Background
During the terminal operation, the Qi'anxin Threat Intelligence Center discovered a large-scale overseas hacker group that was able to hijack victims' Google search content and e-commerce links and other malicious behaviors. Based on PDNS data, it was found that the group has been active since 2021, and the malicious domain name is on the top of OPENDNS. In the 1m list, there are at least millions of terminals affected worldwide.
| - | - |
|---|---|
| URL | Active time |
| overbridgenet.com/jsv2/offer_combo_v6 | 2021-05-10 to 2023-04-15 |
| overbridgenet.com/jsv8/offer | 2023-05-24 to present |
The related domain names also have a large number of visits in China:
We found a malicious plugin in the browser and named it "Ghost Extension".
Attackers bypassed Google CSP mechanism, when using Google search, js will be injected into the page. The screenshot before injection is as follows :
The results after injection are as follows:
The Google search page loads additional js and displays the results pushed by the attacker at the top. In addition to controlling the search results, another js is injected when the victim visits any page to track the victim's access habits and trajectory. When the victim visits an e-commerce website , the malicious js will obtain a new domain name from overbridgenet.com/jsv8/offer to hijack the jump link in the current page .
The IP resolved by overbridgenet.com is 5.223.52.27 . There are multiple suspicious domain names under this IP, and the traffic is very large.
Based on the VT data, a large number of URLs can be seen. The fields of the URLs are consistent with the fields spliced above, but the order is different. Therefore, these URLs are hijacked links spliced by malicious js. It is observed that the hijacked URLs have some web login pages.
Currently, the hijacked link only has a jump function, and the hijacking logic is controlled by the attacker in the cloud. In theory, it can be customized to hijack a specific website, and even a man-in-the-middle hijack can be performed to obtain the account and password of the login page.
Impact
Based on PDNS data, we have counted the domestic victims affected by malicious plug-ins :
When Google search results are hijacked, svdred.com and xerogala.com will be visited . Then the actual number of domestic victims who have been successfully hijacked can be counted:
Technical Details
With such a large-scale victimization, there may be more than one attack path. Based on the terminal data, we observed that the malicious plug-in was hidden in the cracked installation package, as follows:
The attacker uploads a fake installation package like this to some cracked software download sites, waiting for the victim to download it. After the victim clicks it, a series of malicious components will be released under C:\Users\Public\data.
Some of the components will first be released to the C:\Windows\System32 folder.
Afterwards mdwslp Complete the transition of these components from Windows\System32 to Users\Public\data.
After release, it will be executed sc create XblGame binPath = "C:\Users\Public\data\mdwslp.exe" start= auto command to register the mdwslp component as a service and then start the service.
mdwslp.exe
This component is responsible for the initialization of the entire malicious web plug-in. First, it will determine whether the relevant components exist to determine whether the initialization has been completed.
Unzip Windows\System32\data1.zip to Public\data\ ext .
This part is the malicious web plug-in js Code.
Then it will loop to check if it exists Public\data\ uptimecrx.exe, if it does not exist, copy it from Windows\System32\uptimecrx.dat.
After copying, it will be used Sign it with Microsoft's official signature tool signtool.exe.
The specific signature created by the attacker.
Finally, register uptimecrx.exe as another service XblGame2 and start it.
uptimecrx.exe is updated every 10 hours.
Check if the flag file Public\data\up1.dat exists. If it exists, it means that it needs to be updated. Exit the loop. The update of this component is completed by uptimecrx.exe.
In addition, the component will cyclically detect whether the malicious DLL is injected into the target process.
If not detected, the injection tool will be called for injection.
This tool was previously released Windows\System32\ datax.dat, when called, a new file name will be randomly assigned to it and copied to AppData \Local\Temp\ xtdbf Under the folder.
Then use --install/-- uploaddll Start the tool with the following parameters:
uptimecrx.exe
This component is used to update and persist mdwslp.exe , loop to detect whether mdwslp.exe exists, if not, copy it from Windows\System32\mi_nt_svc.dat , re-register the service and start it.
Detect services registered by mdwslp.exe XblGame Is it stopped? If so, restart it.
The flag file Public\data\up1.dat is used to detect whether mdwslp.exe needs to be updated. It is still updated by copying Windows\System32\mi_nt_svc.dat and re-signing it. After the update is completed, the service is registered and started.
datax.dat
This component is a DLL injection tool. Its main function is to inject the malicious ntdb.dll into the target process.
Depending on the parameters, the target process of injection is as follows:
- -- install: Inject into the explorer process;
- -- browser_chrome: Inject into the chrome process;
- -- browser_msedge: Inject into msedge process;
- -- uploaddll: Get the new payload from Windows\System32\ntdb.dat DLL and re-sign it.
ntdb.dll
This component is used to load malicious web plug-ins, First determine whether you are In the explorer.exe, chrome.exe, msedge.exe process, if not , terminate the operation.
If it is in chrome.exe or msedge.exe , hook Related dll In ChromeMain function.
And hook related event functions.
If in the explorer.exe process, the browser will be started with parameters such as --load-extension to load malicious web plug-ins.
The malicious plugin path is specified as Users\Public\data\ ext.
After startup, it will inject itself into the browser process.
EXT (browser plugin)
If the malicious plug-in is loaded successfully, the browser extension bar will display a blank page.
Details are as follows:
manifest.json
Defining related js Scope of action, service_worker.js is the background service worker process.
content_script.js will be in url Loaded when matching search engine related.
disabled-trusted-types.js is loaded anytime.
