{
	"id": "09b81461-5199-47cf-a8fa-03bba45faa62",
	"created_at": "2026-05-01T03:10:08.299437Z",
	"updated_at": "2026-05-01T03:10:50.679319Z",
	"deleted_at": null,
	"sha1_hash": "53e29acc2d43c953867b5f1146a3c2fd88a29621",
	"title": "The Art of Cyberwarfare",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3409274,
	"plain_text": "The Art of Cyberwarfare\r\nArchived: 2026-05-01 02:13:41 UTC\r\nIn mid-May 2021, experts from SOLAR JSOC and the National Computer Incident Response \u0026 Coordination Center\r\n(NCIRCC) released a joint report on a series of targeted attacks detected in 2020. According to the report, the attackers\r\ntargeted Russian federal executive authorities.\r\nWhile analyzing the report, Anastasia Tikhonova (Head of APT Research at Group-IB) and Dmitry Kupin (Senior\r\nMalware Analyst) noticed that they had already come across similar tools in earlier attacks.\r\nChinese APTs are one of the most numerous and aggressive hacker communities. Several dozen groups conduct attacks\r\nin countries all over the world, and Russia is no exception. Hackers mostly target state agencies, industrial facilities, military\r\ncontractors, and research institutes. The main objective is espionage: attackers gain access to confidential data and attempt to\r\nhide their presence for as long as possible. There have been cases when attackers successfully persisted in the victim’s\r\nnetwork for several years.\r\nUnfortunately, the SOLAR JSOC and NCIRCC report did not provide indicators of compromise, so the experts had to rely\r\non descriptions of the functionality and screenshots of the malicious code. As a result, Group-IB’s researchers came up with\r\nsome interesting conclusions about which Chinese groups could be behind the attacks against Russian federal executive\r\nauthorities in 2020, what tools they used, and how their malware has evolved since.\r\nKey conclusions\r\nThe research describes Webdav-O malware detected in attacks against Russian federal executive authorities in 2020.\r\nGroup-IB experts detected two versions of the Webdav-O Trojan for x86 and x64 systems.\r\nWhen comparing parts of the code, the specialists proved that the Webdav-O x64 Trojan was used in attacks against\r\nRussian federal executive authorities. 
The malware has existed since at least 2018.\r\nGroup-IB specialists established that Webdav-O has a set of commands similar to a popular Trojan called BlueTraveller (aka RemShell), which was developed in China and has been linked to the hacker group called TaskMasters.\r\nBefore that, SentinelLabs released a report about malware called Mail-O, which was also identified in attacks against Russian federal executive authorities. Mail-O was deemed to be linked to the Chinese hacker group TA428.\r\nTA428 is known to use a Trojan called Albaniiutas in its attacks. Group-IB’s analysis showed that Albaniiutas is an updated version of BlueTraveller.\r\nGroup-IB experts believe that either both Chinese hacker groups (TA428 and TaskMasters) attacked Russian federal executive authorities in 2020, or there is one united Chinese hacker group made up of different units.\r\nTA428 is a Chinese state-sponsored hacker group that has been operating since 2013. The attackers target a number of government agencies in East Asia that control governmental information technology, domestic and foreign policy, and economic development. TaskMasters (aka BlueTraveller) is a state-sponsored Chinese hacker group that has allegedly been active since at least 2010. The group attacks companies based in several countries, but many of its targets are located in Russia and the CIS. The hackers target large industrial and energy enterprises, government agencies, and transport companies.\r\nStarting point\r\nAs the experts put it: “The report dwells on the analysis of a series of targeted attacks”. Based on this information, we assumed that several hacker groups may be behind the attacks.\r\nThe attackers used malware that interacted with its command-and-control (C2) server via the cloud service Yandex.Disk. The malware was dubbed Webdav-O.\r\nThe attackers also used malicious software that accessed the cloud service Mail.ru. The malware was dubbed Mail-O.\r\nIn early June 2021, analysts from the American cybersecurity company SentinelLabs released a report about Mail-O. The experts wrote that Mail-O is a version of the relatively well-known malware called SManager, which is used by the Chinese hacker group TA428.\r\nGroup-IB specialists would like to clarify that Mail-O is a loader, while SManager and Tmanger are Remote Access Trojans (RATs). However, part of the code in the exported functions “Entery” and “ServiceMain” overlaps between Mail-O, SManager and Tmanger, which brings us back to TA428. Moreover, hackers from TA428 have already been found to be involved in espionage against Russia, especially against Russian state facilities.\r\nTo test the hypothesis that TA428 was behind the attacks against Russian federal executive authorities in 2020, we decided to analyze a sample of Webdav-O. Group-IB Threat Intelligence \u0026 Attribution has detected similar malicious behavior before and can now explain why we link it to a specific group. Below we provide an analysis of Webdav-O samples and highlight the features that overlap with the points mentioned in the SOLAR JSOC and NCIRCC report.\r\n骑驴找马 [qí lǘ zhǎo mǎ] Verbatim translation: Ride a mule while looking for a horse. Definition: Use the tools you have while looking for something better.\r\nAnalysis of the Webdav-O sample\r\nName: 1.dll\r\nSHA1: c9e03855f738e360d24018e2d203142c7ae6c2ec\r\nCompilation timestamp: 2018-07-12 03:08:01\r\nFirst submission: 2019-11-07 10:34:11\r\nDLL name: y_dll.dll\r\nExport function: ServiceMain\r\nThe file “1.dll” is an x86 dynamic link library (DLL) that runs as a service in the system.\r\nThe analyzed file provides remote access to the command line shell (cmd.exe) and executes commands originating from the C2 on the compromised host.\r\nThe legitimate cloud service Yandex.Disk (webdav.yandex.ru:443) is used as network infrastructure, namely as the C\u0026C. Network interaction with the cloud is implemented via the WebDAV protocol. The authentication method is Basic.\r\nThe strings and configuration data are encrypted with the RC4 algorithm using the following key: { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B }. The key size is 16 bytes. The analyzed file can work with 1-7 accounts (in this case only 2 are used, but we will come back to this later).\r\nFeatures of the sample\r\n1. The exported ServiceMain function waits for a random delay before the main code is executed.\r\n2. The Yandex.Disk cloud accounts are checked for availability using the request “/?userinfo” (GET).\r\n3. The file “/test3.txt” is downloaded from Yandex.Disk (GET) and checked for the line “Just A Test!”. On success, the malware lists the command files in the “/test” directory of Yandex.Disk (PROPFIND).\r\n4. A command file is selected for download from the Yandex.Disk cloud (GET). The server response is parsed; the name of the command file is between the tags \u003cd:href\u003e[name of the command file]\u003c/d:href\u003e.\r\n5. The contents of the command file are encrypted with the RC4 algorithm. After the command file has been downloaded, it is deleted from Yandex.Disk (DELETE).\r\n6. The file “/test2.txt” is uploaded to Yandex.Disk (PUT). The file “/test2.txt” contains the line “Just A Test!”. This mechanism is presumably used to check that the malicious program is functioning.\r\n7. The file “/test2/[0-9]{1,4}[0-9]{1,4}.bin” is uploaded to Yandex.Disk (PUT). The file contains the command results. The data is encrypted with the RC4 algorithm.\r\nDescription of the commands\r\nCommand: Description\r\n-upload: Uploads a file to Yandex.Disk cloud storage. The file name is specified in the command. The file is saved in the cloud under the name “[0-9]{1,4}[0-9]{1,4}.bin”. Response format: “##u## %s %s”.\r\n-download: Downloads a file from Yandex.Disk cloud storage. The file name is specified in the command. The downloaded file is deleted from Yandex.Disk. Response format: “##d## %s”.\r\n-quit: Ends the session (exits the command execution loop).\r\n-setsleep: Sets the waiting interval (in minutes) between command requests. Response format: “##s## %d”.\r\n[other command]: Runs the command in the command line shell (cmd.exe).\r\nComparison with the sample presented in the SOLAR JSOC and NCIRCC report\r\nWhen analyzing the code uploaded to VirusTotal, we found many overlapping points with the Trojan described in the SOLAR JSOC and NCIRCC report. 
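The x86 command cycle described above (features 3 to 7 and the command table), worked through as an added example; it is not Group-IB’s code and not the sample’s. The cloud store, the command files and the command runner are constructed stand-ins so the script runs offline and executes nothing, the /?userinfo availability check (feature 2) is left out, the page’s static RC4 key is assumed to be the key applied to command files and results, and reading the two %s values of the -upload response as (local path, cloud name) is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Static RC4 key of the x86 sample, as given above. The page says a static key
# encrypts command files and results; that it is this same key is an assumption.
RC4_KEY_X86 = bytes.fromhex('8A4F014734C975F82BC8C1E9D2F3A58B')
CMD_FILE = re.compile('^/test/[0-9]{1,8}[.]bin$')   # page: /test/[0-9]{1,4}[0-9]{1,4}.bin
MARKER = b'Just A Test!'

def rc4(key, data):
    # Textbook RC4 (KSA + PRGA); one routine both encrypts and decrypts.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

class FakeDisk:
    # Constructed in-memory stand-in for the Yandex.Disk WebDAV endpoint.
    def __init__(self, files):
        self.files = dict(files)   # path -> bytes
        self.log = []              # (method, path), in the order the implant issued them

    def get(self, path):
        self.log.append(('GET', path))
        return self.files.get(path)

    def put(self, path, data):
        self.log.append(('PUT', path))
        self.files[path] = data

    def delete(self, path):
        self.log.append(('DELETE', path))
        self.files.pop(path, None)

    def propfind(self, directory):
        # DAV:multistatus body with one <d:href> per entry, as a real server returns.
        self.log.append(('PROPFIND', directory))
        hrefs = ''.join('<d:response><d:href>%s</d:href></d:response>' % p
                        for p in sorted(self.files) if p.startswith(directory + '/'))
        return '''<d:multistatus xmlns:d='DAV:'>%s</d:multistatus>''' % hrefs

def list_command_files(disk):
    # Features 3-4: PROPFIND /test, then take the file names out of the <d:href> tags.
    root = ET.fromstring(disk.propfind('/test'))
    return [h.text for h in root.iter('{DAV:}href') if CMD_FILE.match(h.text or '')]

def run_cycle(disk, key, exec_fn, state):
    # One polling cycle (features 3-7): check test3.txt, write test2.txt, then for
    # each command file GET it, DELETE it, dispatch it, and PUT the RC4-encrypted
    # result to /test2/%04d%04d.bin. exec_fn(cmdline) -> bytes stands in for cmd.exe.
    if disk.get('/test3.txt') != MARKER:
        return []
    disk.put('/test2.txt', MARKER)
    responses = []
    for n, path in enumerate(list_command_files(disk), start=1):
        cmd = rc4(key, disk.get(path)).decode('ascii').strip()
        disk.delete(path)
        op, _, arg = cmd.partition(' ')
        if op == '-quit':
            break
        if op == '-setsleep':
            state['sleep_min'] = int(arg)
            resp = '##s## %d' % state['sleep_min']
        elif op == '-upload':
            # The local file lands in the cloud root as NNNNNNNN.bin; reading the two
            # %s values as (local path, cloud name) is an assumption.
            cloud_name = '%04d%04d.bin' % (state['seq'], n)
            disk.put('/' + cloud_name, state['local'][arg])
            resp = '##u## %s %s' % (arg, cloud_name)
        elif op == '-download':
            state['local'][arg] = disk.get('/' + arg)
            disk.delete('/' + arg)
            resp = '##d## %s' % arg
        else:
            resp = exec_fn(cmd).decode('ascii', 'replace')
        disk.put('/test2/%04d%04d.bin' % (state['seq'], n), rc4(key, resp.encode()))
        responses.append(resp)
    state['seq'] += 1
    return responses

def fake_cmd(line):
    # Canned cmd.exe output for the demo; nothing is executed.
    return b'desktop-01 user1' if line == 'whoami' else b''

def demo():
    # Constructed operator-side content: four command files dropped into /test.
    tasks = ['-setsleep 30', 'whoami', '-upload C:/Users/IEUser/Desktop/notes.txt', '-quit']
    files = {'/test3.txt': MARKER}
    for i, t in enumerate(tasks, start=1):
        files['/test/%04d%04d.bin' % (1, i)] = rc4(RC4_KEY_X86, t.encode())
    disk = FakeDisk(files)
    state = {'seq': 1, 'sleep_min': 15, 'local': {'C:/Users/IEUser/Desktop/notes.txt': b'draft'}}
    return disk, state, run_cycle(disk, RC4_KEY_X86, fake_cmd, state)
```

Calling demo() and printing disk.log gives the request order a network sensor would see: GET /test3.txt, PUT /test2.txt, PROPFIND /test, then GET and DELETE per command file and a PUT under /test2/. Against a real sample,  rc4 with RC4_KEY_X86 over the string table is the step that yields the hardcoded accounts discussed further down.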
Some of the common features can be seen in the screenshot of the malware code, which shows the retrieval of the list of command files in the test folder:\r\nComparison of the Webdav-O sample from the report (on the left) to the VirusTotal sample (on the right)\r\nComparison of Webdav-O samples\r\nWebdav-O sample from the report:\r\nAuthentication: Basic authentication and OAuth\r\nList of commands (5): -upload, -download, -setsleep, -quit, -sleepuntil, plus any other command, which is run via cmd.exe\r\nCommand response format: ##u## %s %s (-upload); ##d## %s (-download); ##s## %d (-setsleep); ##l## %s (-sleepuntil)\r\nFile objects in Yandex.Disk storage: test2.txt, test3.txt, test4.txt, test5.txt, test7.txt, /test, /test2, /test2/%04d%04d.bin\r\nRC4 key: generates an RC4 session key (contained in encrypted form in the file test7.txt). It is used to encrypt commands and their results.*\r\nAccounts: there are no hardcoded accounts in the program body, since authentication with an OAuth token is possible.*\r\nWebdav-O x86 (VirusTotal sample):\r\nAuthentication: Basic authentication\r\nList of commands (4): -upload, -download, -setsleep, -quit, plus any other command, which is run via cmd.exe\r\nCommand response format: ##u## %s %s (-upload); ##d## %s (-download); ##s## %d (-setsleep)\r\nFile objects in Yandex.Disk cloud storage: test2.txt, test3.txt, /test, /test2, /test2/%04d%04d.bin\r\nRC4 key: static and hardcoded into the program body. It is used to encrypt commands and their results.\r\nAccounts: static and hardcoded into the program body. They are used for Basic authentication.\r\n* Impossible to verify, since the report contains no indicators identifying the Webdav-O file.\r\nAs our comparison of the two samples shows, Webdav-O from the SOLAR JSOC and NCIRCC report looks like a newer, partially improved version of the Trojan that we found on VirusTotal.\r\nComparison of Webdav-O with the code of the BlueTraveller (RemShell) sample\r\n见风转舵 [jiàn fēng zhuǎn duò] Verbatim translation: If you feel the wind, change direction. Meaning: Change your tactics to avoid difficulties.\r\nBased on a large database of analyzed malicious samples accumulated while searching for and responding to cyber threats, Group-IB’s specialists linked the detected Webdav-O sample to the BlueTraveller Trojan.\r\nTo support our hypothesis, below we present a comparison of the Webdav-O x86 sample with a sample of BlueTraveller (RemShell) (SHA1: 6857BB2C3AE5F9C2393D9F88816BE7A10CB5573F).\r\nName: netui4.dll\r\nSHA1: 6857bb2c3ae5f9c2393d9f88816be7a10cb5573f\r\nCompilation timestamp: 2017-03-03 09:13:08\r\nFirst submission: 2017-07-07 18:33:12\r\nDLL name: client_dll.dll\r\nExport function: ServiceMain\r\nFragments of the pseudocode for processing (receiving) the \"-upload\" command in the Webdav-O samples\r\nFragments of the pseudocode for processing (receiving) the \"-upload\" command in the BlueTraveller (RemShell) samples\r\nFragments of the pseudocode for processing (receiving) the \"-download\" command in the Webdav-O samples\r\nFragments of the pseudocode for processing (receiving) the \"-download\" command in the BlueTraveller (RemShell) samples\r\nFragments of pseudocode for processing (receiving) the \"-quit\" command in the Webdav-O sample\r\nFragments of pseudocode for processing (receiving) the \"-exit\" command in the BlueTraveller (RemShell) sample\r\nFragments of pseudocode for executing a command in the command line shell (cmd.exe) in the Webdav-O samples\r\nFragments of pseudocode for executing a command in the command line shell (cmd.exe) in the BlueTraveller (RemShell) samples\r\nOriginal name of the Webdav-O DLL (DIRECTORY_ENTRY_EXPORT): y_dll.dll\r\nOriginal name of the BlueTraveller (RemShell) DLL (DIRECTORY_ENTRY_EXPORT): client_dll.dll\r\nBased on the above comparison, we can draw the following conclusions:\r\n1. Similar DLL names (DIRECTORY_ENTRY_EXPORT, the original DLL name)\r\n2. Same command names\r\n3. Same principle of command processing\r\n4. A feature allowing commands to be executed in the command line shell (cmd.exe)\r\nAccounts, passwords, and attribution\r\n路遥知马力, 日久见人心 [lù yáo zhī mǎ lì, rì jiǔ jiàn rén xīn] Verbatim translation: Having covered a long distance, you will know a horse's endurance, and after a long time you will know what lies in a person's heart. Definition: Time reveals a person's true nature.\r\nLet’s go back to the analyzed sample of Webdav-O x86. When we decrypted the malware strings, we found the following “login:password” pairs for the attacker’s accounts on Yandex.Disk.\r\nThe data discovered:\r\naleshaadams:7ujm!QAZ2wsx\r\ntstrobos:\u0026UJM1qaz2ws\r\nIf the account login is known, the email address can be recovered as follows:\r\ntstrobos@yandex.ru\r\naleshaadams@yandex.ru\r\nAttempt to recover the password for aleshaadams@yandex.ru\r\nAttempt to recover the password for tstrobos@yandex.ru\r\nThe screenshots show that both accounts are linked to cellphone numbers in the same region (+86), which is the country code for China.\r\nAnalysis of password generation\r\nIn 2019, Elmar Nabigaev (Deputy Director of the Positive Technologies Expert Security Center) delivered a talk entitled “The TaskMasters APT” (aka BlueTraveller) and gave examples of passwords discovered while investigating the malware campaign:\r\nThe images above show that the passwords for the Webdav-O accounts were generated using a similar technique to that of TaskMasters. The only things that changed were the letter case and the combination of keyboard rows.\r\nBlurring the boundaries\r\nConsidering all the comparisons made and the information discovered about the accounts, we believe that the Chinese hacker group TaskMasters is most likely behind the attacks involving an improved version of the Webdav-O Trojan. The case of TA428, however, is still open to debate. Could both of them be behind the attacks against Russian federal executive authorities in 2020? Could someone else be involved? Or was it the same group?\r\nWe will continue our investigation and seek more information for analysis. 
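What the two passwords above have in common, as an added check that is not Group-IB’s code: each is a chain of QWERTY column walks typed from the top row down (7ujm, !QAZ, 2wsx and &UJM, 1qaz, 2ws) with Shift toggled between segments. That reading is inferred from the two strings; the Positive Technologies slides are not reproduced here. The snippet flags passwords built that way, which is one way to hunt for further operator accounts in a credential set; it assumes a US QWERTY layout, and the login:password lines it reads are constructed.

```python
# QWERTY main block, unshifted, with each row left-aligned so that the same index
# in every row is one physical column (1-q-a-z, 7-u-j-m, ...). US layout assumed.
ROWS = ['1234567890-=', 'qwertyuiop[]', 'asdfghjkl;', 'zxcvbnm,./']
SHIFTED = dict(zip('!@#$%^&*()_+{}:<>?', '1234567890-=[];,./'))
KEYPOS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
STEPS = {(1, 0): 'down', (-1, 0): 'up', (0, 1): 'right', (0, -1): 'left'}

def key_pos(ch):
    # Physical key behind a character: Shift is folded away so !QAZ and 1qaz coincide.
    return KEYPOS.get(SHIFTED.get(ch, ch.lower()))

def walk_segments(pw, min_len=3):
    # Maximal runs of at least min_len characters whose keys move by the same
    # one-key offset each time. Returns (segment, direction) pairs, left to right.
    segs = []
    i = 0
    while i < len(pw):
        a, j, step = key_pos(pw[i]), i + 1, None
        while a is not None and j < len(pw):
            b = key_pos(pw[j])
            if b is None:
                break
            d = (b[0] - a[0], b[1] - a[1])
            if d not in STEPS or (step is not None and d != step):
                break
            step, a, j = d, b, j + 1
        if j - i >= min_len:
            segs.append((pw[i:j], STEPS[step]))
            i = j
        else:
            i += 1
    return segs

def keyboard_walk_share(pw):
    # Fraction of the password covered by walk segments; 1.0 means it is nothing
    # but concatenated keyboard walks, as in the two Webdav-O credentials.
    return sum(len(s) for s, _ in walk_segments(pw)) / len(pw) if pw else 0.0

def flag_credentials(creds, threshold=0.8):
    # creds: iterable of login:password lines. Returns the logins whose password is
    # mostly keyboard walks, together with the segments that triggered the flag.
    flagged = []
    for line in creds:
        login, _, pw = line.partition(':')
        if keyboard_walk_share(pw) >= threshold:
            flagged.append((login, [s for s, _ in walk_segments(pw)]))
    return flagged
```

The direction check matters: without it, any two adjacent keys typed back and forth would count as a walk and the false-positive rate on ordinary passwords climbs. The threshold leaves room for a digit or two tacked onto the end, which is the usual variation on this habit.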
Let us take a look at the report about TA428 and its new tools, in particular the Trojan called Albaniiutas, which NTT Security Corporation released in 2020.\r\nExecution of Albaniiutas files (from the NTT report)\r\nThe aim of our investigation is to compare these two families. Our reasoning is presented below.\r\nFirst of all, we found common points in the utility used to launch the DLL:\r\nBlueTraveller: 1.exe (SHA1: 6303CCE6747703E81A5A52DEC11A3BA7DB26EA4B). A utility for registering and running a DLL as a service in the system, and for removing that service. Launched from the command line shell (cmd.exe) with the following command line arguments: C:\\Users\\IEUser\\Desktop\\1.exe Usage: install -i DllPath or install -u ServiceName. “-i [DllPath]” registers and runs the DLL as a service; “-u [ServiceName]” deletes the specified service.\r\nAlbaniiutas: vjsc.dll (SHA1: 2FE6AF7CE84CB96AE640BB6ED25A7BA67591A11E). A DLL responsible for registering and running a DLL as a service in the system. Loaded by the file “Scrpt.exe” (SHA1: BC708ACDF6B8B60577268A0788F1E375CB3FFEB4), a legitimately signed copy of “vjc.exe”. Original DLL name: “ServiceAdd.dll”.\r\nThe code of both utilities shows the similarities in more detail. As can be seen, both samples use XOR encryption, and they even display identical debugging messages.\r\nFragments of code encrypted with XOR and debugging strings in BlueTraveller\r\nFragments of code encrypted with XOR and debugging strings in Albaniiutas\r\nFragments of code of the XOR encryption function in BlueTraveller\r\nFragments of code of the XOR encryption function in Albaniiutas\r\nMoreover, there are common points at the stage of establishing persistence in the system. The screenshots below show that the same DLL name randomization occurs. The same description of the service under which this DLL will run is also displayed.\r\nFragments of code with DLL name randomization in BlueTraveller\r\nFragments of code with DLL name randomization in Albaniiutas\r\nLet’s continue our comparative analysis and take a look at a sample of BlueTraveller (SHA1: 6857BB2C3AE5F9C2393D9F88816BE7A10CB5573F) and a fileless RAT belonging to the Albaniiutas family.\r\nBlueTraveller: netui4.dll (SHA1: 6857BB2C3AE5F9C2393D9F88816BE7A10CB5573F). The DLL is a RAT. Launched via a service (exported function ServiceMain). Original DLL name: “client_dll.dll”.\r\nAlbaniiutas: fileless DLL (SHA1: 08645D079ABE05B88201DB0FF1C9B1EC035035CA). The fileless DLL is a payload in the form of a RAT. Loaded by the file “XpEXPrint.dll / [a-z]{4}.dll” (SHA1: AE57D779AAC235E979FAE617599377A099B148AB), in whose resources it is stored in encrypted form. Original DLL name: “ClientX.dll”.\r\nWe also analyzed parts of the code that look very similar. For example, part of the pseudocode for executing commands in the command line shell (cmd.exe) is shown below.\r\nFragments of the code in BlueTraveller\r\nFragments of the code in Albaniiutas\r\nNext, we analyzed the code that processes the data received from the C\u0026C server:\r\nFragments of the code in BlueTraveller\r\nFragments of the code in Albaniiutas\r\nThe code fragments above show that the code in BlueTraveller is less sophisticated, but in both cases the separator “\\b” is used three times (the strtok function). Below is an example of the data that the Albaniiutas malware receives for each command:\r\nFormat of the data received when executing commands (retrieved from the NTT report)\r\n1. If the command is sent multiple times, it will not be executed again unless a value other than the previous one is specified.\r\n2. Separator\r\n3. If the value does not match the value in ③, the command will not be executed.\r\n4. Command identifier and command parameters, separated by spaces.\r\nLet’s also compare the code fragments for checking and executing the commands received from the C\u0026C server:\r\nFragments of code in BlueTraveller\r\nFragments of code in Albaniiutas\r\nIt is clear that this part was updated by the hackers, but the commands remain the same:\r\nCommand: Options: Description\r\n-exit: (none): Terminates the function for receiving and processing commands (exits the loop)\r\n-download: URL, or path to the storage directory: Downloads a file from the C\u0026C server\r\n-upload: Path to the file on the infected device, or part of the URL path used during the upload: Uploads a file to the C\u0026C server\r\n(command): Command arguments: Executes the command with cmd.exe and returns the result to the C\u0026C server\r\nIn addition, the two Trojans follow a similar pattern in their network protocols for communicating with the control server. Below is an example of network communication with the C\u0026C server, taken from BlueTraveller samples available on VirusTotal, next to the Albaniiutas equivalent.\r\nBlueTraveller: http://45.32.188[.]226/0000/1301/0024/4u/i7fr09bGus+Wyt7iyjos=\r\nBlueTraveller template: [IP]/[0000 or 1111]/[0-9]{4}/[0-9]{4}/[base64 data]\r\nAlbaniiutas: http://go.vegispaceshop[.]org/home/2252/0108/IKNYF6oSkYtpU60GfnS27f8QIRN2+6+O3gKV6ODd2mEPNo7tYi1+ePOSmFzMlUY1ciJ1A0XSw8aOkJzTDXITxdSNo74=\r\nAlbaniiutas template: [domain]/[dir]/[0-9]{4}/[0-9]{4}/[base64 data]
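The two beacon templates above, turned into a check over proxy log lines, together with the strtok detail from the command parser (added example, not Group-IB’s or NTT’s code). The log format is constructed; the BlueTraveller URL is the one from the page, while the Albaniiutas-style URL under go.vegispaceshop[.]org and the 203.0.113.5 line are constructed. A template match is necessary, not sufficient: the trailing blob is encrypted and nothing here decodes it, so a hit needs corroboration. Of the four annotated fields of the command record, only item 1 (the replay guard) is reproduced; the rest of the layout is not reconstructed.

```python
import base64
import re
from urllib.parse import urlsplit

# Beacon path templates from the table above. Both end in a base64 blob; the
# BlueTraveller one sits under a bare IP with a fixed 0000/1111 first directory.
BT_PATH = re.compile('^/(0000|1111)/[0-9]{4}/[0-9]{4}/([A-Za-z0-9+/]+=*)$')
AL_PATH = re.compile('^/[A-Za-z0-9_-]+/[0-9]{4}/[0-9]{4}/([A-Za-z0-9+/]+=*)$')
IPV4 = re.compile('^[0-9]{1,3}([.][0-9]{1,3}){3}$')

def _is_b64(s):
    # Reject blobs that only look like base64 (wrong length or padding).
    try:
        base64.b64decode(s, validate=True)
        return len(s) % 4 == 0
    except ValueError:
        return False

def classify_beacon(url):
    # Returns 'BlueTraveller', 'Albaniiutas' or None for one URL.
    u = urlsplit(url)
    host, path = u.hostname or '', u.path
    m = BT_PATH.match(path)
    if m and IPV4.match(host) and _is_b64(m.group(2)):
        return 'BlueTraveller'
    m = AL_PATH.match(path)
    if m and not IPV4.match(host) and _is_b64(m.group(1)):
        return 'Albaniiutas'
    return None

def scan_proxy_log(lines):
    # Constructed column layout: time client method url status. Returns
    # (line_no, family, url) for every line whose URL fits a template.
    hits = []
    for n, line in enumerate(lines, start=1):
        cols = line.split()
        if len(cols) < 4:
            continue
        fam = classify_beacon(cols[3])
        if fam:
            hits.append((n, fam, cols[3]))
    return hits

SAMPLE_LOG = [   # constructed lines, not captured traffic
    '2021-06-10T08:00:01Z 10.0.0.5 GET http://45.32.188.226/0000/1301/0024/4u/i7fr09bGus+Wyt7iyjos= 200',
    '2021-06-10T08:00:02Z 10.0.0.5 GET http://www.example.org/home/2021/0108/index.html 200',
    '2021-06-10T08:00:03Z 10.0.0.7 GET http://go.vegispaceshop.org/home/2252/0108/SGVsbG8gd29ybGQ= 200',
    '2021-06-10T08:00:04Z 10.0.0.7 GET http://203.0.113.5/1111/0007/0031/QUJD 404',
]

BS = chr(8)   # the backspace separator, written as chr(8) so its value is explicit

def strtok_split(data, delim=BS):
    # C strtok semantics: runs of delimiters collapse and empty tokens never
    # appear, unlike str.split, which keeps them. A re-implementation that uses
    # split() would shift every field left on a record with a doubled separator.
    return [t for t in data.split(delim) if t]

def accept_command(record, last_value):
    # Item 1 above: the first field must differ from the one processed previously,
    # otherwise the command is ignored. Returns (accepted, fields).
    fields = strtok_split(record)
    if not fields or fields[0] == last_value:
        return False, fields
    return True, fields
```

The hostname test is what separates the two families in practice: the BlueTraveller pattern is specific enough to alert on, while the Albaniiutas pattern (any directory, then two four-digit segments and a blob) will also fire on some legitimate CDN paths and is better used to pivot from a known-bad domain than as a stand-alone rule.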
We have established that the strings in Albaniiutas are encrypted using the RC4 algorithm. The encryption key used is L!Q@W#E$R%T^Y\u0026U*A|}t~k.\r\nThe same encryption key was used in the BlueTraveller server component, which stores its log files in encrypted form:\r\nThe conclusion is clear: Albaniiutas is nothing but a logical continuation of the malware belonging to the BlueTraveller family.\r\nAnd then it dawned on us…\r\nWe thought that we had analyzed everything and were done with comparisons, when suddenly a new sample was uploaded to VirusTotal. We identified it as Webdav-O.\r\nName: y_dll.dll\r\nSHA1: 3ff73686244ca128103e86d8c5aa024e37e7b86d\r\nCompilation timestamp: 2018-12-06 11:15:35\r\nFirst submission: 2021-06-05 04:41:00\r\nDLL name: y_dll.dll\r\nExport function: ServiceMain\r\nThe file “y_dll.dll” is an x64 dynamic link library (DLL) that runs as a service in the system.\r\nAs can be seen, this version of Webdav-O was written for a system with a different bitness and was compiled later than our Webdav-O x86 sample (2018-12 and 2018-07, respectively).\r\nThe legitimate cloud service Yandex.Disk (webdav.yandex.ru:443) is again used as network infrastructure, in particular as the C2. Network interaction with the cloud is carried out via the WebDAV protocol.\r\nHowever, this sample supports two authentication methods instead of the one in Webdav-O x86: Basic (with a username and password) and OAuth (using a token).\r\nThe strings and configuration data are encrypted using the RC4 algorithm with the following key: { C3 02 03 04 05 DD EE 08 09 10 11 12 1F D2 15 16 }. The key size is 16 bytes. The analyzed file can work with 1-7 accounts (it works with only one in this case).\r\nThis sample seemed even more similar to the one described in the SOLAR JSOC and NCIRCC report: unlike our x86 sample, it has the “-sleepuntil” command.\r\nUnfortunately, our colleagues at SOLAR JSOC and NCIRCC did not provide any indicators of compromise, so we can only make comparisons based on the screenshots and descriptions of the capabilities of their sample.\r\nWebdav-O sample from the report\r\nWebdav-O x64 sample\r\nWebdav-O sample from the report\r\nWebdav-O x64 sample (processing the -sleepuntil command)\r\nThe code fragments presented above show that both versions look identical. Group-IB experts also noticed that in Webdav-O x64, commands and their results are transferred by uploading various files to Yandex.Disk:\r\nDescription of the files created by Webdav-O from the report:\r\ntest2.txt, test3.txt are files used to check the connection\r\ntest4.txt contains the interval (in minutes) between command requests to the server\r\ntest5.txt contains the launch date for the malware\r\ntest7.txt is uploaded to the server and contains a 16-byte RC4 key that is used to encrypt commands and their results (the key itself is encrypted with a public RSA key)\r\ntest is a directory containing files that are downloaded, decrypted, and processed as commands. The malware receives the file list via a PROPFIND request and by parsing the necessary tags: \u003cd:href\u003ecomplete path to file\u003c/d:href\u003e.\r\nDescription of the files created by Webdav-O x64:\r\ntest2.txt, test3.txt: Used to verify the connection. Example of “test2.txt” content: “Just A Test!”\r\ntest4.txt: Contains the waiting interval (in minutes) between command requests. Example of “test4.txt” content: 15\r\ntest5.txt: Contains the date and time until which the malware will remain in sleep mode. Format: %d-%d-%d_%d:%d:%d; example of “test5.txt” content: 2021-03-02_14:30:00\r\ntest6.txt: Contains an OAuth token. The content is encrypted using the RC4 algorithm with the following key: { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B } (16 bytes). It is noteworthy that this key had already been used by our other Webdav-O sample, the x86 build, to encrypt strings and configuration data.\r\ntest7.txt: Uploaded to the server; contains a 16-byte RC4 session key, which is used to encrypt commands and their results (the key itself is encrypted with a public RSA key). RC4 session keys are generated using the BCryptGenRandom function: BCryptGenRandom(0i64, rc4_key_session, 16u, BCRYPT_USE_SYSTEM_PREFERRED_RNG)\r\n/test: Contains files that are downloaded, decrypted, and processed as commands. File name format: “/test/[0-9]{1,4}[0-9]{1,4}.bin”\r\n/test2: Contains files (the results of executed commands), which are encrypted and uploaded to Yandex.Disk. File name format: “/test2/[0-9]{1,4}[0-9]{1,4}.bin”\r\nThe data presented above shows that this part is also identical, except for the description of test6.txt, which is not presented in the SOLAR JSOC and NCIRCC report.\r\nBased on the comparisons above, Group-IB experts have concluded that this particular Webdav-O sample was most likely used in the attacks on Russian federal executive authorities in 2020, and that it is the same Trojan as the one described in the SOLAR JSOC and NCIRCC report.\r\nTo sum up…\r\n人心齐，泰山移 [rén xīn qí, tài shān yí] Verbatim translation: United, people can move even Mount Taishan. Definition: By working together people can accomplish anything.\r\nVenn diagram showing the common points between the two Trojans (only data presented in the blog is used in the diagram)\r\nThe Webdav-O malware is a version of the BlueTraveller (RemShell) Trojan, which is attributed to a Chinese APT.\r\nWebdav-O was built for both x86 and x64 systems.\r\nWebdav-O may have been used by the Chinese APT TaskMasters (aka BlueTraveller). Based on the information about the attacks on various federal executive authorities in 2020 presented in the SOLAR JSOC and NCIRCC report, it is possible that in some cases the Chinese APT TA428 was behind the attacks, while others could have been carried out by TaskMasters.\r\nResearchers from SentinelLabs have linked Mail-O to SManager and Tmanger (tools used by TA428). Group-IB specialists found common code in the malware’s exported functions “Entery” and “ServiceMain”. We can say with moderate confidence that Mail-O was developed by TA428.\r\nBased on research done by NTT Security, it can be said that TA428 has already used the Albaniiutas malware. Group-IB experts have shown that this Trojan is a new version of BlueTraveller (RemShell). As such, it can be assumed that Webdav-O is also linked to TA428.\r\nIt is noteworthy that Chinese hacker groups actively exchange tools and infrastructure, and perhaps that is simply the case here.\r\nThere is also strong evidence that points to one large hacker group consisting of several intelligence units of the People’s Liberation Army of China. For example, unit 61398 from Shanghai is responsible for the actions of the well-known group called APT1 (aka Comment Crew), and unit 61419 from Qingdao has been linked to Tick. Each unit attacks to the fullest, according to a strict timeline and order. This means that one Trojan can be configured and modified by hackers from different departments, with different levels of training and with various objectives.\r\nIoCs\r\nIn Yandex.Disk cloud storage\r\n“/test”\r\n“/test2”\r\n“/test[2-7]{1}.txt”\r\n“/test/[0-9]{1,4}[0-9]{1,4}.bin”\r\n“/test2/[0-9]{1,4}[0-9]{1,4}.bin”\r\n“[0-9]{1,4}[0-9]{1,4}.bin”\r\nOn the host\r\nWebdav-O is launched as a service in the system\r\nSuspicious network interaction with Yandex.Disk cloud storage\r\nEmail\r\ntstrobos@yandex[.]ru\r\naleshaadams@yandex[.]ru\r\nNetwork indicators\r\ngo.vegispaceshop[.]org\r\n209.250.239[.]96\r\nHash\r\n1.dll — Webdav-O RAT x86\r\nMD5 664fb7cda349da4d36afa7a15f7f14f5\r\nSHA1 c9e03855f738e360d24018e2d203142c7ae6c2ec\r\nSHA256 7874c9ab2828bc3bf920e8cdee027e745ff059237c61b7276bbba5311147ebb6\r\ny_dll.dll — Webdav-O RAT x64\r\nMD5 5155c03a2064d80cef6a86a84d67c1b4\r\nSHA1 3ff73686244ca128103e86d8c5aa024e37e7b86d\r\nSHA256 849e6ed87188de6dc9f2ef37e7c446806057677c6e05a367abbd649784abdf77\r\nnetui4.dll — BlueTraveller RAT\r\nMD5 aa9771e98f25db395c7d9f5beb9e5421\r\nSHA1 6857bb2c3ae5f9c2393d9f88816be7a10cb5573f\r\nSHA256 95ac5cc14f114461df8469331171863e8d8c1981761cf16c68d513e34a46103d\r\n1.exe — BlueTraveller service install tool\r\nMD5 ceb80ceffc82f10acdbe9841e4588eb2\r\nSHA1 6303cce6747703e81a5a52dec11a3ba7db26ea4b\r\nSHA256 1457ce3a4f2f4b41a345cf06abd7c7af0d14a3ceaf61e3ff863a787cee43b48a\r\nvjsc.dll — Albaniiutas service install module\r\nMD5 101b7762ef536cf77f04e07115231b53\r\nSHA1 2fe6af7ce84cb96ae640bb6ed25a7ba67591a11e\r\nSHA256 2629cae63cecc23bd30731e3a7e44fdabee75a1aaec14b3d7f56ac1674ad9c11\r\nfile — Albaniiutas RAT fileless module (DLL)\r\nMD5 f481172e59491117ac5dbe2ade267b1f\r\nSHA1 08645d079abe05b88201db0ff1c9b1ec035035ca\r\nSHA256 fd43fa2e70bcc3b602363667560494229287bf4716638477889ae3f816efc705\r\nfile — Albaniiutas dropper stage 0\r\nMD5 fb82e5a2f9f25ac53f3f4c8b8e33ffdd\r\nSHA1 a55260aa75e7f28ad6644f916fe11c6bd2a93ba2\r\nSHA256 83b619f65d49afbb76c849c3f5315dbcb4d2c7f4ddf89ac93c26977e85105f32\r\ncssrs.exe — Albaniiutas dropper stage 1\r\nMD5 9fb74044c1935298a7c00b74fa192baf\r\nSHA1 aa046d7b6d37070ea7a65d13ddf0f3bd8668a723\r\nSHA256 2a3c8dabdee7393094d72ce26ccbce34bff924a1be801f745d184a33119eeda4\r\ncssrs.exe — Albaniiutas dropper stage 1\r\nMD5 32060465223315a1da24c0fb4a6e51f5\r\nSHA1 c89896264a633fd7a036042d3202c6b9503d11cb\r\nSHA256 71750c58eee35107db1a8e4d583f3b1a918dbffbd42a6c870b100a98fd0342e0\r\nutas.xlsx.exe — Albaniiutas dropper stage 0\r\nMD5 4814f81f3b174c52e920e6ddd57d8da6\r\nSHA1 bfa38cb5097bba6a8ae555d6dce3c5446db8099a\r\nSHA256 690bf6b83cecbf0ac5c5f4939a9283f194b1a8815a62531a000f3020fee2ec42\r\nYARA rules\r\nimport \"pe\"\r\nrule webdavo_rat\r\n{\r\n    meta:\r\n        author = \"Dmitry Kupin\"\r\n        company = \"Group-IB\"\r\n        family = \"webdavo.rat\"\r\n        description = \"Suspected Webdav-O RAT (YaDisk)\"\r\n        sample = \"7874c9ab2828bc3bf920e8cdee027e745ff059237c61b7276bbba5311147ebb6\" // x86\r\n        sample = \"849e6ed87188de6dc9f2ef37e7c446806057677c6e05a367abbd649784abdf77\" // x64\r\n        severity = 9\r\n        date = \"2021-06-10\"\r\n    strings:\r\n        $rc4_key_0 = { 8A 4F 01 47 34 C9 75 F8 2B C8 C1 E9 D2 F3 A5 8B }\r\n        $rc4_key_1 = { C3 02 03 04 05 DD EE 08 09 10 11 12 1F D2 15 16 }\r\n        $s0 = \"y_dll.dll\" fullword ascii\r\n        $s1 = \"test3.txt\" fullword ascii\r\n        $s2 = \"DELETE\" fullword wide\r\n        $s3 = \"PROPFIND\" fullword wide\r\n    condition:\r\n        (any of ($rc4_key*) or 3 of ($s*)) or\r\n        (\r\n            pe.imphash() == \"43021febc8494d66a8bc60d0fa953473\" or\r\n            pe.imphash() == \"68320a454321f215a3b6fcd7d585626b\"\r\n        )\r\n}\r\nrule albaniiutas_dropper_exe\r\n{\r\n    meta:\r\n        author = \"Dmitry Kupin\"\r\n        company = \"Group-IB\"\r\n        family = \"albaniiutas.dropper\"\r\n        description = \"Suspected Albaniiutas dropper\"\r\n        sample = \"2a3c8dabdee7393094d72ce26ccbce34bff924a1be801f745d184a33119eeda4\" // csrss.exe dropped from 83b6\r\n        sample = \"71750c58eee35107db1a8e4d583f3b1a918dbffbd42a6c870b100a98fd0342e0\" // csrss.exe dropped from 690b\r\n        sample = \"83b619f65d49afbb76c849c3f5315dbcb4d2c7f4ddf89ac93c26977e85105f32\" // dropper_stage_0 with decoy\r\n        sample = \"690bf6b83cecbf0ac5c5f4939a9283f194b1a8815a62531a000f3020fee2ec42\" // dropper_stage_0 with decoy\r\n        severity = 9\r\n        date = \"2021-07-06\"\r\n    strings:\r\n        $eventname = /[0-9A-F]{8}-[0-9A-F]{4}-4551-8F84-08E738AEC[0-9A-F]{3}/ fullword ascii wide\r\n        $rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 } // L!Q@W#E$R%T^Y\u0026U*\r\n        $aes256_str_seed = { 00 65 34 65 35 32 37 36 63 30 30 30 30 31 66 66 35 00 } // e4e5276c00001ff5\r\n        $s0 = \"Release Entery Error\" fullword ascii\r\n        $s1 = \"FileVJCr error\" fullword ascii\r\n        $s2 = \"wchWSMhostr error\" fullword ascii\r\n        $s3 = \"zlib err0r\" fullword ascii\r\n        $s4 = \"De err0r\" fullword ascii\r\n        $s5 = \"CreateFileW_CH error!\" fullword ascii\r\n        $s6 = \"GetConfigOffset error!\" fullword ascii\r\n    condition:\r\n        5 of them or\r\n        (\r\n            pe.imphash() == \"222e118fa8c0eafeef102e49953507b9\" or\r\n            pe.imphash() == \"7210d5941678578c0a31adb5c361254d\" or\r\n            pe.imphash() == \"41e9907a6c468b4118e968a01461a45b\"\r\n        )\r\n}\r\nrule albaniiutas_rat_dll\r\n{\r\n    meta:\r\n        author = \"Dmitry Kupin\"\r\n        company = \"Group-IB\"\r\n        family = \"albaniiutas.rat\"\r\n        description = \"Suspected Albaniiutas RAT (fileless)\"\r\n        sample = \"fd43fa2e70bcc3b602363667560494229287bf4716638477889ae3f816efc705\" // dumped\r\n        severity = 9\r\n        date = \"2021-07-06\"\r\n    strings:\r\n        $rc4_key = { 00 4C 21 51 40 57 23 45 24 52 25 54 5E 59 26 55 2A 41 7C 7D 74 7E 6B 00 } // L!Q@W#E$R%T^Y\u0026U*\r\n        $aes256_str_seed = { 00 30 33 30 34 32 37 36 63 66 34 66 33 31 33 34 35 00 } // 0304276cf4f31345\r\n        $s0 = \"http://%s/%s/%s/\" fullword ascii\r\n        $s1 = \"%s%04d/%s\" fullword ascii\r\n        $s2 = \"GetRemoteFileData error!\" fullword ascii\r\n        $s3 = \"ReadInjectFile error!\" fullword ascii\r\n        $s4 = \"%02d%02d\" fullword ascii\r\n        $s5 = \"ReadInject succeed!\" fullword ascii\r\n        $s6 = \"/index.htm\" fullword ascii\r\n        $s7 = \"commandstr\" fullword ascii\r\n        $s8 = \"ClientX.dll\" fullword ascii\r\n        $s9 = \"GetPluginObject\" fullword ascii\r\n        $s10 = \"D4444 0k!\" fullword ascii\r\n        $s11 = \"D5555 E00r!\" fullword ascii\r\n        $s12 = \"U4444 0k!\" fullword ascii\r\n        $s13 = \"U5555 E00r!\" fullword ascii\r\n    condition:\r\n        5 of them\r\n}\r\nSource: https://blog.group-ib.com/task",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.group-ib.com/task"
	],
	"report_names": [
		"task"
	],
	"threat_actors": [],
	"ts_created_at": 1777605008,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53e29acc2d43c953867b5f1146a3c2fd88a29621.pdf",
		"text": "https://archive.orkl.eu/53e29acc2d43c953867b5f1146a3c2fd88a29621.txt",
		"img": "https://archive.orkl.eu/53e29acc2d43c953867b5f1146a3c2fd88a29621.jpg"
	}
}