
Introduction to Liuhe Engine

Hackers have been using common Trojan frameworks such as Gh0st, WinOS, PlugX, Cobalt Strike, Sliver, and Havoc. To bypass detection by traditional endpoint antivirus software and EDR, attackers often rely on techniques such as evasion loaders and memory injection, and even pay large sums to have loaders digitally signed so that they pass static signature checks and load the common Trojan into memory without it ever touching disk. Although security vendors keep disclosing variants of this malicious code [1], traditional signature-based detection still cannot keep up with increasingly complex evasion methods.

So, is there a defense engine that can ignore these external evasion techniques, detect the malicious behaviour directly in memory, and issue accurate alerts?

Since its launch, TianQing's next-generation threat detection product, the "Liuhe" advanced threat defense engine, has significantly enhanced security teams' threat hunting capabilities. It has uncovered numerous fileless espionage campaigns targeting China by top foreign APT groups, as well as black market Trojans like Silver Fox (Gh0st). Regardless of which evasion tactics attackers use or how many legitimate signatures they hold, users who purchase and deploy TianQing's "Liuhe" module get interception by default, effectively blocking common Trojan attacks.

Screenshot of Silver Fox (Gh0st) Trojan memory detection:

Screenshot of Cobalt Strike Trojan memory detection:

Screenshot of Sliver Trojan memory detection:

Screenshot of Havoc Trojan memory detection:


Legitimate Signature Abuse Activity

Based on an alert from the TianQing "Liuhe" advanced threat engine, we found that after an installation package carrying a legitimate digital signature was run, the Silver Fox (Gh0st) Trojan's characteristics appeared in memory. Tracing the source upstream, we found the counterfeit website shown below:

The downloaded malicious installation package has a legitimate digital signature:

Black market actors and APT groups sign their Trojans with domestic (Chinese) digital certificates obtained through proxy signing services. We understand that the fee for a single signature ranges from 20,000 to 50,000 yuan, which makes this a black market with higher profit margins than the cyberattacks themselves. The digital signatures involved are:

Xi'an Vanci Electronic Technology Co., Ltd.

The malicious logic is a loader that reads the dropped file and decrypts it:

After decryption, the Silver Fox (Gh0st) Trojan is injected into the explorer.exe process.

The loader and injector involved in this case are both common weapons of today's black industry and low- to mid-tier APT groups. The Liuhe Engine monitors the whole process chain and performs memory detection. When it detects the Silver Fox signature inside the explorer.exe system process, it reads the C2 directly out of memory and displays it to the user for subsequent investigation and notification.

The attacker subsequently dropped a "white plus black" pair (a legitimately signed executable that loads a malicious DLL), and the black DLL carried yet another legitimate signature. This too triggered an alert from the Liuhe Advanced Threat Engine and was discovered by us:

Digital Signature:

Capybara Technology Ltd


Summary

At present, the full range of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), TianQing, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situational Awareness, etc., already support accurate detection of such attacks.


IOC

FileHash-MD5 :

8e26e076308f8294ccfabc9aee3a6511

fcdd97426794cd57ab413f8ebbba4d4d

C2 :

ksdcks3.org
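As an added example (not code from this post, and not part of the Liuhe product), the following PowerShell hunt applies the two lessons above on a Windows endpoint: it matches file MD5s against the IOCs listed here and, separately, flags binaries whose Authenticode signature verifies as Valid but whose signer is one of the abused companies named in the post. Assumptions: the certificate subject contains the English company names as quoted here (the real subject may be in Chinese), the sweep paths are illustrative, and the DNS-cache check for the C2 domain is only a quick local indicator, not a substitute for memory inspection.

```powershell
# Added hunting script, not from the Qi'anxin post. Assumptions: signer CN
# contains the English names quoted in the post; IOC values come from the post.
$KnownBadMd5 = @(
    '8e26e076308f8294ccfabc9aee3a6511',
    'fcdd97426794cd57ab413f8ebbba4d4d'
)
$AbusedSigners = @(
    'Xi''an Vanci Electronic Technology',   # assumption: substring of the cert CN
    'Capybara Technology'                  # assumption: substring of the cert CN
)
$C2Domain = 'ksdcks3.org'

function Test-SignedDropper {
    param([Parameter(Mandatory)][string]$Path)

    $md5 = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLower()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $hashHit   = $KnownBadMd5 -contains $md5
    $signerHit = @($AbusedSigners | Where-Object { $subject -like "*$_*" }).Count -gt 0

    [pscustomobject]@{
        Path                 = $Path
        Md5                  = $md5
        SignatureStatus      = $sig.Status
        Signer               = $subject
        HashMatchesIoc       = $hashHit
        # The case the post describes: the signature is genuine, the payload is not.
        ValidButAbusedSigner = ($sig.Status -eq 'Valid') -and $signerHit
        Suspicious           = $hashHit -or $signerHit
    }
}

# Sweep typical drop locations (illustrative paths) and report only rule hits.
$Targets = @("$env:USERPROFILE\Downloads", "$env:TEMP")
Get-ChildItem -Path $Targets -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignedDropper -Path $_.FullName } |
    Where-Object { $_.Suspicious } |
    Format-Table Path, Md5, SignatureStatus, Signer, ValidButAbusedSigner -AutoSize

# Quick local indicator: has this host resolved the C2 domain recently?
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain*" } |
    Select-Object Entry, RecordName, Data
```

The point of the `ValidButAbusedSigner` column is that `Get-AuthenticodeSignature` returning `Valid` answers only "was this file signed with a trusted certificate", not "should this file run"; a signer allowlist or blocklist, hash IOCs, and in-memory behaviour checks have to be layered on top of the signature result.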


Reference Links

[1] https://mp.weixin.qq.com/s/31MvIg9wwAcoRFUhBnej3g

Tags: TianQing, Liuhe, UTG-Q-1000, Malware