Analysis of the recent attack activities by the “SwimSnake” black-market group targeting finance personnel and e-commerce customer service

November 27, 2023 By Antiy PTA Team Security Response -

1.Overview

Recently, Antiy CERT has detected a new round of phishing attacks by the “SwimSnake” black-market group (associated with the “Silver Fox” gang), targeting finance personnel and customer service representatives of small businesses on platforms such as Kuaishou, Douyin, WeChat Video Accounts, Xiaohongshu, and others. In this wave of attacks, the group disguises malicious programs as document files, packaging them into compressed files. They propagate these files through a pattern involving the black-market group, intermediaries, recruitment of members, and targeting, ultimately luring users into execution and gaining remote control over the compromised host.
In this recent attack campaign, Antiy CERT has captured two types of .NET malicious programs. The first type of malware is deployed against finance personnel and functions as a loader. After execution, it releases two layers of malicious payloads, ultimately executing the Gh0st remote control trojan. The second type of malware is deployed against customer service representatives of small businesses and is a controlled-end program generated using a certain open-source remote control project.
Antiy CERT, in its “Special Analysis Report on the ‘SwimSnake Game’ Cybercriminal Group”, has revealed the common fraud tactics and monetization methods employed by this black-market group. Currently, the group has narrowed its focus on various finance personnel and e-commerce customer service representatives, carrying out phishing attacks and subsequent fraudulent activities upon successful infection.
Following attacks on finance personnel, the group primarily takes control by having the compromised finance personnel add counterfeit accounts on WeChat. They then impersonate leadership figures to induce the finance personnel to make unauthorized transfers. In the case of attacks on customer service representatives of small businesses and other e-commerce platforms, the group mainly gains control by using customer service WeChat accounts to maliciously create groups and impersonate customer service personnel, engaging in fraudulent activities with their customers.
It has been verified that the Antiy Intelligent Endpoint Protection System (IEP) can effectively detect and eliminate the mentioned remote control trojans.
The Antiy Security Threat Inspection Tool is capable of detecting the “SwimSnake ” trojan, and the ATool System Security Kernel Analysis Tool can identify and remove the “SwimSnake” trojan (refer to Chapters Four and Five for details).

2.Correlation analysis

In this recent wave of attack activities, the “SwimSnake” black-market group has narrowed its focus, primarily targeting various finance personnel and customer service representatives of small businesses on platforms such as Kuaishou, Douyin, WeChat Video Accounts, Xiaohongshu, and others through phishing attacks.

Figure 2.1 Phishing attacks targeted at finance personnel

When targeting customer service representatives of small businesses on platforms like Kuaishou, Douyin, WeChat Video Accounts, Xiaohongshu, the black-market group also includes in their issued tasks a limitation on the sales volume of the target merchant’s store. They determine the success of the infection based on whether the victim’s computer has the management backend for the merchant.

Figure 2.2 Relevant tasks issued by the black-market group.

Combining the insights from the “Special Analysis Report on the ‘SwimSnake’ Cybercriminal Group” and the common fraud tactics outlined, Antiy CERT speculates that after targeting finance personnel, the group primarily gains control by having compromised finance personnel add counterfeit accounts on WeChat. They then impersonate leadership figures to induce the finance personnel to make unauthorized transfers. In the case of attacks on customer service representatives of small businesses and other e-commerce platforms, the group mainly takes control by using customer service WeChat accounts to maliciously create groups and impersonate customer service personnel, engaging in fraudulent activities with their customers.

3.Sample analysis

In this instance, Antiy CERT has captured two malicious programs, both coded in .NET. The first malware, deployed against finance personnel, functions as a malicious loader. Upon execution, it releases two layers of malicious payloads and ultimately executes the Gh0st remote control trojan. The second malware, deployed against customer service representatives of small businesses, is a controlled-end program generated using a certain open-source remote control project.

3.1 The First Malicious Program

This program undergoes obfuscation, where the attacker pre-embeds an encrypted payload into the program’s resources. After execution, the program uses the AES algorithm to decrypt this resource, obtaining Payload 1, and subsequently loads and executes it.

Figure 3.1 Decrypting Payload 1 using the AES algorithm

Following this, the program executes a question-and-answer selection interface written in Thai, designed to confuse users.

Figure 3.2 Questionnaire Interface written in Thai

3.1.1 Payload 1

Payload 1 is coded in .NET and has undergone obfuscation. After execution, it modifies registry entries to disable security notifications, turn off User Account Control (UAC), and adds the path of the malicious program to the Windows Defender exclusion list to evade detection.

Figure 3.3 Evasion Techniques employed by Payload 1

Similarly, Payload 1 uses the AES algorithm to decrypt files within the resources, obtaining Payload 2. It creates a process for C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe and injects Payload 2 into that process.

Figure 3.4 Injecting the decrypted Payload 2 into the jsc.exe process

3.1.2 Payload 2

Payload 2 is coded in VC++ 6.0. After execution, it decrypts the content at file offset 0x804C, writes the decrypted final payload into memory, and executes the exported ***you function within it.

Figure 3.5 Decrypting the final payload and writing it into memory for execution by Payload 2

3.1.3 Final Payload

The final payload is a variant of the Gh0st remote control trojan, equipped with functionalities such as downloading and executing other files, monitoring the clipboard, keylogging, remote control, etc. It employs a specified XOR algorithm for encrypting and decrypting communication messages.

Figure 3.6 Encrypting communication messages using the XOR algorithm

3.2 The Second Malicious Program

The program’s tail contains configuration information such as UID, C2 address, and service name. After execution, it retrieves the current time, reads data from the program’s tail to initialize configuration information, and based on this information, decides whether to install a service, achieve startup on boot, hide files, and create a mutex.

Figure 3.7 Initializing configuration information

Through correlation analysis, it has been determined that this program is a controlled-end program generated using an open-source remote control management project.

Figure 3.8 Code comparison

The program collects basic information, such as the victim host’s IP address, computer name, memory size, username, operating system version, installed antivirus software, etc., to construct the online package.

Figure 3.9 Collecting basic information from the victim host to construct the online package

The program serializes and compresses the constructed online package before sending it to the C2 server.

Figure 3.10 Serializing and compressing the online package

The program possesses various functionalities, including remote voice, file management, keyboard input recording, registry management, remote desktop, cmd command execution, startup item management, system management, TCP connection management, remote monitoring of the camera, downloading and executing other programs, and more.