30 C
Jaipur
Friday, October 30, 2020

Operation Wocao – China’s Hackers Group Using Custom Hacking Tools

Must read

Intel Reveals Details on the 11th-gen Rocket Lake Desktop Processors

Earlier this year, Intel unveiled its 11th-gen line-up of laptop processors complete with a new Intel logo and other changes. Today, the company is...

How to Сo-edit Documents Without Uploading Them In The Cloud

Cloud solutions achieved a powerful boost in 2020 because of the COVID-19 pandemic. Sure, if you work remotely, there are no better tools than...

Xiaomi Trumps Apple to Become the Third Best Smartphone Maker Globally

The third quarter saw the smartphone market recover after taking massive hits due to the COVID-19 pandemic earlier this year. Samsung again came out...

Call Of Duty Warzone Mobile Might Become A Reality, Confirms Activision

A while back, Activision put out a job listing with its description saying “WZM,” which clearly meant Warzone Mobile. Ever since then, Call of...

Operation Wocao – New hidden Chinese threat groups are known as APT20 targeting various private, and government networks using custom hacking tools and various tactics and techniques.

Threat groups likely support the Chinese government to gather sensitive data from other governments for espionage purposes.

Researchers observed that the threat groups targeted at least 10 high profile countries government networks, managed service provides, Energy, Health Care and High-Tech.

Attackers mostly using a legitimate channel such as to infiltrate the targeted network, and also they are capable of abusing the 2FA soft tokens and plant the backdoor.

They intrude into the network via compromised employee’s credentials with admin privilege access which they have directly retrieved from the password managers.

Also the group skilled enough to carefully destroy the file system based forensic traces of their activities and make it harder for investigators to determine the incident.

Process of Attack, the main goal of the actors is to exfiltrate the sensitive data maintaining the persistence of access and jumping to additional targets.

APT20 using a variety of following hacking tools for their malicious operation in Operation Wocao.

  • File upload webshell
  • File upload and command execution web shell
  • Socket tunnel
  • Reconnaissance script
  • XServer
  • Agent
  • Directory list tool
  • Process launcher
  • CheckAdmin
  • OS scanner
  • Keylogger

Operation Wocao – Process of Stealing Data

Threat actors initially intrude into victims’ networks by exploiting the vulnerable web server by utilizing the web shell that placed by other threat actors for reconnaissance purposes.

Later they are the implant their own webshell to the targeted web server to maintain the access even if the credentials for VPN accounts were to be reset.

In further movement, an attacker using a well-documented method such as dumping credentials from memory and accessing password managers on compromised systems to move into the network.

Attackers specifically targeting the people based on their role and associated privilege levels within the organization, which helps them to obtain access to highly privileged accounts such as an enterprise-level administrator.

According to Fox-it report “Once such privileges have been obtained, the actor directly shifts their means of persistence. Instead of having to rely on their persistent malicious backdoors as command and control channel – a channel that’s essentially not supposed to be there and subject to discovery by the victim – the actor uses the stolen credentials to connect to the victim’s network using the corporate VPN solution.”

The attacker also abusing the 2FA using novel techniques,s and they break the 2FA protection using simple credential theft.

“Once the attackers completely gain network access, uses a mix of (custom developed) backdoors and open source tools to connect to and through compromised systems.”

Before that attackers sometimes utilize a custom reconnaissance script. This script collects, among other things, installed software, running processes and open connections.

Finally, attackers identifying and collecting information and data on the system and compress all the files using WinRAR and download the files using the backdoor functionality.

In the end, they completely remove all created executables and files and then close the implanted backdoor.

You can read the complete whitepaper here.

Source link

- Advertisement -

More articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest article

Intel Reveals Details on the 11th-gen Rocket Lake Desktop Processors

Earlier this year, Intel unveiled its 11th-gen line-up of laptop processors complete with a new Intel logo and other changes. Today, the company is...

How to Сo-edit Documents Without Uploading Them In The Cloud

Cloud solutions achieved a powerful boost in 2020 because of the COVID-19 pandemic. Sure, if you work remotely, there are no better tools than...

Xiaomi Trumps Apple to Become the Third Best Smartphone Maker Globally

The third quarter saw the smartphone market recover after taking massive hits due to the COVID-19 pandemic earlier this year. Samsung again came out...

Call Of Duty Warzone Mobile Might Become A Reality, Confirms Activision

A while back, Activision put out a job listing with its description saying “WZM,” which clearly meant Warzone Mobile. Ever since then, Call of...

SmartThings Find Locates Your Lost or Misplaced Galaxy Devices

Samsung has launched SmartThings Find, a new service in SmartThings app to help locate your misplaced or stolen Galaxy devices. The app uses Bluetooth...