UTG-Q-003: Supply Chain Poisoning of 7ZIP on the Microsoft App Store

Overview

During routine endpoint operations, the QiAnXin Threat Intelligence Center observed an anomalous behaviour: a process named WindowsPackageManagerServer, after a chain of intermediate operations, launched a copy of Lumma Stealer that had not been detected. We started an investigation immediately and traced the activity to a malicious installation package on the Microsoft App Store that presented itself as a Russian-language version of 7-Zip. Our tests confirmed that the official 7-Zip installer is not available on the Microsoft App Store at all; the malicious package, however, surfaced whenever users searched for keywords related to "7z".


We reported the finding to Microsoft immediately, and as of this writing the malicious package has been removed from the Microsoft App Store. The timeline of the report is as follows:

[Figure: report and takedown timeline]

Tracing the package back, we found that it first appeared in January 2023 and evaded detection for almost a year. We track the group behind it internally as UTG-Q-003, and we are publishing the details of the incident and the IOCs to the open-source community so that other security vendors can analyse and investigate it.


Attack Chain

How the attackers managed to get the malicious installation package onto the Microsoft App Store remains unclear. According to QiAnXin's big-data platform, the earliest download of the 7z-soft package occurred on March 17, 2023. The execution chain is as follows:

[Figure: execution chain of the 7z-soft installer]

JPHP is an open-source project that runs PHP on the Java virtual machine: PHP source is compiled to Java bytecode and executed inside the JVM. This uncommon runtime let the loader evade detection effectively. The attackers used the JPHP library function jurl to download the follow-on payloads from a remote server.


To stay undetected for as long as possible, the attackers updated the payloads on their C2 server frequently: we observed two to three soft.exe files with different MD5 hashes being requested every day. The main goal of the payloads was to steal files of various types, including txt, doc, rdp, key, wallet, seed and lnk files. The malware families involved were RedLine, Lumma Stealer and Amadey.

VirusTotal data shows that 7z-soft.exe was also distributed through channels other than the Microsoft App Store.


The URLs in question are no longer reachable. Historical data, however, shows that a request to the domain deputadojoaodaniel.com.br was redirected to a link hosted on cdn.discordapp.com.
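The two delivery behaviours described above, daily hash rotation of soft.exe and a compromised site that redirects to cdn.discordapp.com, are both visible in ordinary proxy logs. The script below is an added example, not code from the report: it runs two checks over constructed download records (hosts other than cdn.discordapp.com, paths and hashes are placeholders) and applies the same "is this a WordPress site" test to constructed HTML snapshots that stand in for the archived pages the report inspected.

```python
"""Added example, not code from the QiAnXin report: two checks over constructed
proxy/download records for the behaviours described above, namely one C2 path
serving several distinct soft.exe hashes per day, and a compromised WordPress
site that 30x-redirects to cdn.discordapp.com before the .exe is served.
Hosts other than cdn.discordapp.com, paths and hashes are placeholders."""
from collections import defaultdict
from urllib.parse import urlparse

# Redirect target named in the report.
CDN_HOSTS = {"cdn.discordapp.com"}

# Constructed proxy records: day, requested URL, status, and either the MD5
# of a 200 body or the Location header of a 30x response.
RECORDS = [
    {"day": "2023-09-01", "url": "http://c2.example/soft.exe", "status": 200, "md5": "a1"},
    {"day": "2023-09-01", "url": "http://c2.example/soft.exe", "status": 200, "md5": "b2"},
    {"day": "2023-09-01", "url": "http://c2.example/soft.exe", "status": 200, "md5": "c3"},
    {"day": "2023-09-02", "url": "http://c2.example/soft.exe", "status": 200, "md5": "d4"},
    {"day": "2023-09-02", "url": "http://c2.example/soft.exe", "status": 200, "md5": "e5"},
    {"day": "2023-09-02", "url": "http://cdn.example/jquery.min.js", "status": 200, "md5": "f6"},
    {"day": "2023-09-03", "url": "http://cdn.example/jquery.min.js", "status": 200, "md5": "f6"},
    {"day": "2023-09-03", "url": "http://blog.example/download/7z", "status": 302,
     "location": "https://cdn.discordapp.com/attachments/1/2/7z-soft.exe"},
    {"day": "2023-09-03", "url": "https://cdn.discordapp.com/attachments/1/2/7z-soft.exe",
     "status": 200, "md5": "07"},
    {"day": "2023-09-03", "url": "http://shop.example/old", "status": 301,
     "location": "https://shop.example/new"},
]

# Constructed historical HTML snapshots of the redirecting hosts, standing in
# for the archived pages the report inspected.
HTML_SNAPSHOTS = {
    "blog.example": '<html><head><meta name="generator" content="WordPress 6.2" />'
                    '<link rel="stylesheet" href="/wp-content/themes/t/style.css"></head></html>',
    "shop.example": "<html><head><title>Shop</title></head><body>store</body></html>",
}


def rotating_payloads(records, min_distinct=2):
    """Map (day, url) -> sorted distinct MD5s for URLs whose body hash changed
    within a single day. Such a URL is a rotating payload: blocking by hash
    lags the attacker, so alert on the URL or host instead."""
    seen = defaultdict(set)
    for r in records:
        if r["status"] == 200 and r.get("md5"):
            seen[(r["day"], r["url"])].add(r["md5"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}


def looks_like_wordpress(html):
    """Same test the report applied to archived pages: a WordPress generator
    tag or wp-content/wp-includes asset paths."""
    h = html.lower()
    return 'content="wordpress' in h or "/wp-content/" in h or "/wp-includes/" in h


def cdn_redirect_chains(records, snapshots, cdn_hosts=CDN_HOSTS):
    """Return (origin_url, location) for 30x responses from a WordPress host
    whose Location header points at a file-sharing CDN host."""
    hits = []
    for r in records:
        loc = r.get("location")
        if not (300 <= r["status"] < 400 and loc):
            continue
        src_host = urlparse(r["url"]).hostname
        if urlparse(loc).hostname in cdn_hosts and looks_like_wordpress(snapshots.get(src_host, "")):
            hits.append((r["url"], loc))
    return hits


if __name__ == "__main__":
    for (day, url), hashes in rotating_payloads(RECORDS).items():
        print(f"{day} {url} served {len(hashes)} distinct hashes: {hashes}")
    for src, dst in cdn_redirect_chains(RECORDS, HTML_SNAPSHOTS):
        print(f"WordPress redirect {src} -> {dst}")
```

The first check is the practical consequence of the hash rotation: a blocklist of yesterday's MD5s never matches today's soft.exe, so the durable indicator is the URL path and host. The second check reproduces the report's reasoning that a WordPress site issuing a redirect into a file-sharing CDN is a springboard, not a legitimate download.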


Inspection of the historical HTML of both domains showed that they were WordPress sites, which indicates that UTG-Q-003 compromised WordPress installations and used them as springboards to host payloads and perform redirection. This technique is common among Russian-speaking groups.


In October we detected a direct redirect from analiticaderetail.com to a page on browserneedupdate.com. Analysis revealed a second attack chain run by the same attackers: a social-engineering attack that abuses the Chrome browser's push-notification mechanism. The attack proceeds as follows:

[Figure: push-notification attack flow]

The attackers built a fairly convincing imitation of a Cloudflare DDoS-protection page claiming that the domain is currently under DDoS attack. A fake human-verification dialog then appears and invites the victim to click.


Clicking it opens a new page that redirects to the brolink2s.site domain and loads a JavaScript file. The script's main job is to display the browser's notification prompt and coax the victim into clicking the "Allow" button.


Once the victim chooses "Allow", the site is added to Chrome's list of origins permitted to send push notifications, and the permission applies on every platform Chrome runs on (macOS, Windows, Android).


Even when the victim's browser window is closed, the attacker can still push links to the victim through Windows notifications. The pushed notification looks like this:

[Figure: attacker-pushed Windows notification]
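Because the "Allow" grant persists in the user's Chrome profile, incident responders can find out after the fact which origins a victim has authorised and when. The script below is an added example, not code from the report or from Chrome: it reads the notification exceptions from a Chrome Preferences file, flags grants to the lure domains named above (brolink2s.site, browserneedupdate.com), and produces a revoked copy. It assumes Chrome's Preferences layout, namely the JSON path profile.content_settings.exceptions.notifications keyed "origin,*" with setting 1 = allow and 2 = block, and timestamps in microseconds since 1601-01-01; the profile content used when no real file is present is constructed.

```python
"""Added example, not code from the QiAnXin report: audit a Chrome profile for
origins granted notification permission (what the fake "Allow" prompt above
obtains) and revoke known lure origins. Assumes Chrome's Preferences layout:
profile.content_settings.exceptions.notifications keyed "origin,*" with
setting 1 = allow, 2 = block, and last_modified in microseconds since
1601-01-01. The sample profile below is constructed; brolink2s.site and
browserneedupdate.com are the domains named in the report."""
import json
import os
from datetime import datetime, timedelta
from pathlib import Path
from urllib.parse import urlparse

ALLOW, BLOCK = 1, 2
NOTIF_PATH = ("profile", "content_settings", "exceptions", "notifications")

# Domains the report names as the notification lure and the landing page.
REPORT_DOMAINS = {"brolink2s.site", "browserneedupdate.com"}

# Constructed Preferences content, not a real profile.
SAMPLE_PREFS = json.dumps({"profile": {"content_settings": {"exceptions": {"notifications": {
    "https://mail.example.com:443,*": {"setting": ALLOW, "last_modified": "13340000000000000"},
    "https://brolink2s.site:443,*": {"setting": ALLOW, "last_modified": "13341000000000000"},
    "https://news.example.org:443,*": {"setting": BLOCK, "last_modified": "13342000000000000"},
}}}}})


def chrome_time(us_since_1601):
    """Chrome stores timestamps as microseconds since 1601-01-01 (UTC)."""
    return datetime(1601, 1, 1) + timedelta(microseconds=int(us_since_1601))


def _notifications(prefs):
    """Walk to the notifications exception dict, tolerating a missing branch."""
    node = prefs
    for key in NOTIF_PATH:
        node = node.get(key, {})
    return node


def notification_grants(prefs_text):
    """Return [(origin, setting, granted_at)] for every notification exception."""
    out = []
    for pattern, entry in _notifications(json.loads(prefs_text)).items():
        origin = pattern.split(",")[0]      # "https://host:443,*" -> "https://host:443"
        when = chrome_time(entry.get("last_modified", "0"))
        out.append((origin, entry.get("setting"), when))
    return out


def suspicious_grants(prefs_text, bad_domains=REPORT_DOMAINS):
    """Origins allowed to notify whose host is a lure domain or a subdomain of one."""
    hits = []
    for origin, setting, _ in notification_grants(prefs_text):
        host = urlparse(origin).hostname or ""
        if setting == ALLOW and any(host == d or host.endswith("." + d) for d in bad_domains):
            hits.append(origin)
    return hits


def revoke_grants(prefs_text, origins):
    """Return new Preferences text with the given origins set to BLOCK.
    Chrome rewrites Preferences on exit, so close the browser before writing."""
    prefs = json.loads(prefs_text)
    for pattern, entry in _notifications(prefs).items():
        if pattern.split(",")[0] in origins:
            entry["setting"] = BLOCK
    return json.dumps(prefs)


def default_prefs_path():
    """Default Chrome profile on Windows; other profiles live beside 'Default'."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default" / "Preferences"


if __name__ == "__main__":
    path = default_prefs_path()
    text = path.read_text(encoding="utf-8") if path.is_file() else SAMPLE_PREFS
    for origin, setting, when in notification_grants(text):
        print(f"{when:%Y-%m-%d %H:%M} {'ALLOW' if setting == ALLOW else 'BLOCK'} {origin}")
    print("lure origins allowed:", suspicious_grants(text))
```

The last_modified timestamp is the useful forensic detail: it dates the moment the victim clicked "Allow", which can be lined up against proxy logs for the fake Cloudflare page and the brolink2s.site redirect. Revoking the grant in the file only sticks if Chrome is closed first; a running browser flushes its in-memory copy over the file on exit.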

From October to the present we have observed a total of 10 domains redirecting to browserneedupdate.com. They include movie-resource sites and software-development sites, which suggests a two-stage operation. In the first stage the attacker can send phishing emails that lead victims to a compromised legitimate site and induce them to enable notifications; because the link points at a legitimate site that merely redirects, it can pass email-gateway inspection. In the second stage the attacker pushes phishing links tailored to the target host's platform, enticing victims to download and open bait files. This is more credible than a phishing email urging users to update their software, and it is highly covert.

Domain
analiticaderetail.com
creatologics.com
www.50kmovie.com
linta.software
captionhost.net
www.bcca.kr
opwer.top
fms.net.br
leanbiome-leanbioome.com
zuripvp.tk

In addition, UTG-Q-003 has delivered installation packages of the following types, all of them built on the JPHP framework.

[Figures: other JPHP-based installer packages delivered by UTG-Q-003]

Attribution and Impact

According to QiAnXin Threat Intelligence Center telemetry, downloads of this package from the Microsoft App Store rose sharply from August onward. We suspect a link to the WinRAR vulnerability CVE-2023-38831: roughly four to five days after a public exploit for it appeared, APT groups from East Asia launched phishing attacks against mainland China, and some organisations may have asked their employees to use compression software other than WinRAR. At the same time, domestic search engines have been manipulated by black-hat SEO groups, making the official 7-Zip download site hard to find. As a result, some users resorted to downloading 7-Zip from the Microsoft App Store and were compromised.


This explains why the negative reviews on a Russian-language malicious installer were submitted by Chinese users. It may seem ironic, but it reflects the current poor state of the software-download ecosystem in China.


The registration details of the domains used by the attackers point to Russia and Ukraine, but we have no visibility into victims outside China, in particular in Russian-speaking regions, so attribution cannot be determined.


Conclusion

All products built on the QiAnXin Threat Intelligence Center's threat-intelligence data, including the QiAnXin Threat Intelligence Platform (TIP), Tianqing, the Tianyan Advanced Threat Detection System, QiAnXin NGSOC and QiAnXin Situational Awareness, already support accurate detection of this attack.


IOC

For the detailed IOCs for UTG-Q-003, see the QiAnXin Threat Intelligence Center Red Raindrop Team GitHub repository [1].

Reference Link

[1] https://github.com/RedDrip7/APT_Digital_Weapon/tree/master/UTG-Q-003

Originally published by the Red Raindrop Team: UTG-Q-003: Supply Chain Poisoning of 7ZIP on the Microsoft App Store

Posted by admin on 13 December 2023 at 19:47; reposted on CTF导航.