Analysis of the Large-scale Attack Activities Launched by the “Swimming Snake” Cybercrime Gang against Domestic Users

The original report is in Chinese, and this version is an AI-translated edition.

1.Overview of the gang

The “Swimming Snake” criminal gang has been active since the second half of 2022 and launched a large number of attacks against domestic users. The gang spread malicious programs through various means such as phishing emails, fake electronic bill download sites, fake application download sites, and social networking software, etc. After the malicious programs are deployed, they obtain multiple payload files from the attacker’s server and use the “white plus black” method to load malicious payloads by leveraging NetSarang series tools, Tencent game-related programs, etc. They create scheduled tasks using COM components and release and execute the Gh0st remote control Trojan variant after multiple layers of decoding. This criminal gang spreads malicious programs through various channels, launching a large number of attacks against domestic users within a short period of time, and frequently changing server addresses. The downloaded payload files have all been obfuscated to evade the detection of security products. Therefore, Antiy CERT named it “Swimming Snake”.

Table 1-1 Overview of the criminal gang 

Overview of the gangDescription
Name of the gangSwimming Snakes
Main modes of transmissionPhishing mail, fake electronic bill download site, fake application download site, social software
Time of occurrence and active timeActive since the second half of 2022
The targeting systemWindows
Main Technical FeaturesUsing malicious downloader to obtain a payload file; The malicious load is loaded by means of “white plus black.” Obtaining the C2 address by using the downloaded configuration file; Remote control by using the variant of Gh0st remote control Trojan.
InfrastructureMalicious payload files are often hosted in directories such as “picuress / 2022,” “picuress / 2023,” “images” in their servers, and the frequency of changing server addresses is high.

Based on experience, the email protection module of Antiy Endpoint Detection and Response System (Antiyi EDR) can accurately identify phishing emails in this event; Antiy IEP can effectively detect and eliminate malicious software such as malicious downloaders and remote control Trojans.

2.Technical sorting of the gang

2.1 Mode of transmission

This criminal gang has recently been frequently spreading malicious programs through phishing emails. The subject lines of these emails are usually related to electronic invoices. The content of the phishing emails is as follows:

您于xxxx年x月x日开具的充值电子发票,票据信息如下: 开票日期:[日期] 发票金额:[金额] 发票代码:[代码] 发票号码:[号码] 发票明细

“The invoice details” is a hyperlink that leads to a fake electronic invoice download site created by the attacker. The compressed file provided for download on this website contains malicious programs.

Figure 2-1 A counterfeit bill download site

In addition, this criminal gang also spreads malicious programs through various means such as fake application download sites and social software. After obtaining control of the victim’s host, they further conduct remote control over the host, impersonate the victim and use social software to send the malicious program, thereby enabling the malicious program to spread more widely.

Table 2-1 Names of some phishing files

File name
这几笔错误的账单我圈出来了 你看看.zip
交易对接总额详细报表.rar
USDT回款清单.exe
2023年国务院税务总局最新政策计划.zip
下发明细.exe
出入款对接报表.rar
Telegramzh_CN 官方中文语言包.exe
Letsvpnlatest最新vpn客户端电脑版.zip
点击安装简体中文语言包.exe
Telegram_zh_CN.rar1.exe

The gang typically hosted malicious payload files under directories such as “picuress/2022,” “picuress/2023,” “images” in its servers, and changed server addresses more frequently.

Table 2-2: URLs for hosting malicious payloads

URL
Http [:] / frp.freefrp.net / images
Http [:] / / info.0a305ffb2a1d41f6870eac02f9afce89.xyz / images
Http [:] / datacache.cloudservicesdevc.tk / picturess / 2023
Http [:] / imgcache.cloudservicesdevc.tk / picturess / 2023
Http [:] / nbs2012.novadector.xyz / picturess / 2023

2.2 Execution flow of malicious program

The malicious programs deployed by this criminal gang obtain multiple payload files from the attacker’s server. The obtained payload files are mainly divided into two categories, and their loading methods and execution processes are also different.

2.2.1 Type I of the payload file

  1. Execute malicious Shellcode using the update program (tu _ rt.exe) of the NetSarang family of tools;
  2. Using COM components to create scheduled tasks masquerading as related services of applications such as Xunlei, in order to implement persistence mechanism;
  3. After multiple layers of decoding, the Gh0st remote control Trojan variant is released and executed in memory. The content of the downloaded setting.ini file is read to obtain the C2 address, and then a connection is established with the C2 address to remotely control the victim host.

