A Chinese-speaking threat actor was found exploiting vulnerabilities in South Korean, Chinese, Thai, Taiwanese, and Iranian organizations, where the actor utilized scanning tools like WebLogicScan, Vulmap, and Xray to identify targets.
The Viper C2 framework, Cobalt Strike with the TaoWu and Ladon extensions, and the leaked LockBit 3 builder were employed to deploy malware and encrypt systems.
A custom ransom note referencing a Telegram group was included in the LockBit payload, indicating potential for coordinated attacks and data extortion.
The attacker took a multi-pronged approach to finding vulnerabilities on target systems. They used WebLogicScan, a Python script, to identify weaknesses in WebLogic servers, likely feeding it target lists through text files, and also ran vulmap.py, another tool focused on WebLogic vulnerabilities.
Finally, they broadened their scope with Xray, a vulnerability scanner, which they pointed at two specific Chinese websites, and used dirsearch to unearth hidden directories on targets, leaving behind evidence of a past scan.
The threat actor used SQLmap to run SQL injection attacks against multiple websites, including a pharmaceutical organization in South Korea, and exploited vulnerabilities in Zhiyuan OA software with Seeyon_exp to upload JSPX web shells.
They also employed Weaver to scan for and exploit vulnerabilities in Zhiyuan OA instances, and relied on Cobalt Strike for command and control, extending its capabilities with modules such as TaoWu and Ladon.
The attacker’s arsenal included a wide range of tools for privilege escalation, lateral movement, and data exfiltration, demonstrating a sophisticated level of threat.
By using Cobalt Strike’s Ladon plugin to automate post-exploitation activities, they gained initial access to a Bitnami WordPress app on an AWS host, likely through a WPCargo exploit (CVE-2021-25003), and then deployed the Viper C2 framework, reusing the Cobalt Strike server password.
Abusing Viper’s MSF Web Delivery API, they uploaded and executed a payload on the compromised WordPress host; analysis of a Redis dump confirmed that the payload ran successfully.
The attacker gained access to a system, used a Docker container exploit to escalate privileges, and then uploaded a tool called Traitor to escalate further to root.
The attacker then deployed LockBit ransomware on the system. They scanned for targets in China, South Korea, Iran, Thailand, and Taiwan, focusing on the government, education, health, and logistics sectors, and routed their activity through multiple proxy servers to hide their location.
An analysis by The DFIR Report of the ransom note and the threat actor’s communications suggests a Chinese-speaking group, likely called “You_Dun” based on its Telegram channel (since deleted), that engages in malicious activities such as defacements, data leaks, and potentially DDoS attacks.
Evidence points to the group leader using the alias “EVA” with Telegram ID 6392878812, and the group also maintains the related channels “You_Dun888” and “juxingchuhai,” where it advertises services and shares proofs of compromise under the name “Dark Cloud Shield.”