Overview
In May 2022, Qi'anxin Threat Intelligence Center published an article titled "Operation Dragon Breath (APT-Q-27): A Dimensionality Reduction Attack on the Gambling Industry", disclosing the attack activities of GoldenEyeDog (Qi'anxin internal tracking number APT-Q-27) against the gambling industry, and at the end of the article introduced the Miuuti Group, an attack group targeting the gambling industry with a complex personnel composition and strong mobility. It may overlap with known groups and has used multiple communication-software 0day vulnerabilities from 2015 to the present. The article "Operation Dragon Dance: The Sword of Damocles Hanging over the Gambling Industry" discussed the details of two 0day vulnerabilities used by GoldenEyeDog and a complete attack incident analysis.
GoldenEyeDog's business scope covers remote control, mining, DDoS and traffic-related services. Based on the mapping analysis of Qi'anxin Threat Radar, GoldenEyeDog has been one of the groups with the highest frequency of attacks on China since 2022. This article introduces the GoldenEyeDog samples and attack methods captured in recent years, and discusses the group's common attack methods and sample evolution.
Attack Method
The GoldenEyeDog gang has repeatedly used watering hole websites to host malware installation packages and implant Trojans into victims' devices. It has developed malware in languages such as .NET, C++, Go and Delphi, and the overall anti-virus evasion level of its attack samples is relatively high.
GoldenEyeDog deploys fake software download websites and uses various methods to trick victims into downloading and installing its malicious programs. The main targets are the gaming industry and related personnel. Since its counterfeit websites use SEO optimization and are quite realistic, anyone who searches for the specific software being counterfeited may download a disguised malicious installation package. GoldenEyeDog's attacks therefore have a very wide impact: domestic targets include Internet companies, securities, manufacturing, IT and other industries. Recently, we have found that GoldenEyeDog has begun to frequently use emerging remote control Trojans such as SilverFox and Winos as its remote control means.
The attack process of the GoldenEyeDog is shown in the figure below:
Popular software commonly counterfeited by the GoldenEyeDog gang includes:
- Telegram Chinese version installation package
- Fast VPN
- Potato social software
- WPS Office
- Sogou Input Method
- Opera browser
- Chrome browser
- Tor
- Aisi Assistant
- TeamViewer
- ToDesk
- Shuttle VPN
- FastSail VPN
- Feilian VPN
- v2rayN
- Love Acceleration
- TradingView Investment Software
- Cyclone converter, etc.
At the same time, the gang also launched counterfeit websites of multiple virtual currency trading platforms, including MEXC cryptocurrency exchange, OKX digital currency exchange, and Gate Sesame, targeting cryptocurrency practitioners.
In addition to serving malicious programs directly from the watering hole website directory, we also found that different watering holes shared a malicious domain as a common download server. The attackers used program names or irregular codes to distinguish the corresponding malicious programs; once the malicious server identified a code, it redirected to the corresponding cloud storage link for the download.
Mode of transmission
Search Engine SEO
After writing the watering hole page, GoldenEyeDog optimized it through Yoast SEO to improve its ranking in search engines, and tricked victims into downloading and installing malicious installation programs. Currently, many of the group's watering holes are ranked high. For example, its WPS watering hole website ranks second on Google search engine:
Hidden pages or advertisements placed on gambling websites
It was also discovered that the gang had placed links to its watering hole websites on multiple gambling websites:
Spreading the download site through question-and-answer platforms, forums, etc.
Sample Analysis
The following is an analysis of several typical samples related to this incident.
Chinese version of Telegram
Sample Source
This sample is the latest sample from the watering hole website www.telegramkx.com . It is consistent with the Trojan operation process used by the GoldenEyeDog group that we found before:
Basic Information
| File Name | File Size | File MD5 |
|---|---|---|
| ChineseTG_Z_HB_TELE_DESKTOP | 77273108 bytes | 27889662C62E84E3D4400B372379C1C9 |
The Trojan is disguised as the Chinese version of Telegram installer:
Trojan execution details
1. This sample is an EXE installation package generated by Setup Factory Runtime. When run, it releases a signed Chinese TG program. The signature information is as follows:
An EXE program disguised as a Flash component is created and run in the background:
2. The main function of lpxs.exe is to decrypt the malicious DLL and execute it. Its decryption algorithm is similar to the Trojan algorithm used by GoldenEyeDog before:
After decryption, it calls the export function of the malicious DLL:
3. The HDPX export function includes anti-debugging. Its main function is to create and call a script file, and at the same time release white + black Trojan programs and an encrypted TXT file:
The BAT script file turns off the UAC prompt through registry settings:
4. The Trojan then decrypts the TXT file and releases a modified version of the Gh0st Trojan, C2 = 154.19.167.161:15628:
Aisi Assistant
Sample source
This sample is the latest sample from the watering hole website i4.com.vn. After analysis, it is found to be a SilverFox family Trojan, which eventually releases Gh0st to achieve remote control:
Basic Information
| File Name | File Size | File MD5 |
|---|---|---|
| i4Tools8_v8.29_Setup | 273814143 bytes | FBA8EBBFB1D526736498650DA0656AA9 |
The Trojan is disguised as the installer of Aisi Assistant and is packaged using the Inno Setup tool:
Trojan execution details
1. This sample releases the normal Aisi Assistant installation program, plus the white + black Trojan program:
The white file is a signed component of a company's "Printer Guardian" product:
2. The black DLL checks for a debugger and exits directly without triggering malicious behavior:
It decrypts its own hardcoded shellcode and its parameters through XOR, and calls the ZwCreateThreadEx function to perform process injection:
3. The shellcode decrypts the incoming binary data by XOR, obtains the DLL and calls its export function:
4. The main function of this DLL is to prevent debugging and monitor for 360 Security Guard. After the monitoring is completed, it releases the next stage of the white + black program and a shellcode file with a .dat suffix. During this process, the Trojan first releases the program to the Windows temporary directory, then renames it through a pipe using a CMD command and moves it to the root directory of the C drive:
5. The next-stage DLL process first adds the directories 'C:\Program Files (x86)' and 'C:\' to the Windows Defender exclusion list:
It creates a mutex "FakeMutex":
Finally, similar to the Trojan process in the previous stage, the shellcode in the .dat file is injected:
6. The shellcode decrypts a UPX-packed DLL file in memory and calls its export function, which is a modified version of the Gh0st Trojan, C2 = 38.46.12.82:51163:
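The decrypt-then-load steps in both chains above (the encrypted TXT in the Telegram sample, the XOR-decoded shellcode and .dat stage here) hide a PE image behind a repeating-XOR layer. The Python helper below is an added analyst example, not code from the report or from any GoldenEyeDog tooling: it brute-forces single-byte XOR keys and validates each candidate by checking that the decoded MZ header's e_lfanew points at a PE signature. The blob it runs on is a constructed header skeleton, not a sample from the report.

```python
import struct

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key, the scheme the report describes for the TXT/.dat stages."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def is_pe(buf: bytes) -> bool:
    """True if buf starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def find_single_byte_keys(blob: bytes) -> list:
    """Try all 256 single-byte keys, keeping those that expose a valid PE header.
    Only the 0x40-byte DOS header and the 4 bytes at e_lfanew are decoded per key,
    so this stays cheap even for multi-megabyte droppers."""
    hits = []
    for k in range(256):
        dos = xor_bytes(blob[:0x40], bytes([k]))
        if len(dos) < 0x40 or dos[:2] != b"MZ":
            continue
        off = struct.unpack_from("<I", dos, 0x3C)[0]
        if xor_bytes(blob[off:off + 4], bytes([k])) == b"PE\0\0":
            hits.append(k)
    return hits

def recover_pe(blob: bytes):
    """Decode the blob with the first working key and return the PE image, or None."""
    keys = find_single_byte_keys(blob)
    if not keys:
        return None
    image = xor_bytes(blob, bytes([keys[0]]))
    # The recovered image may itself be UPX-packed (as in the last stage above):
    # unpack it before looking at its export table.
    return image if is_pe(image) else None

def _fake_pe() -> bytes:
    """Constructed stand-in for a dropped payload: a bare MZ/PE header skeleton, not a real binary."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> 0x80
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + b"\x90" * 32

SAMPLE_BLOB = xor_bytes(_fake_pe(), b"\x5a")  # constructed: encoded with key 0x5A

if __name__ == "__main__":
    print("candidate keys:", [hex(k) for k in find_single_byte_keys(SAMPLE_BLOB)])
    image = recover_pe(SAMPLE_BLOB)
    print("recovered:", image[:2], "e_lfanew=0x%x" % struct.unpack_from("<I", image, 0x3C)[0])
```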
Clash
Sample source
This sample is related to the watering hole website v2raynos.com . After analysis, it is found to be a SilverFox family Trojan, which eventually releases Winos to achieve remote control:
Basic Information
| File Name | File Size | File MD5 |
|---|---|---|
| Clash.for.Windows.Setup | 189645312 bytes | 617CD6206A0745CD6AAE92B09F8B4C2A |
The Trojan is disguised as a Clash MSI installation package:
Trojan execution details
1. When the sample is installed, it releases a black DLL and a malicious file with the .log suffix:
2. After releasing the next-stage PE file through the .log file, it calls the malicious export function, which releases multiple .lnk files; the first .lnk adds the second one, dick.lnk, to the registry for automatic startup, and dick.lnk then starts the white + black program:
3. The white + black program releases the Winos Trojan through the second Ensup.log. The configuration information included in the sample is as follows:
C2 = 202.146.220.95:6666 / 202.146.220.95:8888 / 202.146.220.95:8080
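Three steps in the chains above leave registry traces a defender can alert on: the BAT script in the Telegram chain turning off the UAC prompt, the Aisi Assistant stage adding 'C:\Program Files (x86)' and 'C:\' to the Defender exclusion list, and the Clash stage registering dick.lnk for automatic startup. The Python detector below is an added example, not the report's code. It assumes Sysmon Event ID 13 (registry value set) events flattened into constructed key=value lines, that the UAC change targets EnableLUA, ConsentPromptBehaviorAdmin or PromptOnSecureDesktop under the Policies\System key, and that the .lnk autostart is a Run-key value; the report names these behaviours but not the exact values written.

```python
import re

# Key paths are assumptions: the report names the behaviours, not the exact values written.
UAC_POLICY_KEY = "\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
DEFENDER_EXCL_KEY = "\\software\\microsoft\\windows defender\\exclusions\\paths\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
BROAD_EXCLUSIONS = {"c:", "c:\\program files", "c:\\program files (x86)"}  # drive-wide exclusions

def parse(line: str) -> dict:
    """Split a constructed 'k=v|k=v' Sysmon-style registry event into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))

def dword(details: str):
    """Integer from a Sysmon 'DWORD (0x00000000)' Details string, else None."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return int(m.group(1), 16) if m else None

def check_event(ev: dict):
    """Return (rule, severity, detail) for one registry-set event, or None if benign."""
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    low = target.lower()
    if UAC_POLICY_KEY in low:
        if low.rsplit("\\", 1)[-1] in UAC_VALUES and dword(details) == 0:
            return ("uac_prompt_disabled", "high", target)
    if DEFENDER_EXCL_KEY in low:
        # The excluded path is the value name itself and contains backslashes.
        path = target[low.index(DEFENDER_EXCL_KEY) + len(DEFENDER_EXCL_KEY):]
        broad = path.lower().rstrip("\\") in BROAD_EXCLUSIONS
        return ("defender_exclusion_added", "critical" if broad else "medium", path)
    if RUN_KEY in low and details.strip('"').lower().endswith(".lnk"):
        return ("run_key_points_to_lnk", "high", details)
    return None

def analyze(lines) -> list:
    """(image, rule, severity, detail) for every EventID 13 line that matches a rule."""
    out = []
    for ev in map(parse, lines):
        hit = ev.get("EventID") == "13" and check_event(ev)
        if hit:
            out.append((ev.get("Image", "?"),) + hit)
    return out

# Constructed log lines modelled on the stages above (image paths and the SID are made up).
SAMPLE_LOG = [
    r"EventID=13|Image=C:\Windows\System32\reg.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|Details=DWORD (0x00000000)",
    r"EventID=13|Image=C:\Windows\Temp\stage2.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)|Details=DWORD (0x00000000)",
    r"EventID=13|Image=C:\Windows\Temp\stage2.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\|Details=DWORD (0x00000000)",
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive|Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe",
    r"EventID=13|Image=C:\Users\Public\loader.exe|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update|Details=C:\Users\Public\dick.lnk",
]
```

Running `analyze(SAMPLE_LOG)` flags the UAC write, both exclusions (as critical, because they cover a whole drive or Program Files) and the .lnk Run value, while the OneDrive entry passes.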
Mining activities
In this incident, the GoldenEyeDog gang not only deployed remote control Trojans, but also Trojan programs related to mining. The sample information is as follows:
| File Name | File Size | File MD5 |
|---|---|---|
| IBusEnum | 5120852 bytes | 42A802F20D8998F19CE8ED5F84A9CD2A |
After analysis, the sample was confirmed to be an XMRig mining Trojan. The Trojan comes with its own configuration file and supports remote updating of configuration information through a hard-coded URL, URL = "http://cdn-down.cdndown.shop/config.json".
The built-in configuration information is as follows:
The current remote configuration information is as follows:
Summary
Combining the attack targets mentioned in our previous analysis report with the counterfeit sites forged by GoldenEyeDog, it is not difficult to see that its main attack targets are still industries such as gambling and fraud. However, because the popular software it counterfeits has such a wide user base, victims from other industries are inevitable.
In fact, through the telemetry of Qi'anxin Threat Radar and the APT attack clues gathered from customer sites by the Qi'anxin RedDrip team, combined with the analysis of alarm data from Qi'anxin Threat Intelligence's full range of products, GoldenEyeDog has been one of the groups with the highest frequency of attacks in China since 2022, involving education, Internet, securities, manufacturing, IT software services and many other industries.
At present, the full range of products based on threat intelligence data from Qi'anxin Threat Intelligence Center, including Qi'anxin Threat Intelligence Platform (TIP), TianQing, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, Qi'anxin Situation Awareness, etc., already support accurate detection of such attacks.
Reference Links
[1]. https://mp.weixin.qq.com/s/_oulmr53ZeMFFsVR1esa9A
[2]. https://ti.qianxin.com/blog/articles/operation-dragon-dance-the-sword-of-damocles-hanging-over-the-gaming-industry/
IOCs
Some information about the incident is as follows:
Watering hole domain name:
Malicious download server:
Mining Pools:
mm.bitbrowser.me:3333
C2: