replaced the payload of this weapon; the new library name is libpanglearmor.so.

The logic of the SO is a downloader:

It downloads the APK trojan from a remote server and loads it into memory. The AndroidManifest.xml file defines a background service with the entry point com.example.backservice.MainActivity.

Its function is to execute BackClass().Register().

The BackClass class contains the C2.

It regularly retrieves commands from "/command" and sends the command results to /result. During the initial registration, it visits "/victim" to obtain an identifier.

A thread is set up to regularly report the WIFI information connected to the device.

The command functions are as follows:

  • passive_interval: Set the interval for reporting WIFI information.
  • files_dir: Obtain the internal file directory (ctx.getFilesDir).
  • health: Heartbeat packet.
  • active_interval: Set the interval for obtaining commands.
  • upload: Same as write.
  • cache_dir: Obtain the cache directory (ctx.getCacheDir).
  • permission: Check permissions.
  • c2: Set a new C2.
  • ls: List file information under the specified folder.
  • echo: Echo.
  • exec: Execute a new process.
  • read: Functionally the same as download.
  • time: Get the current time.
  • wifi: Get the device's connected WIFI information.
  • shell: Functionally the same as reverse_shell.
  • write: Write to a file.
  • external_files_dir: Obtain the external file directory (ctx.getExternalFilesDir).
  • packages: Obtain information about the applications installed on the device.
  • download: Read a file and encode it as base64.
  • reverse_shell: Start a reverse shell to the specified IP.
  • nothing: Return ok.
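The register/poll/result pattern described above (one visit to /victim, then /command fetched on a fixed active_interval with results posted to /result) is distinctive enough to hunt for in egress logs. The detector below is an added example, not code from the report; the log format is a simplified constructed one and the server names are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from typing import Dict, List, Tuple

# Constructed proxy log lines: "timestamp client method server path".
# 10.0.0.5 shows the backdoor's register/poll/result behaviour; 10.0.0.7 does not.
SAMPLE_LOG = """\
2025-03-01T08:00:00 10.0.0.5 GET c2.example.invalid /victim
2025-03-01T08:00:30 10.0.0.5 GET c2.example.invalid /command
2025-03-01T08:01:00 10.0.0.5 GET c2.example.invalid /command
2025-03-01T08:01:01 10.0.0.5 POST c2.example.invalid /result
2025-03-01T08:01:30 10.0.0.5 GET c2.example.invalid /command
2025-03-01T08:02:00 10.0.0.5 GET c2.example.invalid /command
2025-03-01T08:00:05 10.0.0.7 GET news.example.invalid /command
2025-03-01T08:00:09 10.0.0.7 GET news.example.invalid /index
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
BACKDOOR_PATHS = {"/victim", "/command", "/result"}


def parse_log(log: str):
    """Yield (timestamp, client, server, path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(4), m.group(5)


def detect_beacons(log: str, min_polls: int = 3, max_jitter_s: float = 5.0) -> List[dict]:
    """Flag (client, server) pairs that registered at /victim and then polled
    /command at near-constant intervals, the signature of a fixed active_interval."""
    seen: Dict[Tuple[str, str], Dict[str, list]] = defaultdict(lambda: defaultdict(list))
    for ts, client, server, path in parse_log(log):
        if path in BACKDOOR_PATHS:
            seen[(client, server)][path].append(ts)
    hits = []
    for (client, server), paths in seen.items():
        polls = sorted(paths.get("/command", []))
        if "/victim" not in paths or len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        if pstdev(gaps) <= max_jitter_s:  # regular spacing, not human browsing
            hits.append({"client": client, "server": server,
                         "interval_s": sum(gaps) / len(gaps),
                         "results_posted": len(paths.get("/result", []))})
    return hits
```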

Email Structure Vulnerability

In 2024, we captured a more complex code injection vulnerability. Victims only need to click on the malicious email in the mobile app to trigger it. The client still performs no validation when parsing IMG images. The attackers constructed four images whose tags close off the malicious js code inserted into the email body, so that the body yields four lines of js.

The vulnerable routine locates the first IMG image and inserts it into the HTML of the message body. The first IMG image contains js code encoded in base64. Once inserted, it runs by default, thereby achieving arbitrary js code execution:

The JS code also performs its network requests by constructing an IMG image and inserting it into the HTML body. To read phone files directly from the current js domain, the attackers found an internal interface that has never been publicly disclosed. Its localfile field can read files from any directory. We do not understand why a piece of software with hundreds of millions of users would expose such a crude internal interface. It might exist for R&D testing? In any case, the attackers have a very deep understanding of domestic software. Combined with the various triggering points of the nearly 20 0-days, we even suspect that the attackers may have obtained the relevant source code.

https://app.XXXXX.XXX.com/?localfile=/data/data/com.XXXXXXX.mail/databases/XXXX

The attackers requested two files, one of which is the sqlite database. After parsing the relevant data, they obtained the target account's token.

The other is the app's XML configuration file, which contains the account's configuration information, including various keys.

Finally, the above data is base64-encoded and transmitted to the C2. The attackers can ultimately steal the user's login state, operate the account without a password, and access all emails, contacts, files, and other sensitive data.

The screenshot of the packet capture after triggering the 0-day in the Android emulator is as follows:


Summary

After years of high-intensity confrontation, these discovered 0-day espionage activities are likely just the tip of the iceberg in national-level cyber warfare, but they are already close to the limit that current security vendors can reach. Intelligence agencies of various countries are exploiting the weakness of the lack of widespread detection software on mobile devices, developing and acquiring related attack weapons on a large scale, severely damaging the interests of the target countries, and causing long-term irreversible damage in economic and political aspects.


IOC

Md5:

0942fbe13e4dca2b451bdf3c6c572078
724ae8064f2fc9c713e0388467c8d6b5
1c1ffd11069765779733dbf8b45015f1


Reference Links

[1] https://ti.qianxin.com/blog/articles/operation-deviltiger-0day-vulnerability-techniques-and-tactics-used-by-apt-q-12-disclosed-cn/

[2] https://ti.qianxin.com/blog/articles/the-tiger-of-the-forest-entrenched-on-foyan-mountain/

[3] https://ti.qianxin.com/blog/articles/clickonce-group-combines-0day-and-clickonce-technology-to-carry-out-espionage-activities-cn/

[4] https://msmt.info/Publications/detail/MSMT%20Report/4221

[5] https://mp.weixin.qq.com/s/5rDjDrfEZUsB1XAR-SvBtA