2.2.2  Type II of the payload file

  1. The malicious program decodes the instruction to merge the two downloaded payload files into TASLoginBase.dll.
  2. Execute TASLoginBase.dll by using Tencent game related program (TASLogin.exe);
  3. After multiple layers of decoding, the Gh0st remote control Trojan variant is released and executed in memory. The content of the downloaded setting.ini file is read to obtain the C2 address, and then a connection is established with the C2 address to remotely control the victim host.

3.Sample analysis

3.1 Type I of the payload file

After the sample program runs, the DLL file is retrieved from the C2 server and loaded into memory for execution. The DLL file then downloads multiple payload files from the specified URL and executes the 25638. exe program.

Table 3-1 List of downloaded files

File nameFunctions
%ProgramData%\setting.iniSave the address of the C2 server
%ProgramFiles(x86)%\25638\25638.exeUpdate Program for Series Tools of NetSarang Company
%ProgramFiles(x86)%\25638\25638.datThe attacker adds malicious Shellcode in the file “_ TUProj. dat,” and executes malicious Shellcode using “white plus black.
%ProgramFiles(x86)%\25638\Media.xmlThe DLL file that lost its header, used to create the scheduled task
%ProgramFiles(x86)%\svchost\svchost.exeIdentical program to 25638. exe
%ProgramFiles(x86)%\svchost\svchost.datIdentical file to 25638. dat
%ProgramFiles(x86)%\svchost\Media.xmlThe DLL file that lost its header, used to decode update.log
%ProgramFiles(x86)%\svchost\update.logAfter multi-layer decoding, the final payload is obtained

25638.exe (originally named tu_rt.exe) is an update program for the series of tools of NetSarang Company. It has a normal digital signature. After running, it will use the built-in password to parse the dat file with the same name in the same directory, and execute the “_TUProj.dat” file within it. Attackers take advantage of this feature, adding malicious code to the “_TUProj.dat” file and using the white-on-black technique to execute the malicious Shellcode.

Figure 3-1 Execution of a malicious Shellcode

After the malicious Shellcode is executed, it reads the content of the Media.xml file in the same directory. It then restores the file header to that of a DLL file and loads it into memory for execution. The Media.xml files in the 25638 folder and the svchost folder are two different payload files. The former, after restoration, uses a COM component to create a scheduled task and disguises itself as a related service of Thunder; the latter, after restoration, reads the update.log file in the same directory, and after multiple layers of decoding, ultimately executes the Gh0st remote control Trojan variant.

Figure 3-2 Creating a scheduled task using the COM component

3.2 Type II of the payload file

Some other malicious programs released by this gang will download another set of payload files.Table 3-2 List of downloaded files

File nameFunctions
%ProgramData%\setting.iniSave the address of the C2 server
%Public%\Documents\update.lnkShortcut to execute dllhosts.exe
%Public%\Documents\dllhosts.exeTencent Game Related Programs
%Public%\Documents\MZ.txtAfter merging, it becomes a malicious TASLoginBase.dll file, and the malicious DLL is executed by using “white plus black.
%Public%\Documents\TAS.txt
%Public%\Documents\update.logAfter multi-layer decoding, the final payload is obtained

The malicious program decodes the instructions to merge the MZ.txt and TAS.txt files into the TASLoginBase.dll file. It then executes the dllhosts.exe program using the update.lnk shortcut. The original name of this program is TASLogin.exe and it has a digital signature, making it a normal program. The attacker loads the malicious TASLoginBase.dll file from the same directory using the “white plus black” method, reads the update.log file, and ultimately executes the Gh0st remote control Trojan variant.

Figure 3-3 Loads a malicious DLL file in the “white plus black” mode

3.3 Read the configuration file to get the C2 address

The Gh0st remote control Trojan variant used by the gang obtains the C2 address according to the downloaded% ProgramData%\ setting.ini file, so as to remote control the victim host.

Figure 3-4 Read the setting.ini file to get the C2 address

4.Recommendations for protection

In order to effectively prevent such attacks and enhance the level of security protection, Antiy recommends the following protective measures to be taken by government and business organizations:

4.1 Identify phishing mail

  1. Check the sender of the email: Be vigilant of emails sent by non-affiliated organizations with the same subject.
  2. Check the recipient’s address: Be cautious of mass emails. Contact the sender for confirmation.
  3. Check the sending time: Be vigilant of emails sent outside working hours.
  4. Check the email subject: Be cautious of emails with keywords such as “order”, “bill”, “wage subsidy”, “purchase” in the subject.
  5. Check the wording of the body: Be vigilant of emails with overly general greetings such as “Dear”, “Dear User”, “Dear Colleague”.
  6. Check the purpose of the body: Be cautious of emails asking for email account and password under the pretext of “system upgrade”, “system maintenance”, “security settings”.
  7. Check the content of the body: Be vigilant of web links attached, especially short links.
  8. Check the content of the attachment: Before viewing, use anti-virus software to scan and detect viruses in the attachment.

