Analysis of the Suspected APT Attack Activities by “Silver Fox”

Knownsec 404 team
Jul 9, 2024


Author: Knownsec 404 Advanced Threat Intelligence Team
Chinese version: https://paper.seebug.org/3192/

1 Overview

During routine monitoring, Knownsec 404 Advanced Threat Intelligence Team recently discovered a phishing website impersonating critical national institutions and the employee systems of cybersecurity companies. Through this website we captured a batch of samples and eventually confirmed that they are most likely the Winos remote-control trojan commonly used by the Silver Fox group. Unlike previous exposures, several of these samples are protected with VMProtect (VMP) to hinder code analysis, and the impersonated targets differ sharply from past behavior. Silver Fox previously targeted tax and finance personnel by impersonating tax-related links and websites; this time the focus has shifted directly to national institutions and security companies. This shift compels us to reassess the group’s purpose: is it merely a criminal organization, or is an APT operation lurking behind the scenes?

As analysis and tracing of the samples deepened, we also found a PowerShell obfuscation tool (Out-EncodedSpecialCharOnlyCommand) alongside the samples, as well as a previously unexposed downloader trojan. The following sections describe the recent activities of the Silver Fox group in detail.

2 Background of the organization

Since 2022, the Silver Fox cybercrime group has become increasingly active, typically distributing trojans widely through channels such as email, phishing websites, and instant-messaging software. In recent years it has focused on key positions within enterprises and institutions, such as finance, accounting, and sales, attempting to profit illicitly from the resulting access. Security vendors generally describe the group as an organization engaged in cybercrime.

3 Synthesis of samples

The discovery of this recent Silver Fox attack started with our tracking of a phishing website that impersonated critical national institution websites, as shown in the image below.

Additionally, we found a phishing page impersonating an employee system of a certain cybersecurity company within the same asset, as shown in the image below.

During our tracking process, we discovered a large number of malicious files associated with this website. In terms of timing, this attack activity was most active in June.

The malicious files are mainly the Winos trojan, the UpdateDll downloader, and the PowerShell obfuscation tool Out-EncodedSpecialCharOnlyCommand. Winos is a payload the Silver Fox group has used repeatedly in previous attacks on tax and finance personnel, so this analysis covers only what has changed in it.

3.1 Analysis of Winos

The attackers have disguised the sample as the 360 Chrome browser; both its icon and its file properties support the deception.

The current Winos samples all use VMP (VMProtect) for code protection, aimed at thwarting analysis by security personnel.

The registry entry where the shellcode is stored in this instance is “HKCU\Console\huorongniubi”.

The functionality and code flow in other parts are almost the same as previously exposed versions, so we won’t repeat them here.

3.2 Description of UpdateDll downloader Function

The initial sample, originally named Simple_ATL.DLL, primarily writes hardcoded data into C:\Windows\system32\UpdateDll.dll and then executes it with rundll32. The details are as follows:

It first writes the “MZ” header into UpdateDll.dll, then reads the remaining data from a fixed offset in its own body and appends it to the file:

It then uses rundll32 to load UpdateDll.dll and call its UpdateMyDll export.

The main job of the UpdateMyDll export is to download a DLL from a hardcoded address and execute it. Before downloading, it checks whether the target file already exists; if it does, execution ends. If not, it requests a small response from a hardcoded URL that states the length of the data to be downloaded next.

It then downloads the DLL and checks that its size matches the length obtained earlier. If the sizes do not match, the DLL is deleted; if they match, it is loaded and executed with rundll32. Size is the only check the downloader performs before executing the payload.
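The chain above (UpdateDll.dll dropped into System32, rundll32 calling UpdateMyDll, the Winos shellcode cached under HKCU\Console, and a connection to the C2 hosts from the IOC section) leaves a recognizable footprint in endpoint telemetry. The following is an added hunting example written for this write-up, not code from the report or from the samples. It runs Sysmon-style rules over constructed events (not real logs); the field names follow Sysmon's process-create, network-connect, file-create and registry-value-set events, the dropper name `360chrome.exe` is an assumption, and the "binary value under HKCU\Console" heuristic is ours, not something the report states.

```python
"""Hunt for the UpdateDll downloader / Winos chain in Sysmon-style telemetry.

Added example for this write-up; not code from the report or the samples.
Field names follow Sysmon (EventID 1 process create, 3 network connect,
11 file create, 13 registry value set). Events are constructed to mirror the
behaviour the report describes; the dropper name 360chrome.exe is assumed.
"""
import re
from typing import Callable, Dict, List, Tuple

# Indicators from the report's IOC list (hostnames; ports differ per sample).
C2_HOSTS = {"6014.anonymousrat5.com", "6014.anonymousrat6.com", "6014.anonymousrat7.com"}
DROPPED_DLL = r"\windows\system32\updatedll.dll"
RUNDLL32_EXPORT = "updatemydll"

# Constructed sample telemetry: four events of the chain plus benign noise.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 11, "Image": r"C:\Users\victim\Downloads\360chrome.exe",
     "TargetFilename": r"C:\Windows\System32\UpdateDll.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Windows\system32\UpdateDll.dll",UpdateMyDll'},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Console\huorongniubi",
     "Details": "Binary Data"},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "6014.anonymousrat5.com", "DestinationPort": 5555},
    # benign noise that must not fire
    {"EventID": 13, "Image": r"C:\Windows\System32\conhost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Console\FontSize",
     "Details": "DWORD (0x00100000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]


def dropped_updatedll(ev: Dict) -> bool:
    """Simple_ATL.DLL writes the embedded downloader to System32 as UpdateDll.dll."""
    return ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(DROPPED_DLL)


def rundll32_updatemydll(ev: Dict) -> bool:
    """rundll32 calling the UpdateMyDll export (or the dropped DLL by path)."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("rundll32.exe"):
        return False
    cmd = ev.get("CommandLine", "").lower().rstrip()
    return DROPPED_DLL in cmd or cmd.endswith("," + RUNDLL32_EXPORT)


def console_binary_value(ev: Dict) -> bool:
    """Winos keeps its shellcode under HKCU\\Console (huorongniubi in this case).

    Heuristic (assumption): legitimate Console settings are REG_DWORD/REG_SZ, so a
    REG_BINARY write there, which Sysmon renders as 'Binary Data', is anomalous.
    """
    return (ev.get("EventID") == 13
            and re.search(r"\\Console\\", ev.get("TargetObject", "")) is not None
            and ev.get("Details") == "Binary Data")


def c2_connection(ev: Dict) -> bool:
    return ev.get("EventID") == 3 and ev.get("DestinationHostname", "").lower() in C2_HOSTS


RULES: List[Tuple[str, Callable[[Dict], bool]]] = [
    ("dropped_updatedll", dropped_updatedll),
    ("rundll32_updatemydll", rundll32_updatemydll),
    ("console_binary_value", console_binary_value),
    ("c2_connection", c2_connection),
]


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per (event, rule) match, in event order."""
    return [{"rule": name, "index": i, "image": ev.get("Image")}
            for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


def verdict(findings: List[Dict]) -> str:
    """Distinct chain stages seen together give more confidence than one hit."""
    stages = {f["rule"] for f in findings}
    if len(stages) >= 3:
        return "high"
    if stages & {"rundll32_updatemydll", "c2_connection"}:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:22} event#{f['index']} {f['image']}")
    print("verdict:", verdict(found))
```

On a real host the same four rules map directly onto Sysmon or EDR queries; the C2 rule is the most brittle (hostnames rotate), while the rundll32-plus-UpdateMyDll command line and the binary value under HKCU\Console are the parts worth keeping as durable detections.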

3.3 Out-EncodedSpecialCharOnlyCommand

Out-EncodedSpecialCharOnlyCommand is a module of Daniel Bohannon’s open-source Invoke-Obfuscation framework. It converts PowerShell script code into code made up solely of special characters, which attackers can use to further obfuscate malicious payloads. It works by rebuilding the script through a custom character-mapping table, so that the result contains no letters at all.

We tested the special-character code generated from the tool’s example and confirmed that it executes the original code successfully.
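Because the output of this tool contains essentially no letters, it is easy to spot in PowerShell script-block logs without decoding it. The following is an added example for this write-up, not code from Invoke-Obfuscation or from the samples: it scores a script block by its letter ratio and by the digit-bootstrap pattern the technique relies on. The obfuscated fragment is constructed in the shape of the tool's output (not output captured from it), and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag PowerShell script blocks that consist only of special characters.

Added example for this write-up; not code from Invoke-Obfuscation or the
samples. OBFUSCATED_SAMPLE is constructed in the shape of
Out-EncodedSpecialCharOnlyCommand output, and the thresholds are assumptions.
"""
import re
from typing import Dict

# Constructed fragment. The technique bootstraps digits by incrementing a
# variable whose name is a single special character, then pulls letters out of
# strings PowerShell can produce without typing any: "$(@{})" expands to
# "System.Collections.Hashtable" and "$?" to "True", and indexing into them
# yields the characters needed to spell type names and method calls.
OBFUSCATED_SAMPLE = (
    '${;}=+$();${=}=${;};${+}=++${;};${@}=++${;};${.}=++${;};${[}=++${;};'
    '${(}=++${;};${]}=++${;};${)}=++${;};${&}=++${;};${|}=++${;};'
    '${"}="["+"$(@{})"[7]+"$(@{})"["${+}${|}"]+"$(@{})"["${@}${=}"]+"$?"[1]+"]";'
)

# Constructed benign block for comparison.
BENIGN_SAMPLE = "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, CPU"

# ${;}=+$()  : a special-char variable initialised to 0
BOOTSTRAP_RE = re.compile(r"\$\{[^\w\s{}]\}=\+\$\(\)")
# ${+}=++${;} : the next digit derived by pre-increment
INCREMENT_RE = re.compile(r"\$\{[^\w\s{}]\}=\+\+\$\{[^\w\s{}]\}")


def assess(script: str, min_len: int = 40, max_letter_ratio: float = 0.05) -> Dict:
    """Score one script block; returns the metrics so analysts can tune thresholds."""
    body = re.sub(r"\s+", "", script)
    total = len(body)
    letters = sum(c.isalpha() for c in body)
    digits = sum(c.isdigit() for c in body)
    letter_ratio = letters / total if total else 0.0
    increments = len(INCREMENT_RE.findall(script))
    bootstrap = BOOTSTRAP_RE.search(script) is not None
    # Short blocks are skipped: "$x=1" is mostly symbols but not obfuscation.
    suspicious = (total >= min_len
                  and letter_ratio <= max_letter_ratio
                  and (bootstrap or increments >= 3))
    return {
        "length": total,
        "letters": letters,
        "digits": digits,
        "letter_ratio": round(letter_ratio, 3),
        "bootstrap": bootstrap,
        "increments": increments,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, block in (("obfuscated", OBFUSCATED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess(block))
```

The letter-ratio test alone catches this encoder; the bootstrap and increment patterns are there so the rule stays quiet on symbol-heavy but legitimate one-liners. Script-block logging (Event ID 4104) records the block as written, so the encoded text is available for this check even though the decoded command only appears once PowerShell has evaluated it.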

At present there is no evidence that the group actually uses this script to generate obfuscated code for its payloads.

4 Summary

The Winos samples captured this time show that the attacking group has invested effort in countering analysis and is actively expanding its arsenal. As for attribution, Winos is widely distributed in China and is used extensively by the “Silver Fox” cybercrime group. However, the targets of this attack differ markedly from previous ones, indicating a departure from typical cybercrime activity. It is possible that an APT group is deliberately blending in with cybercrime activity to stay covert. Knownsec 404 Advanced Threat Intelligence Team will continue to track such activities closely.

We remind all Internet users to beware of phishing websites. Verify that a website is the official one before engaging in sensitive activities such as logging in or downloading software. Do not click links or open emails of unknown origin; instead, report them to security personnel so they can be handled safely.

5 IOC

Hash:

7468dd569c6c4087426012c9bb1b1227 Winos

41d9f4201c9090f2009727664431e80d Winos

a2cf4b57001f590bd3060f988bc070f2 UpdateDll downloader

766fbc49bec3c59a149370806ba2194e Out-EncodedSpecialCharOnlyCommand

C2:

6014.anonymousrat5.com:5555

6014.anonymousrat6.com:8888

6014.anonymousrat7.com:80

404 Team is the core security research team of Knownsec, a well-known security company in China. Twitter: @seebug_team, YouTube: @404team knownsec, Email: zoomeye@knownsec.com