##### Unveiling TeleBoyi: Chinese APT Group Targeting Critical Infrastructure Worldwide

###### Yi-Chin Chuang, Yu-Tung Chang

-----

### $whoami

###### Yi-Chin Chuang
- Threat Intelligence Researcher @ TeamT5
- Focus on APAC APT

###### Yu-Tung Chang
- Threat Intelligence Researcher @ TeamT5
- Focus on APAC APT
- Speaker of Conferences: Code Blue

-----

### Agenda

01 Introduction
02 Dive into TeleBoyi
03 Relation with other APT groups
04 Conclusion

-----

# Introduction

-----

### TeleBoyi Profile

- 猼訑 (Boyi)
- China-nexus APT group
- Since 2014
- Targeted Country:
  - Worldwide, especially the APAC region
- Targeted Industry:
  - Critical Infrastructure, mainly Telecom
- Malware:
  - PlugX, LibreCoin, DoubleShell, TripleZero, …

-----

### Target Scope

[Map figure: victims in the Americas, Europe, and the APAC region]

-----

### Target Industry

- Telecommunications
- Information Technology
- Critical Manufacturing
- Financial Services
- Government Facilities
- Healthcare
- Energy
- Nuclear

-----

### Chinese APT Targeting CI

- ChamelGang (CamoFei)
  - Target: Energy and Aviation in Russia
  - Other victims:
- APT41 (Amoeba)
  - Target Industry: …
  - Target Scope: North America, Europe, Asia

-----

### Chinese APT Targeting CI (Cont.)
- Volt Typhoon
  - Target Industry:
  - Target Country: …

-----

### Reason for Chinese APT targeting CI

- Espionage and Information Gathering
  - ChamelGang
- Technology Theft
  - APT41
- Preparation for Future Operations
  - Volt Typhoon

-----

### Operation ‘Harvest’

- Reported by McAfee
- Cyber espionage
- Observed in 2019/2020
- Backdoor
  - PlugX, Winnti
- C2
  - sery.brushupdata.com
  - center.asmlbigip.com
  - sec.asmlbigip.com

-----

### Timeline

[Timeline figure, 2015 to 2020: activity marked at 2015/03, 2015/11, 2016/11, 2017/03, 2017/05, 2017/08, 2018/05, 2018/08 and 2019/12; annotated "Targeting telecom" and "Targeting financial"]

-----

### Timeline (Cont.)

[Timeline figure, 2020 to 2023: activity marked at 2020/04, 2020/05, 2020/07, 2021/04, 2021/06, 2021/07, 2022/04, 2022/07, 2022/08, 2022/12, 2023/01, 2023/06, 2023/08 and 2023/12; annotated "Overlap with Operation ‘Harvest’", "Targeting energy" and "Targeting telecom"]

-----

### TeleBoyi’s interest in the CI

- Telecommunication
  - Cooperating to develop 5G networks in Turkey.
  - China’s telecom products have been banned in India and Vietnam.
- Semiconductor
  - The semiconductor tech blockade.
- Energy
  - Investment in the energy sector in both Thailand and Brazil.
-----

# Dive into TeleBoyi

-----

### Malware Delivery

- Fake Applications/Documents
  - Malware disguised as a fake application or document
- Malicious document files
  - Documents with macros, HTA
- Exploit Public-Facing Application

-----

### Fake Applications/Documents

- Ofis_personeli_yolsuzluk_raporu.exe
  - Turkish; translation: Office staff corruption report
- 無法注冊網頁出現亂碼.exe
  - Translation: Unable to register, the webpage is garbled
- News about National *** *** University.exe

-----

### Malicious Document Files

[Figure: the macro in 詳細信息.doc (translation: "Detailed information") downloads a PlugX dropper from the C2 server]

-----

### Exploit Public-Facing Application

[Figure: the TeleBoyi server exploits a public-facing application (Java deserialization vulnerability, Exchange vulnerability, Struts2 S2-045, …) and deploys a webshell (China Chopper, Godzilla)]

-----

### Malware Packing

- Self-Extracting Archive (SFX)
  - Flexible deployment
  - Disguises malware as a fake application or document
  - Easier installation by macro/HTA
  - Easier installation through webshell
- Icons

-----

# TeleBoyi’s Arsenal

-----

### TeleBoyi’s Arsenal

- Malware
  - PlugX
  - Winnti
  - ShadowPad
  - DeedRAT
  - TripleZero (Mélofée)
  - LibreCoin (RatelS)
  - DoubleShell
  - FakeWorker
  - CobaltStrike
  - Sliver
  - AsyncRAT
- Hacking tool
  - Web shell
  - Credential dumping tool
  - Others

-----

### PlugX

- First seen: 2008
- A modular malware with multiple capabilities
- Used by several Chinese APT groups
  - TeleBoyi, APT41, Mustang Panda, APT27, menuPass, and more

-----

### TeleBoyi’s Custom Loader

- Payload
  - PlugX
  - CobaltStrike
- Packer
  - Themida
  - VMProtect
- Payload decryption
  - XOR
- String decryption
  - Pseudo-random number generation (PRNG)
    1. Initial seed as the argument
    3. Decrypt string with a pseudo-random value

-----

# TeleBoyi’s PlugX vs. Other Threat Actors’ PlugX?

-----

### TeleBoyi’s PlugX

- Special configuration password
  - &&%*%@!
    (shift + 7758521)
  - 7758521
  - 亲亲我吧我爱你, which means “Kiss me I love you”

-----

### LibreCoin

- Alias
  - RatelS
- First seen
  - 2022/03
- Connection
  - Reverse mode
  - Listen mode
- Protocol
  - TCP
  - HTTP/HTTPS
  - TLS
- Capability
  - Command shell
  - File operations
  - Proxy
  - Screenshot
  - Keylogger
  - And more...

-----

### LibreCoin – Execution Flow

[Figure: svchost.exe side-loads the loader libvlc.dll; the loader reads usost.ppt and decrypts it with RC4 into the shellcode loader; the shellcode loader reads usost.cab, decrypts it with RC4 (config), and injects the LibreCoin payload]

-----

# Something Interesting About This Shellcode Loader...

-----

### Shellcode Loader

- Special API hashing
  - ROR12
- Payload decryption
  - XOR + LZNT1
- Reflective DLL injection
- Shared among certain Chinese APT groups
  - LibreCoin
  - Earth Berberoka’s CoinLess (the variant of CLAMBLING)
  - FamousSparrow’s CobaltStrike
  - GroundPeony’s micDown

-----

### DoubleShell

- First seen
  - 2020
- Multi-staged
- Capability
  - Disk management
  - File management
  - Screenshot
  - Command shell

-----

### DoubleShell – Execution Flow

[Figure: Launcher oleview.exe → DLL side-loading → Loader ClassicExplorer32.dll → decrypt resource with a custom algorithm → InstallDll.dll → read and decrypt EdgeUpdate.dat with a custom algorithm → Shellcode → Payload MainServer.dll → work() → Download → DiskManagerController, FileTransferController, ScreenCtroller, TerminalController]

-----

### DoubleShell – Custom Algorithm

- Load resource
- Extract the binary blob from the even-numbered offsets of the resource
- Decrypt it with a custom algorithm

[Figure: ClassicExplorer32.dll → resource → custom algorithm (?) → InstallDll.dll]

-----

#### DoubleShell – Custom Algorithm

1. XOR-decrypt a string as “c3nz9x”
2. Try all permutations of the string “c3nz9x” as the RC4 key to decrypt it; if the result matches the key, the result will be the 2nd RC4 key
3. Decrypt it using the 2nd RC4 key
4.
The first 16 bytes will be the 3rd RC4 key

-----

### DoubleShell – Dead Drop Resolver

[Figure: DoubleShell reads its config from a legitimate site, https://sites.google.com/site/xxxxxxxxxx/, and extracts the new C2 server 185.236.78.3]

-----

### FakeWorker

- First seen
  - 2022/04
- Target
  - Linux
- Capability
  - Upload file
  - Download file
  - Pseudo terminal (pty)
- Command code
  - CMD$0X| (X: 1~7)
  - e.g. command code CMD$04| terminates the pseudo terminal (pty)

-----

### FakeWorker

- Protocol
  - KCP
- C2 communication
  - XOR encryption
  - XOR key: 99 (0x63)

-----

# C&C Infrastructure

-----

### C&C Infrastructure

- Consists of
  - VPS server
  - Compromised website
  - Domains containing companies related to the target

|Targeted Sector|C&C Domain|Legitimate Company|
|---|---|---|
|Semiconductor|asmlupdata.com, center.asmlbigip.com, sec.asmlbigip.com|ASML|
|Telecommunication|idupea.controlliamo.com|Idea Cellular|
|Aerospace|fanuc.gre6gbuf4f.com|FANUC|
|Cryptocurrency|erc.acefinance.asia, www.acefinance.asia, acefinance.asia|ACE Exchange|

-----

### C&C Infrastructure

- Domains containing famous companies

|Legitimate Company|C&C Domain|
|---|---|
|Microsoft|microsoftupdatebaks.ns0.it, newupdatemicrosoft.homepc.it, microsoftstate.homepc.it, sery.mirsoftcheckie.com|
|Google|dategoogle.ns0.it, googlegmail.ns0.it|
|LINE|cdn.statics12.line-mychat.com, cdn.static10.line-mychat.com|
|PChome|pc.pchomecache.com, cdn.pchomecache.com|

-----

# Relation with other APT groups

-----

#### Relation with other APT groups

[Relationship diagram, built up over three slides: nodes TeleBoyi, Chengdu Winnti, Windows ver. Shellcode Loader, CoinLess (variant of CLAMBLING), TripleZero (Mélofée), LibreCoin (RatelS), micDown]
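Returning to the DoubleShell custom algorithm slide: the following Python is an added example (not code from the deck or from the malware) that reproduces the four-step key derivation so an analyst can unpack a sample's resource. It assumes a constructed single-byte XOR key for the seed string, a 16-byte header region for the permutation search, that "matches the key" means the decrypted header starts with the candidate key, and that the 3rd key decrypts the remainder; the resource bytes are constructed.

```python
from itertools import permutations

SEED_XOR_KEY = 0x5A   # assumption: the real single-byte XOR key is not on the slide
HEADER_LEN = 16       # assumption: size of the region brute-forced with the 1st key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def derive_keys_and_payload(resource: bytes, encrypted_seed: bytes):
    """Steps 1-4 from the slide; returns (seed, key1, key2, key3, payload)."""
    seed = bytes(b ^ SEED_XOR_KEY for b in encrypted_seed)   # step 1 -> b"c3nz9x"
    blob = resource[0::2]                # the real data sits at even-numbered offsets
    header, body = blob[:HEADER_LEN], blob[HEADER_LEN:]
    for perm in permutations(seed):      # step 2: 6! = 720 candidate RC4 keys
        key1 = bytes(perm)
        plain = rc4(key1, header)
        if plain.startswith(key1):       # assumption: "matches the key" = plaintext starts with it
            key2 = plain[len(key1):]
            break
    else:
        raise ValueError("no permutation of the seed decrypts the header")
    stage2 = rc4(key2, body)             # step 3
    key3 = stage2[:16]                   # step 4
    payload = rc4(key3, stage2[16:])     # assumption: key3 decrypts the remainder
    return seed, key1, key2, key3, payload


def build_sample_resource(key1: bytes, key2: bytes, key3: bytes, payload: bytes) -> bytes:
    """Constructed fixture: encrypt forward, then interleave junk bytes at odd offsets."""
    blob = rc4(key1, key1 + key2) + rc4(key2, key3 + rc4(key3, payload))
    junk = bytes((i * 37 + 11) & 0xFF for i in range(len(blob)))
    return bytes(b for pair in zip(blob, junk) for b in pair)


# Constructed sample: key1 is one permutation of "c3nz9x"; key2 pads the header to 16 bytes.
SAMPLE_RESOURCE = build_sample_resource(b"x9znc3", b"2ndRC4key!", bytes(range(16)), b"MZ constructed payload")
SAMPLE_ENC_SEED = bytes(c ^ SEED_XOR_KEY for c in b"c3nz9x")
```

On a real sample, replace the constructed resource and XOR key with the bytes recovered from ClassicExplorer32.dll and check the decrypted output for a PE header rather than trusting the first permutation hit blindly.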
-----

### Relation with other APT groups

- Potential collaboration between TeleBoyi and other APT groups, including APT41, Earth Berberoka, SLIME40
- Malware supply chain among these groups due to malware sharing

-----

# Conclusion

-----

### Key Takeaways

- TeleBoyi is a Chinese APT group that targets critical infrastructure worldwide
- TeleBoyi leverages three different ways to gain initial access, including fake applications, malicious documents, and exploiting public-facing applications
- TeleBoyi relies heavily on shared tools; we also found two malware families, DoubleShell and FakeWorker, that have not been disclosed before
- TeleBoyi has a close connection with APT41, Earth Berberoka, and SLIME40
- Chinese APT groups tend to use shared tools in their attacks nowadays

-----

# THANK YOU!

###### Yi-Chin Chuang
rax@teamt5.org

###### Yu-Tung Chang
tako@teamt5.org

-----