4.2 Protection of website dissemination

  1. It is recommended to use the genuine software downloaded from the official website. If there is no official website, it is suggested to download from a trusted source, and scan it with anti-virus software after downloading;
  2. It is recommended to use the sandbox environment to execute suspicious files, and then use the host computer to execute the files with security. Based on the combination of deep static analysis and dynamic loading of sandbox, Antiy PTA can effectively detect, analyze and identify all kinds of known and unknown threats.

4.3 Government, enterprise and institutional protection

  1. Install the endpoint protection software: Install the anti-virus software, and it is recommended to install the Antiy IEP;
  2. Strengthen password strength: Avoid using weak passwords, and recommend using 16-digit or longer passwords, including combinations of upper and lower case letters, numbers and symbols, and avoid using the same password for multiple servers;
  3. Deployment of Intrusion Detection System (IDS): Deployment of traffic monitoring software or equipment to facilitate the discovery, tracing and tracking of malware. Taking network traffic as the detection and analysis object, Antiy PTD can accurately detect a mass of known malware and network attack activities, and effectively detect suspicious behaviors, assets and various unknown threats on the network;
  4. Security service: In case of malware attack, it is suggested to isolate the attacked host in time, and protect the site and wait for the security engineer to check the computer; 7 * 24 service hotline: 400-840-9234.

Based on experience, the email protection module of Antiy Endpoint Detection and Response System (Antiyi EDR) can accurately identify this phishing email; the Antiy IEP can effectively detect and eliminate malicious downloaders and remote control Trojans and other malicious software, as well as provide practical protection for the user’s terminal.

Figure 4-1 The EDR email protection module of Antiy IEP accurately identifies the phishing email – The Client

Figure 4-2 The EDR email protection module of Antiy IEP accurately identifies the phishing email – Server

Figure 4-3 The effective protection of the user system implemented by Antiy IEP

5.ATT&CK Mapping graph of the event

For the attacker to deliver the complete process of secret Trojan, Antiy combing the attack event corresponding to the ATT&CK mapping graph shown in the following figure.

Figure 5-1 Mapping of Technical Features to ATT&CK

The technology points used by the attacker are shown in the table below.

Table 5-1 Description of ATT&CK technical behavior corresponding to the event  

ATT&CK stages / categoriesSpecific behaviorNotes
Resource developmentAccess to infrastructureGets the C2 server
Environmental preparationManaged malicious payload
ExecutionUsing command and script interpretersExecute a program using commands and script files
Inducing the user to executeUse the phishing file to induce the user to execute
PersistenceUtilization of planned tasks / jobsCreate a scheduled task using a COM component
Defensive evasionAnti-obfuscate / decode files or informationDecode payload information
Remove beaconsDelete the downloaded payload file
CounterfeitImpersonating other applications
Confusion of documents or informationMix up load information
Implement using a trusted development tool“White plus black” mode to load malicious payload
FindingsDiscover the application windowDiscover the application window
Find files and directoriesFind files and directories
Discovery ProcessTraversal to find the security product process
Query the registryQuery the registry
Discovery system network configurationDiscovery system network configuration
Discover the system network connectionDiscover the system network connection
Discovery of system servicesDiscovery of system services
System discovery timeSystem discovery time
CollectionTo compress / encrypt the collected dataEncrypt the collected data
Automatic collectionAutomatic collection of host information
Collect local system dataCollect local system data
Temporary storage of dataTemporary storage of data
Command and controlEncoded dataEncoded data
Standard non-application layer protocols are usedUse the TCP protocol
Data seeps outAutomatically seeps out dataAutomatically seeps out data
The C2 channel is used for backtransmissionThe C2 channel is used for backtransmission
ImpactDamage dataDelete the specified data
Manipulation of dataManipulation of data
Tampering with the visible contentTampering with the visible content
System shutdown / restartSystem shutdown / restart

