＃## Overview

"Short, flat and fast" in the field of financial investment usually refers to short-term, low-risk, fast return, so if you apply it in the field of network attacks: fileless shellcode in the system process exists for a short period of time, the vulnerability triggers smooth and low probability of discovery, the stolen files can be quickly transmitted to the hands of the attacker, the Qi'anxin Threat Intelligence Center Red Raindrop team discovered the offshore advanced secret stealing group that perfectly meets the above indicators, and named it UTG-Q-017, affecting a large number of political enterprises.

UTG-Q-017 was first active in August 2024 and has the following mechanics with the help of globally visited adjs intermittently dropping links with Chrome Nday:

1. Full fileless landing: with the help of Chrome Nday's attack chain to inject the first stage of the downloader shellcode into the system memory, and will eventually load the lumma stealer stealing Trojan in the system memory, and retreat after stealing the files.
2. Disposable C2: UTG-Q-017 uses a brand new C2 and domain name every time it is active, but the characteristics of the shellcode downloader are unique to the organization, and in the less than a year it has been active, we have captured nearly 500 IPs of the downloader's shellcode, corresponding to nearly 1,600 domain names, and if we add in the domain names built in by lumma stealer, the full amount of domain names could be around 5,000 to 6,000, and the attacker has invested a huge amount of money for this "short and quick" attack chain. If we add the domain names built into the lumma stealer, the full amount of domain names may be around 5,000 to 6,000, the attacker has invested a huge amount of money for this set of "short and quick" attack chain.
3. Short control time: UTG-Q-017 has a window of only 1-2 days in the use of advertisement delivery exp, which will be active at least once a week, and the malicious code level does not seek long-term control in addition to the realization of the whole process without files. From the time Chrome triggers EXP to the time the lumma stealer finishes stealing data is only 3-5 minutes, the whole process is senseless.

Only ASRock "liuhe" Advanced Threat Prevention Engine has hit more than 100 C2s of UTG-Q-017 in the past year, accounting for a quarter of the group's C2s. Although China is by no means the only victimized area, it must be the hardest-hit area, and we suggest government customers to enable cloud checking to find out the unknown threats. Currently, the "liuhe" advanced threat defense engine can already intercept shellcode in memory:

Infectious Chain

The undocumented attack chain is as follows:

We have analyzed the ad js on fake/porn/normal websites and there are many highly visited ad domains with the following configuration information:

Observe the words "ads by ClickAdilla", ClickAdilla is an offshore ad push service provider.

There are also links to advertisements for sentry, 2eb59608a84d354e409ffc15596042c6 which may be an account registered by the attacker.

We have not traced the EXP js back to which ad interface pushed it, but the domain in question has at least a million visits in China, which is able to cover the scenarios of daily web visits.

It is hypothesized that the attacker bypassed the detection of these ad push service providers, causing the ad platform to push the UTG-Q-017 captcha.js script disguised as a CAPTCHA, causing the Nday EXP to be triggered, and combined with the terminal data statistics of the timeline of the UTG-Q-017 push of the malicious EXP, the time window of the push is only 1-2 days, which makes it difficult to make a traceable discovery:

Goal

When counting the victims, we found an interesting phenomenon, all of the endpoint environments are Chrome (109.0.5414.120)+ Win 7 sp1 (6.1.7601.XXX.1.1), after checking the kernel of version 109.0.5414.120 is the last version of Chrome adapted to Win7, in other words, UTG-Q-017, as a new group active in mid-24, has spent a lot of money to design a "short and quick" chain for the platform that has stopped updating in early 23. In other words, UTG-Q-017, as a newly active organization in the middle of '24, has spent a lot of money to design a "short and quick" attack chain for the Win7 platform, which has stopped updating since the beginning of '23. It may seem like a reversal of history, but what if the attackers knew the "national context"? From the results of this set of attack chain is really only the government and enterprise terminals are controlled, and the attacker can steal the data to afford to invest heavily in infrastructure. Victimized industry statistics are as follows:

Memory state shellcode

The shellcode downloader that is injected into the system process is only 1kb in size, and it is the unique memory downloader of UTG-Q-017, which is functionally divided into two categories: the injection class and the loading class, and the loading class functions as follows:

Getting the two-stage shellcode from a remote server and executing it, the C2 server may have victim checksums, dynamic debugging is difficult to get the two-stage shellcode directly, and injecting the class performs the operation of creating a process and injecting it based on the loaded class:

The second-stage shellcode used Paradise Gate's 32-bit shellcode to adjust 64-bit API during loading, and Skyrocket's "Six Harmonies" Advanced Threat Defense Engine only detected a small amount of lumma stealer being loaded in the memory, and it is not possible to rule out that UTG-Q-017 loaded other unknown backdoors as well. It is not ruled out that UTG-Q-017 also loaded other unknown backdoors.

Lumma stealer is a Maas-based system of stealing software, C2 domains are generally hung on cloudflare CDN, can steal key data such as browser cookies, email credentials, sensitive files, all kinds of client credentials ^[1], after the completion of the theft of the attack cycle is formally ended, and will not carry out the persistence and other sensitive operations.

Summarize

Currently, the full line of products based on the threat intelligence data from the Qi'anxin Threat Intelligence Center, including the Qi'anxin Threat Intelligence Platform (TIP), SkyRock, SkyEye Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness, already support the accurate detection of such attacks.

IOC

Memory shellcode downloader one-time C2 (expired)

hxxp://5.196.171.210/ComplicatingExaminesSupport.jpg

Reference Links

[1]. https://www.cyfirma.com/research/lumma-stealer-tactics-impact-and-defense-strategies/