Operation Wocao – China’s Hidden Hackers Group Using Custom Hacking Tools to Attack More Than 10 High Profile Countries

Operation Wocao – New hidden Chinese threat groups are known as APT20 targeting various private, and government networks using custom hacking tools and various tactics and techniques.

Threat groups likely support the Chinese government to gather sensitive data from other governments for espionage purposes.

Researchers observed that the threat groups targeted at least 10 high profile countries government networks, managed service provides, Energy, Health Care and High-Tech.

Attackers mostly using a legitimate channel such as to infiltrate the targeted network, and also they are capable of abusing the 2FA soft tokens and plant the backdoor.

They intrude into the network via compromised employee’s credentials with admin privilege access which they have directly retrieved from the password managers.

Also the group skilled enough to carefully destroy the file system based forensic traces of their activities and make it harder for investigators to determine the incident.

Process of Attack, the main goal of the actors is to exfiltrate the sensitive data maintaining the persistence of access and jumping to additional targets.

APT20 using a variety of following hacking tools for their malicious operation in Operation Wocao.

• File upload webshell
• File upload and command execution web shell
• Socket tunnel
• Reconnaissance script
• XServer
• Agent
• Directory list tool
• Process launcher
• CheckAdmin
• OS scanner
• Keylogger

Operation Wocao – Process of Stealing Data

Threat actors initially intrude into victims’ networks by exploiting the vulnerable web server by utilizing the web shell that placed by other threat actors for reconnaissance purposes.

Later they are the implant their own webshell to the targeted web server to maintain the access even if the credentials for VPN accounts were to be reset.

In further movement, an attacker using a well-documented method such as dumping credentials from memory and accessing password managers on compromised systems to move into the network.

Attackers specifically targeting the people based on their role and associated privilege levels within the organization, which helps them to obtain access to highly privileged accounts such as an enterprise-level administrator.

According to Fox-it report “Once such privileges have been obtained, the actor directly shifts their means of persistence. Instead of having to rely on their persistent malicious backdoors as command and control channel – a channel that’s essentially not supposed to be there and subject to discovery by the victim – the actor uses the stolen credentials to connect to the victim’s network using the corporate VPN solution.”

The attacker also abusing the 2FA using novel techniques,s and they break the 2FA protection using simple credential theft.

“Once the attackers completely gain network access, uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems.”

Before that attackers sometimes utilize a custom reconnaissance script. This script collects, among other things, installed software, running processes and open connections.

Finally, attackers identifying and collecting information and data on the system and compress all the files using WinRAR and download the files using the backdoor functionality.

In the end, they completely remove all created executables and files and then close the implanted backdoor.

You can read the complete whitepaper here.