After that, some miscellaneous items are defined, including version information, update links, etc.
content_script.js
Get Current uuid Passed to web_accessible_resource.js and loaded.
web_accessible_resource.js
First, do a simple url Test, after successful test, it will request calnor.info js And inject it into the current page.
according to manifest.json The rules in the , will be loaded when accessing Google search js, you can see the return of calnor.info js Already appears in the webpage source code.
disabled-trusted-types.js
Disable the browser's XSS protection strategy.
service_worker.js
Should js It is a background service process that runs when the extension is started. It first registers an installation event listener, which is executed when the extension is first installed.
First get one from klymos.info uuid : trackInstall.
Register the client ID and send a message about the event to dash.zintrack.com : sendApiRequest.
The domain is a lightweight alternative to Google Analytics , and the attacker registered their own The api key is used to count victims.
Set the domain name to receive messages when the extension is uninstalled dash.zintrack.com: setUninstallURL.
After that, a timer will be set to update the rules every once in a while.
The rules are still obtained from klymos.info and applied to the network request interception of the extension.
The obtained rules are as follows. Their function is to remove security policies such as content-security-policy and X- Xss -Protection from network requests of some search websites.
Register timer update- rc Used to obtain remote code.
fetchRemoteCode Used to obtain from infird.com js Code.
Register for tab update events. Whenever a user creates a new browser tab, the remote js The code is loaded into the current page. If the current page url If it is in the blacklist , it will not be loaded.
When a user visits any web page that is not in the blacklist , the js Loaded into the web page source.
Finally, a page_view Event, which indicates that the victim has loaded service_worker.js.
This information is sent to Google 's web analytics service: www.google-analytics.com, where the attacker registered his API, probably used to count victims.
remote code.js
Should js The remote is obtained from infird.com js The file is loaded when the user opens a new web page ( adds a new tab ) . Its malicious logic is controlled by several limited-time cookies set by the attacker.
First, the current page url Strict filtering will be performed, and most pornographic websites, social media, search engines, etc. will be stopped.
url If the following fields exist, execution will also be stopped. It can be seen that the attacker is avoiding high-volume scenarios, which may be used to hide himself.
If it passes the filter, a timer is set every 20000 ms Perform the corresponding operation.
During the initialization phase, check whether the corresponding cookie item exists. If it exists, stop execution and clear the timer.
Lda_aKUr6BGRn is the URL used by the attacker to redirect. When it is empty, a new URL will be obtained from overbridgenet.com to fill it in.
overbridgenet.com will return a json File, where the at item is used to fill Lda_aKUr6BGRn, in actual debugging, this page only returns the format of {"s":1,"n":1} json File, the attacker may filter the target before filling in the at item at a specific time to attack.
If n = 1, perf_dv6Tr4n The item will be created and filled with 1. The c item in json is the cookie expiration time, which is used to control the js Should the file continue to execute? ( returned when perf_dv6Tr4n = 1 during initialization ).
Since the actual debugging json If the file does not have item c , the cookie will not expire.
If the Lda_aKUr6BGRn item is filled, it proceeds to the next stage of filtering:
1. Current url For a specified e-commerce website and Ac_aqK8DtrDL is empty.
Performing a link replacement operation.
First, a click event listener is created. When the user clicks on an element with a specified tag on the page, the user is hijacked and redirected to the link specified by the attacker.
The new link is spliced from Lda_aKUr6BGRn . The new link may be used by attackers for phishing.
2. Current url It is not an e-commerce website and Lda_aKUr6BGRn is not empty and Ac_aqK8DtrDL is empty.
Hijack the entire page to the attacker's link, set Ac_aqK8DtrDL to 1, Ac_aqK8DtrDS For counting.
3. Ac_aqK8DtrDL is not empty and Fm_kZf8ZQvmX is empty.
Create a new iframe, src The item is set to the attacker's link, set its style and insert it into the current page content, and finally set Fm_kZf8ZQvmX to 1.
calnor.js
Should js Obtained from calnor.info js Code, used by attackers to intercept related manifest.json The web page in the rule and inject it into.
It mainly targets search engines such as Google . Attackers can replace the content of the user's search page. First, it will detect whether the current page has tags set by the attacker. mdorkirgneorpowtn.
If it exists, send the relevant tag data to svdred.com , if it does not exist, send global.
Similarly, it detects whether the page contains other elements and sends the corresponding data of the elements to svdred.com . These elements do not exist on the normal Google search page and are set by the attacker. They are detected to remove duplicate execution.
For this js, which will insert elements into the current page after execution mdorkirgneorpowtn.
For all the above elements, execution will be terminated after detection to avoid different components affecting each other.
After passing the test, first set mdorkirgneorpowtn The value is a=4001&u=0106-20250304-ORG.
The attacker will avoid executing this component in some search modes, such as user searches for pictures and shopping, and only distinguish and send different types of information to xerogala.com based on the search content, and then terminate the execution.
A meta element called referrer will then be added to the page head.
Then enter the replacement logic, first get the search content, create a new style element and set the style.
Splicing based on the obtained search content url Request, send to xerogala.com and get the return data.
After processing the returned data, fill it into the element sadsfs Insert into the current page.
Its function is to insert the search results replaced by the attacker at the beginning of the search page. The following is the result after the victim searches. You can see that the first few search results are replaced.
Normal users’ search results do not include the initial content.
Through the debugging page, we can see that the content inserted by the attacker is sadsfs Elements, which in most cases are advertising content.
Summarize
At present, the full range of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), TianQing, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situation Awareness, etc., already support accurate detection of such attacks.
IOC
C2 :
calnor.info
klymos.info
infird.com
overbridgenet.com
infirc.com
xerogala.com
svdred.com
cachedclr.com
MD5:
40210f065e82d06b364f56c9ab4efdcd
a4aa475e2309f05ac83d8289b4604cbd
1c6271c9bd6281b06965ca780b292e65
ebee140bdb9f1f80597cdea66860e1b6