Threat actors encompass a range of individuals and groups that pose several cybersecurity risks. Their activities and tactics have evolved immensely over time and are primarily aimed at “espionage,” “disruption,” and “financial gain.”
The DFIR Report’s Threat Intel Team recently uncovered Chinese hackers’ toolkit and activity history.
In January-February 2024, researchers uncovered a Chinese hacking group called “You Dun” (aka “Dark Cloud Shield Technical Team”) via an exposed “open directory” that revealed their comprehensive “attack infrastructure.”
The group employed a sophisticated arsenal of reconnaissance tools:-
- WebLogicScan (a Python-based WebLogic vulnerability scanner)
- Vulmap (for broader web vulnerability assessment)
- Xray (for specialized website vulnerability scanning)
- dirsearch (for URL path discovery)
Their primary attack methodology involved exploiting “Zhiyuan OA” software installations via “SQL injection” attacks using “SQLmap,” by targeting South Korean pharmaceutical organizations.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
For post-exploitation activities, they deployed advanced “privilege escalation” tools like ‘traitor’ (for Linux systems) and ‘CDK’ (specifically for “Docker” and “Kubernetes” environments).
The C2 infrastructure of the group operated via eight distinct “IP addresses” functioning as proxies between January 18th and February 10th, 2024 by using both “Cobalt Strike” (enhanced with ‘TaoWu’ and ‘Ladon’ plugins for extended capabilities) and the “Viper” framework for remote access, reads The DFIR report.
In a notable expansion of their illicit activities, the group leveraged the leaked “LockBit 3.0” ransomware builder to create a custom ransomware variant (“LB3.exe”) that directed victims to their Telegram group “You_Dun” managed by an administrator known as “EVA”.
While maintaining a mask of “legitimate penetration testing services,” the group engaged in various malicious activities like “unauthorized data sales,” “DDoS attacks,” and “ransomware operations.”
This shows a sophisticated blend of both “technical expertise” and “criminal enterprise.”
.webp)
Security analysts found that the threat actors used multiple hacking tools in their operation by deploying “Cobalt Strike” (a remote access tool) on IP address “116.212.120.32” using a cracked license key (‘watermark: 987654321’).
The attacker left behind a file named “红队版.zip,” which contained additional attack tools, including TaoWu and Landon (Cobalt Strike extensions for enhanced capabilities).
They then installed a command-and-control (C2) framework called Viper, configured on port 60000 with default SSL certificates, to manage their attack infrastructure.
Using Viper’s built-in Metasploit (vipermsf) functionality, they compromised an Amazon Web Services (AWS) hosted WordPress website through a security vulnerability (CVE-2021-25003) in the WPCargo plugin.
To gain higher-level system access, they used privilege escalation tools:-
- CDK (for escaping Docker container restrictions)
.webp)
- Traitor (containing multiple Linux privilege escalation exploits)
.webp)
Their end goal appeared to be deploying LockBit ransomware (specifically version LB3.exe, linked to the Telegram channel “You_Dun” at hXXps://t.me/You_Dun).
.webp)
The attack campaign targeted organizations across multiple Asian countries like “South Korea,” “China,” “Thailand,” “Taiwan,” and “Iran,” with a particular focus on ‘government,’ ‘education,’ ‘health,’ and ‘logistics sectors.’
.webp)
The attackers operated through proxy servers hosted by “Forewin Telecom Group Limited,” using multiple IP addresses (“43.228.89.245-248,” “103.228.108.247,” 115.126.107.244,” “116.212.120.32,” and “163.53.216.157”) to hide their true location.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!