Key Takeaways
- Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity.
- The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran.
- The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions.
- The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
Case Summary
The DFIR Report’s Threat Intel Team detected an open directory in January 2024 and analyzed it for tradecraft and threat actor activity. Once reviewed, we identified it was related to the Chinese speaking hacking group that calls itself “You Dun”.
The threat actor conducted various activities using the host we investigated which included reconnaissance and web exploitation activities. Using tools such as WebLogicScan, Vulmap, and Xray, they were able to identify numerous vulnerable servers. They exploited several websites running Zhiyuan OA software and used SQLmap to conduct SQL injection.
We found evidence of several successful exploitation attempts. After gaining access, the threat actor used further tools to attempt privilege escalation on the compromised hosts, including traitor for Linux privilege escalation exploits and CDK for Docker and Kubernetes privilege escalation.
Both Cobalt Strike and Viper framework files were visible in the open directory. A zip archive that contained the files for a Cobalt Strike team server included the plugins TaoWu and Ladon, which greatly extend the capabilities of the framework. The DFIR Report Threat Intel Team tracked the server as hosting active command and control from January 18th through February 10th of 2024. Using data from the leaked server, we identified a cluster of eight IP addresses all being used to proxy the command and control for the same threat actor and active for the same time frame.
The threat actor also utilized the leaked LockBit 3 ransomware builder to create a custom binary LB3.exe. The ransom note the LockBit binary produced provided the contact details as a Telegram group “You_Dun” administrated by “EVA”. The group responsible also uses the name “Dark Cloud Shield Technical Team”. According to their channels, this group appears to be involved in selling “penetration testing”, but it is also engaged in illicit data sales and DDoS, and, based on the LockBit binary, also uses ransomware to earn a payday.
Analysts
Analysis and reporting completed by @pcsc0ut and @svch0st.
Capability
Reconnaissance
WebLogicScan
The threat actor used WebLogicScan, a Python script that scans for vulnerabilities in WebLogic.
Based on bash history, they ran the tool by supplying various text files to the script.
Vulmap
The threat actor also used vulmap.py to scan for WebLogic vulnerabilities, providing several lists of their targets.
Bash history excerpts:
Below are the help options, detailing the “-a” switch that defines which application is being targeted.
Xray
The threat actor used the tool Xray to scan two Chinese websites more broadly for vulnerabilities.
Bash history excerpts:
dirsearch
The threat actor used dirsearch to scan for URL paths on their targets. A log of one of their scans remained:
Initial Access
Sqlmap
The threat actor used sqlmap to compromise various websites:
Below is one of the many commands the threat actor ran to dump tables from a pharmaceutical organization in South Korea:
Seeyon_exp
The script seeyon_exp was used to upload JSPX web shells to several sites by exploiting a component in the software Zhiyuan OA.
The results that were left behind by the threat actor provided evidence of the web shells from the successful exploitation:
Translated, we can see the confirmation of what was successful with each target.
Weaver
Another tool, weaver, was also used to scan for vulnerabilities in and exploit Zhiyuan OA instances.
Command and Control
Cobalt Strike (S0154)
The bash history included a nohup command to run a Cobalt Strike server with the following password and account details:
The IP 116.212.120.32 exposed the following beacon configuration, most notably a cracked watermark of 987654321:
Cobalt Strike Beacon:
x86:
  beacon_type: HTTP
  dns-beacon.strategy_fail_seconds: -1
  dns-beacon.strategy_fail_x: -1
  dns-beacon.strategy_rotate_seconds: -1
  http-get.client: Cookie
  http-get.uri: 116.212.120.32,/IE9CompatViewList.xml
  http-get.verb: GET
  http-post.client: Content-Type: application/octet-stream id
  http-post.uri: /submit.php
  http-post.verb: POST
  maxgetsize: 1048576
  port: 80
  post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
  post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
  process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread
  process-inject.startrwx: 64
  process-inject.stub: e43a1b63f09794f74d90a9889f7acb77
  process-inject.userwx: 64
  proxy.behavior: 2 (Use IE settings)
  server.publickey_md5: a490a5e2db1fcc496e6b793a8ea02a19
  sleeptime: 60000
  useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS)
  uses_cookies: 1
  watermark: 987654321
x64:
  beacon_type: HTTP
  dns-beacon.strategy_fail_seconds: -1
  dns-beacon.strategy_fail_x: -1
  dns-beacon.strategy_rotate_seconds: -1
  http-get.client: Cookie
  http-get.uri: 116.212.120.32,/visit.js
  http-get.verb: GET
  http-post.client: Content-Type: application/octet-stream id
  http-post.uri: /submit.php
  http-post.verb: POST
  maxgetsize: 1048576
  port: 80
  post-ex.spawnto_x64: %windir%\sysnative\rundll32.exe
  post-ex.spawnto_x86: %windir%\syswow64\rundll32.exe
  process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread
  process-inject.startrwx: 64
  process-inject.stub: e43a1b63f09794f74d90a9889f7acb77
  process-inject.userwx: 64
  proxy.behavior: 2 (Use IE settings)
  server.publickey_md5: a490a5e2db1fcc496e6b793a8ea02a19
  sleeptime: 60000
  useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
  uses_cookies: 1
  watermark: 987654321
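A beacon configuration like the one above is most useful to defenders once it is turned into concrete artifacts: the URLs the beacon will contact (for blocklists and proxy-log hunting) and the configuration traits that mark a cracked or default build. The script below is an added example, not tooling from the report or from The DFIR Report; it parses the flattened "key: value" dump format shown above into per-architecture dictionaries and derives those artifacts. The sample dump is a constructed, trimmed copy of the x86 and x64 sections above; the treatment of watermark 0 as a cracked-build indicator is from public reporting rather than this page.

```python
"""Parse a flattened Cobalt Strike beacon-configuration dump and derive
defender-side artifacts from it. Added example, not tooling from the report."""
import re
from typing import Dict, List

# Constructed sample: x86 section from the report, x64 section trimmed,
# flattened on one line the way the page presented it.
SAMPLE_DUMP = (
    "Cobalt Strike Beacon: "
    "x86: beacon_type: HTTP dns-beacon.strategy_fail_seconds: -1 "
    "http-get.client: Cookie http-get.uri: 116.212.120.32,/IE9CompatViewList.xml http-get.verb: GET "
    "http-post.client: Content-Type: application/octet-stream id http-post.uri: /submit.php http-post.verb: POST "
    "maxgetsize: 1048576 port: 80 "
    "post-ex.spawnto_x64: %windir%\\sysnative\\rundll32.exe post-ex.spawnto_x86: %windir%\\syswow64\\rundll32.exe "
    "process-inject.execute: CreateThread SetThreadContext CreateRemoteThread RtlCreateUserThread "
    "proxy.behavior: 2 (Use IE settings) server.publickey_md5: a490a5e2db1fcc496e6b793a8ea02a19 "
    "sleeptime: 60000 useragent_header: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; BOIE9;ENUS) "
    "uses_cookies: 1 watermark: 987654321 "
    "x64: beacon_type: HTTP http-get.uri: 116.212.120.32,/visit.js http-get.verb: GET "
    "http-post.uri: /submit.php http-post.verb: POST port: 80 sleeptime: 60000 watermark: 987654321"
)

# A key is a lowercase dotted/hyphenated name followed by ": ". Values such as
# "Content-Type: application/octet-stream" start with an upper-case letter and
# are therefore not mistaken for keys. "x86"/"x64" open an architecture section.
KEY_RE = re.compile(r"\b([a-z][a-z0-9_-]*(?:\.[a-z0-9_-]+)*): ")

# 987654321 is the cracked watermark named in the report; 0 is the other value
# public reporting commonly associates with cracked/leaked team servers.
CRACKED_WATERMARKS = {"987654321", "0"}


def parse_beacon_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Split the dump into {"x86": {...}, "x64": {...}} dictionaries."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    matches = list(KEY_RE.finditer(text))
    for i, m in enumerate(matches):
        key = m.group(1)
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        value = text[m.end():end].strip()
        if key in ("x86", "x64"):
            current = key
            sections[current] = {}
            continue
        if current is None:          # preamble such as "Cobalt Strike Beacon:"
            continue
        sections[current][key] = value
    return sections


def beacon_urls(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Full GET/POST URLs the beacon contacts. http-get.uri holds 'host,/path'
    entries; hosts are the comma-separated items that do not start with '/'."""
    urls = set()
    for cfg in sections.values():
        scheme = "https" if cfg.get("beacon_type", "").upper() == "HTTPS" else "http"
        port = cfg.get("port", "80")
        parts = [p for p in cfg.get("http-get.uri", "").split(",") if p]
        hosts = [p for p in parts if not p.startswith("/")]
        paths = [p for p in parts if p.startswith("/")]
        for host in hosts:
            for path in paths:
                urls.add(f"{scheme}://{host}:{port}{path}")
            if cfg.get("http-post.uri"):
                urls.add(f"{scheme}://{host}:{port}{cfg['http-post.uri']}")
    return sorted(urls)


def assess(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Configuration traits an analyst would flag in a report or hunt on."""
    findings = []
    for arch, cfg in sections.items():
        wm = cfg.get("watermark")
        if wm in CRACKED_WATERMARKS:
            findings.append(f"{arch}: watermark {wm} is associated with cracked builds")
        for k in ("post-ex.spawnto_x64", "post-ex.spawnto_x86"):
            if cfg.get(k, "").lower().endswith("rundll32.exe"):
                findings.append(f"{arch}: default spawnto {cfg[k]} (argument-less rundll32 children are a hunt signal)")
        if cfg.get("sleeptime", "").isdigit():
            findings.append(f"{arch}: check-in interval {int(cfg['sleeptime']) // 1000}s")
    return findings


if __name__ == "__main__":
    parsed = parse_beacon_dump(SAMPLE_DUMP)
    print("\n".join(beacon_urls(parsed)))
    print("\n".join(assess(parsed)))
```

The parser relies only on the naming convention of the keys (lowercase, dotted, hyphenated), so values that themselves contain a colon, such as the http-post.client header, survive intact; any extractor output in the same "key: value" style can be fed in unchanged.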
The threat actor left behind the file 红队版.zip in the root of the open directory.
The zip contained a Cobalt Strike kit which was also the same that was extracted to the root of the open directory.
The aggressor script CrossC2-GithubBot-2023-03-27.cna was sourced from this repo.
The other major modules in this Cobalt Strike kit are TaoWu and Ladon, which extend Cobalt Strike’s capabilities.
TaoWu
The TaoWu aggressor script includes tooling and scripts that add actions to Cobalt Strike.
It includes a large number of precompiled binaries in the path taowu-cobalt-strike-master\script:
Ladon
The Ladon plugin for Cobalt Strike is a framework that allows extensive automation of intrusion activity.
The documentation (https://mp.weixin.qq.com/s/GQBXCX1fiSLi6gKY3M-JcA) includes screenshots such as:
Viper
Viper is a command and control tool used for post exploitation activity. It is one of the C2 frameworks tracked by the DFIR Report Threat Intelligence group. According to the GitHub profile:
It was installed through the execution of the f8x script, which installs Docker dependencies and a mostly pre-configured Docker image:
The threat actor was prompted for a password upon initial install, and reused the password that was configured for the Cobalt Strike team server:
The Viper C2 management panel was observed listening on the default TCP port 60000 and using the default SSL certificates provided with the Docker image. A pivot on the default SSL certificate in Censys shows a much broader network of this Viper Docker image publicly exposed on the Internet.
Censys Search:
services.tls.certificates.leaf_data.fingerprint: 4de3278507c89d2242a12c20b74878e3f84970c463a924771f156a3da7d7b5a1 or services.tls.certificates.chain.fingerprint: 4de3278507c89d2242a12c20b74878e3f84970c463a924771f156a3da7d7b5a1
The threat actor was observed using the Viper C2 for post exploitation on an AWS host running a Bitnami WordPress app. After initial access was gained, the vipermsf (Metasploit) backend was utilized to run a one-line command to upload and execute a file:
The ONE-LINE-CMD pattern matches the format utilized in the Viper MSF Web Delivery API found on GitHub:
Information gathered from the Redis RDB dump file using redis-rdb-tools (https://github.com/sripathikrishnan/redis-rdb-tools) shows that the execution was successful, and the threat actor was able to achieve execution of the payload (recovered from the host info module):
Because the location the payload was written to on disk matches the POC exploit code (https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-25003.yaml), we assess with high confidence that initial access was gained through an exploit of the WordPress plugin WPCargo, specifically the remote code execution vulnerability CVE-2021-25003.
Privilege Escalation
The reverse shell created by the payload appeared to be used to run a Docker container exploit using a tool called CDK.
The mount-cgroup module utilizes a Docker container escape exploit documented by @_fel1x:
Additional follow-on activity showed the threat actor uploading, via a Viper agent, an additional file used for privilege escalation:
traitor-amd64 upload completed
Traitor is a tool that includes several privilege escalation exploits for Linux:
Impact
The threat actor had a copy of LockBit ransomware at .local\LB3.exe, and in the bash history of the host there were two RAR files they had deleted:
While the archives no longer existed for us to analyze, we assess with moderate confidence that these were copies of the previously leaked LockBit Black ransomware builder.
Triage Sandbox run screenshot of .local\LB3.exe:
Ransom note presented after executing the LB3.exe binary:
When analyzing the left-behind LB3.exe binary, the following ransom note is created upon execution:
The Telegram channel mentioned is hXXps://t.me/You_Dun. Further analysis of this group is discussed in the Adversary section.
Victims
Countries
- South Korea
- China
- Thailand
- Taiwan
- Iran
As part of reconnaissance activities, the threat actor left behind the target URL lists they used with several tools, separated by country:
- ./vulmap/kk.txt – Korean IPs and Domains
- ./vulmap/kr.txt – Korean IPs and Domains
- ./vulmap/hh.txt – Various Countries IPs and Domains
- ./vulmap/wb.txt – Iranian IPs and Domains
- ./vulmap/ww.txt – Iranian IPs and Domains
- ./weaver_exp/uu.txt – Chinese IPs and Domains
- ./WebLogicScan/target.txt – Iranian IPs and Domains
- ./WebLogicScan/kk.txt – South Korean IPs and Domains
- ./tt.txt – Saved HTTP request to a Thai police website
Of the targeted countries, China, South Korea, and Iran were most frequently observed.
Industries
While we note the following industries below, we assess the threat actor was not targeting specific industries in this case.
- Government
- Education
- Health
- Logistics
Infrastructure
The open directory we initially investigated had the following attributes:
8000/opendir
  Server: SimpleHTTP/0.6 Python/3.8.10
28888/mitmproxy
  SSL Cert Issuer: CN=mitmproxy, O=mitmproxy
  SSL Cert Subject: CN=163.53.216.157
  JA3S: 15af977ce25de452b96affa2addb1036
55918/SSH
  Fingerprint SHA256: 1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1
  SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11
60000/Viper
  SSL Cert Issuer: C=CN, ST=0d72da0c, L=0d72da0c, O=0d72da0c, OU=0d72da0c, CN=0d72da0c
  SSL Cert Subject: C=CN, ST=d1d38ec9, L=d1d38ec9, O=d1d38ec9, OU=d1d38ec9, CN=d1d38ec9
  JA3S: 475c9302dc42b2751db9edcac3b74891
The opendir had the following in the root directory:
When searching in Censys for further hosts with the same SSH Fingerprint, there were eight results all with similar open services.
services.ssh.server_host_key.fingerprint_sha256: 1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1
Based on the fingerprints of these servers and shared opendir content, we assess the following IPs were used to proxy the threat actor’s back end infrastructure at various points in time:
- 43.228.89.245
- 43.228.89.246
- 43.228.89.247
- 43.228.89.248
- 103.228.108.247
- 115.126.107.244
- 116.212.120.32
- 163.53.216.157
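The SSH host-key pivot above works because every host in the cluster presents the same server key, so the same SHA-256 fingerprint appears in Censys for all eight. One practical snag when hunting for that key yourself is that Censys reports the fingerprint as hex, while ssh-keyscan and ssh-keygen -lf print it as "SHA256:" followed by unpadded base64 of the same digest. The script below is an added example, not tooling from the report: it computes the fingerprint of a host key the way OpenSSH does (SHA-256 over the raw key blob), converts between the two forms, and checks scan results against a watchlist. The only real value it carries is the fingerprint from the Censys query above; the host key in the sample ssh-keyscan output is a constructed placeholder, not a key from the actor's infrastructure.

```python
"""Normalise SSH host-key fingerprints between the hex form Censys reports
(services.ssh.server_host_key.fingerprint_sha256) and the 'SHA256:<base64>'
form printed by ssh-keygen -lf / ssh-keyscan, and match scan results against a
watchlist. Added example, not from the report; the sample key is constructed."""
import base64
import hashlib
import struct
from typing import Dict, List, Optional

# The one real value here: the host-key fingerprint the report pivoted on in Censys.
WATCHLIST_HEX: Dict[str, str] = {
    "1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1":
        "shared host key across the eight-IP proxy cluster",
}


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob as it appears base64-encoded in ssh-keyscan / authorized_keys lines."""
    if len(raw_pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint_hex(blob: bytes) -> str:
    """Censys-style fingerprint: hex SHA-256 over the raw key blob."""
    return hashlib.sha256(blob).hexdigest()


def hex_to_openssh(fp_hex: str) -> str:
    """hex -> 'SHA256:<base64 without padding>', the form ssh-keygen -lf prints."""
    return "SHA256:" + base64.b64encode(bytes.fromhex(fp_hex)).decode().rstrip("=")


def openssh_to_hex(fp: str) -> str:
    """'SHA256:<base64>' -> hex, restoring the stripped base64 padding first."""
    b64 = fp.split(":", 1)[1]
    b64 += "=" * (-len(b64) % 4)
    return base64.b64decode(b64).hex()


def lookup(fp: str) -> Optional[str]:
    """Accept either fingerprint form; return the watchlist label or None."""
    fp_hex = openssh_to_hex(fp) if fp.startswith("SHA256:") else fp.lower()
    return WATCHLIST_HEX.get(fp_hex)


def match_keyscan(lines: List[str]) -> List[dict]:
    """Parse 'host keytype base64blob' lines from ssh-keyscan and fingerprint each.
    Lines starting with '#' are the banner comments ssh-keyscan emits."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        fp_hex = fingerprint_hex(base64.b64decode(b64))
        results.append({
            "host": host,
            "keytype": keytype,
            "sha256_hex": fp_hex,
            "openssh": hex_to_openssh(fp_hex),
            "watchlist": lookup(fp_hex),
        })
    return results


# Constructed sample ssh-keyscan output: banner comment plus one host on a
# non-default port. The key bytes are a placeholder pattern, so it will not match.
_SAMPLE_BLOB = ed25519_blob(bytes(range(32)))
SAMPLE_KEYSCAN = [
    "# 192.0.2.10:55918 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.11",
    "[192.0.2.10]:55918 ssh-ed25519 " + base64.b64encode(_SAMPLE_BLOB).decode(),
]

if __name__ == "__main__":
    for rec in match_keyscan(SAMPLE_KEYSCAN):
        print(rec["host"], rec["openssh"], rec["watchlist"] or "no match")
    for fp_hex in WATCHLIST_HEX:
        print("watch for:", fp_hex, "=", hex_to_openssh(fp_hex))
```

In practice you would feed it the output of ssh-keyscan -p 55918 against hosts of interest, or a firewall's recorded host keys, and compare against the hex values exported from a Censys search; the conversion in both directions means a single watchlist can be kept in whichever form your tooling prefers.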
All of the IP addresses were associated with the same ISP, Forewin Telecom Group Limited. While we did not have access to the entire system, we did find ‘.viminfo’ register artifacts which suggest these IPs were specifically added through Vim to a file on the device:
When reviewing the Viper access logs, the initial service was listening on the domain fgfg.bcfnwg.cc:60000. This domain was registered with NameSilo on 2023-02-07T16:16:06Z:
Based on the access and usage of Viper in the access.log of the server, we identified 101.36.124.183 as the IP address the threat actor was using at the time.
When pivoting on that IP, it appears to be a proxy.
f8x
f8x is a setup script that The DFIR Report has observed on various threat actor controlled infrastructure. It is used to automate the setup of infrastructure by installing security tooling and dependencies.
In this case the threat actor simply curl-ed the script from f8x.io and executed it with the -all and -viper switches:
curl -o f8x https://f8x.io/
chmod +X f8x
bash f8x -all
bash f8x -viper
According to the GitHub documentation, there are several other options that can be supplied such as:
Adversary
Based on the tooling and evidence available, the threat actor is Chinese speaking.
The Telegram channel mentioned in the modified ransom note is hXXps://t.me/You_Dun, which was created on 09 January 2024 (since deleted):
Just as many other threat actors claim to be innocent “pentesters”, this group is no different:
Reviewing their Telegram channel, they post their various escapades such as defacements and data leaks.
The administrator of this group, as seen above, goes by “EVA” and the Telegram tag @YD099 (ID: 6392878812).
Further analysis of the Telegram group identified two more groups related to hxxps://t.me/You_Dun:
- hxxps://t.me/You_Dun888
- hxxps://t.me/juxingchuhai
You_Dun888 is a group channel that claims to provide various services including penetration testing, selling data, DDOS and more.
Proofs of defacements and compromises also appear in the You_Dun888 group under the name “Dark Cloud Shield”.
The Telegram channel @xuanshang posted an advertisement to their chat which included similar wording to the other channels’ bios and a link to You_Dun777 (since deleted).