6.IoCs

IoCs
Fac6a0419c8288b58b1edb0bf6e017b8
9dbe476cafd45cc08ae2b1e6e5ed1739
9050ac019b4c8dddbc5e250bb87cf9f2
4ae5e8bdd68861df10f01fe268859588
3668799602e1e5b94bf893141b4b76e6
Aabd7d9de6c3c6fc4f639b8d664ae87c
8c4862a32095d0b71fcf8fb0b244161a
E22b83f968d67ec368d899246ff8cab7
6655b2bd93e70a2804e983b279ab473
Ac6ad5d9b99757c3a878f2d275ace198
B1b63759909a89f90f90f736cb35f188747
Efbb79c0088e0f0e41d42becbcf2ca87
8305b3aaa33fb9ca2e07e165b2030a33
Http [:] / frp.freefrp.net / images
Http [:] / / info.0a305ffb2a1d41f6870eac02f9afce89.xyz / images
Http [:] / datacache.cloudservicesdevc.tk / picturess / 2023
Http [:] / imgcache.cloudservicesdevc.tk / picturess / 2023
Http [:] / nbs2012.novadector.xyz / picturess / 2023
Http [:] / / luthj.sbs / home.html
Http [:] / swqe.sbs / home.html
Http [:] / / ajvloi.com / home.html
Http [:] / / mrty.sbs / home.html
Http [:] / iyhf.sbs / home.html
Http [:] / bhre.sbs / home.html
Http [:] / iyhf.sbs / home.html
Https [:] / / klianvpn.xyz
Http [:] / www.cuoso.vip
61.160.221.100
154.13.6.172
43.154.83.246
123.99.198.123
154.39.239.48
45.204.2.166

Appendix: About Antiy

Antiy is committed to enhancing the network security defense capabilities of its customers and effectively responding to security threats. Through more than 20 years of independent research and development, Antiy has developed technological leadership in areas such as threat detection engines, advanced threat countermeasures, and large-scale threat automation analysis.

Antiy has developed IEP (Intelligent Endpoint Protection System) security product family for PC, server and other system environments, as well as UWP (Unified Workload Protect) security products for cloud hosts, container and other system environments, providing system security capabilities including endpoint antivirus, endpoint protection (EPP), endpoint detection and response (EDR), and Cloud Workload Protection Platform (CWPP) , etc. Antiy has established a closed-loop product system of threat countermeasures based on its threat intelligence and threat detection capabilities, achieving perception, retardation, blocking and presentation of the advanced threats through products such as the Persistent Threat Detection System (PTD), Persistent Threat Analysis System (PTA), Attack Capture System (ACS), and TDS. For web and business security scenarios, Antiy has launched the PTF Next-generation Web Application and API Protection System (WAAP) and SCS Code Security Detection System to help customers shift their security capabilities to the left in the DevOps process. At the same time, it has developed four major kinds of security service: network attack and defense logic deduction, in-depth threat hunting, security threat inspection, and regular security operations. Through the Threat Confrontation Operation Platform (XDR), multiple security products and services are integrated to effectively support the upgrade of comprehensive threat confrontation capabilities.

Antiy provides comprehensive security solutions for clients with high security requirements, including network and information authorities, military forces, ministries, confidential industries, and critical information infrastructure. Antiy has participated in the security work of major national political and social events since 2005 and has won honors such as the Outstanding Contribution Award and Advanced Security Group. Since 2015, Antiy’s products and services have provided security support for major spaceflight missions including manned spaceflight, lunar exploration, and space station docking, as well as significant missions such as the maiden flight of large aircraft, escort of main force ships, and Antarctic scientific research. We have received several thank-you letters from relevant departments.

Antiy is a core enabler of the global fundamental security supply chain. Nearly a hundred of the world’s leading security and IT enterprises have chosen Antiy as their partner of detection capability. At present, Antiy’s threat detection engine provides security detection capabilities for over 1.3 million network devices and over 3 billion smart terminal devices worldwide, which has become a “national-level” engine. As of now, Antiy has filed 1,877 patents in the field of cybersecurity and obtained 936 patents. It has been awarded the title of National Intellectual Property Advantage Enterprise and the 17th (2015) China Patent Excellence Award.

Antiy is an important enterprise node in China emergency response system and has provided early warning and comprehensive emergency response in major security threats and virus outbreaks such as “Code Red”, “Dvldr”, “Heartbleed”, “Bash Shellcode” and “WannaCry”. Antiy conducts continuous monitoring and in-depth analysis against dozens of advanced cyberspce threat actors (APT groups) such as “Equation”, “White Elephant”, “Lotus” and “Greenspot” and their attack actions, assisting customers to form effective protection when the enemy situation is accurately predicted.