An operation run by the China-based cybercrime gang known as DoubleGun Group, which had amassed hundreds of thousands of bots controlled via public cloud services including Alibaba and Baidu Tieba, has been disrupted.
NetLab 360 researchers, in a recent post, said that they noticed DNS activity in their telemetry that traced back to a suspicious domain (pro.csocools[dot]com) controlling large numbers of infected Windows devices. Analysis of the operation's command-and-control (C2) infrastructure and of the malware used to build the botnet showed that the effort could be attributed to a known threat group – DoubleGun, a.k.a. ShuangQiang.
“In the past, this [group] has been exposed by multiple security vendors, but it has revived and come back with new methods and great force,” NetLab 360 researchers wrote.
The latest campaign spread malware via pirate gaming portals, they added. Meanwhile, the gang used Alibaba Cloud storage and China’s largest online community, Baidu Tieba, to host configuration files; and URL addresses hosted by Tencent Weiyun were used to manage the activity of the infected hosts, researchers said.
“The campaign lures users who play underground games to install game-launching software that contains malicious code,” according to the analysis. “Clicking the download link will jump to a corresponding private server homepage where users are supposed to be able to download a game-launching patch. When a user installs and launches the ‘patch,’ the malicious code accesses the configuration information server, and then downloads and dynamically loads the latest version of the malicious program named cs.dll from Baidu Tieba.”
Under the Hood
The file cs.dll is hidden in image files hosted on Baidu Tieba. Each image contains separate image data and malicious code data. The key string in cs.dll also uses a deformed and customized DES encryption method, which is highly similar to DoubleGun samples that the researchers have captured before, they said.
“cs.dll will perform some simple virtual machine and anti-software countermeasures, and use the Baidu statistics service to report bot information [to the C2],” according to the analysis. “[It uses] the system API to create the bot ID of the host and write it to the registry ‘SOFTWARE\PCID.'”
After the bot ID is established, the DoubleGun Group used standard fields within the Baidu statistics interface to report sensitive information about the host.
“Because Baidu statistical service is used by a large number of websites, it is difficult to distinguish it, which makes it more difficult for security vendors to see and take action,” the researchers explained. “The interface gives the bot author the ability to upload statistics scripts this.b.v, user cookies, Bot ID and other statistical information so the author can easily manage and assess the infected users.”
A third-stage driver is then deployed, which fetches additional configuration information, also obfuscated with deformed DES encryption.
“After decryption, you can see that the configuration information uses a custom format,” said the researchers. “Two Baidu pictures form a group, and the valid data is intercepted and stitched into a valid file. All configuration information returned by the driver samples contains a Tencent Weiyun address. This looks like a strategy for dynamically generating configuration file server addresses. We speculate that it may be a function in the development stage, so the sample code does not contain the corresponding code yet.”
Once the malware is installed, the operators were then able to hijack system processes and download subsequent malicious programs.
“The DLL obtains the configuration server related information by calling the driver,” according to researchers. “According to the downloaded configuration information, it goes to Baidu Tieba to download other malicious code to carry out the next stage of malicious activities.”
All of the service providers involved took action against the abuse, according to NetLab 360, helping to shut down the campaign.
“Based on the massive threat intelligence, Baidu security anti-underground-economy platform took cooperative actions to calculate the botnet’s infection, provide risk warnings to infected users and eventually blocked all the malware downloads,” according to a media statement from Baidu. “During this joint action, we had a better understanding of DoubleGun Gang’s technical means, logic and rules, by sharing, analyzing and responding to the related threat intelligence.”