Thursday, April 18, 2024

Operation Wocao – China’s Hidden Hackers Group Using Custom Hacking Tools to Attack More Than 10 High Profile Countries

Operation Wocao – New hidden Chinese threat groups are known as APT20 targeting various private, and government networks using custom hacking tools and various tactics and techniques.

Threat groups likely support the Chinese government to gather sensitive data from other governments for espionage purposes.

Researchers observed that the threat groups targeted at least 10 high profile countries government networks, managed service provides, Energy, Health Care and High-Tech.

Attackers mostly using a legitimate channel such as to infiltrate the targeted network, and also they are capable of abusing the 2FA soft tokens and plant the backdoor.

They intrude into the network via compromised employee’s credentials with admin privilege access which they have directly retrieved from the password managers.

Also the group skilled enough to carefully destroy the file system based forensic traces of their activities and make it harder for investigators to determine the incident.

Process of Attack, the main goal of the actors is to exfiltrate the sensitive data maintaining the persistence of access and jumping to additional targets.

APT20 using a variety of following hacking tools for their malicious operation in Operation Wocao.

  • File upload webshell
  • File upload and command execution web shell
  • Socket tunnel
  • Reconnaissance script
  • XServer
  • Agent
  • Directory list tool
  • Process launcher
  • CheckAdmin
  • OS scanner
  • Keylogger

Operation Wocao – Process of Stealing Data

Threat actors initially intrude into victims’ networks by exploiting the vulnerable web server by utilizing the web shell that placed by other threat actors for reconnaissance purposes.

Later they are the implant their own webshell to the targeted web server to maintain the access even if the credentials for VPN accounts were to be reset.

In further movement, an attacker using a well-documented method such as dumping credentials from memory and accessing password managers on compromised systems to move into the network.

Attackers specifically targeting the people based on their role and associated privilege levels within the organization, which helps them to obtain access to highly privileged accounts such as an enterprise-level administrator.

According to Fox-it report “Once such privileges have been obtained, the actor directly shifts their means of persistence. Instead of having to rely on their persistent malicious backdoors as command and control channel – a channel that’s essentially not supposed to be there and subject to discovery by the victim – the actor uses the stolen credentials to connect to the victim’s network using the corporate VPN solution.”

The attacker also abusing the 2FA using novel techniques,s and they break the 2FA protection using simple credential theft.

“Once the attackers completely gain network access, uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems.”

Before that attackers sometimes utilize a custom reconnaissance script. This script collects, among other things, installed software, running processes and open connections.

Finally, attackers identifying and collecting information and data on the system and compress all the files using WinRAR and download the files using the backdoor functionality.

In the end, they completely remove all created executables and files and then close the implanted backdoor.

You can read the complete whitepaper here.


Latest articles

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a...

Cerber Linux Ransomware Exploits Atlassian Servers to Take Full Control

Security researchers at Cado Security Labs have uncovered a new variant of the Cerber...

FGVulDet – New Vulnerability Detector to Analyze Source Code

Detecting source code vulnerabilities aims to protect software systems from attacks by identifying inherent...

North Korean Hackers Abuse DMARC To Legitimize Their Emails

DMARC is targeted by hackers as this serves to act as a preventative measure...

L00KUPRU Ransomware Attackers discovered in the wild

A new variant of the Xorist ransomware, dubbed L00KUPRU, has been discovered in the...

Oracle Releases Biggest Security Update in 2024 – 372 Vulnerabilities Are Fixed – Update Now!

Oracle has released its April 2024 Critical Patch Update (CPU), addressing 372 security vulnerabilities...

Outlook Login Panel Themed Phishing Attack Evaded All Antivirus Detections

Cybersecurity researchers have uncovered a new phishing attack that has bypassed all antivirus detections.The...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles