Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Chinese Hackers Use ‘Datper’ Trojan in Recent Campaign

A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

A China-linked cyber espionage group known as Tick was observed using the Datper malware in a recent campaign, Cisco Talos security researchers reveal.

Also referred to as Redbaldknight and Bronze Butler, Tick has been launching various cyber-attacks against entities in South Korea and Japan over the past couple of years. The campaign Talos analyzed also used compromised websites located in the two countries as command and control (C&C) servers.

Although Tick has been using custom tools in each campaign, the researchers observed a series of recurring patterns in the use of infrastructure, such as overlaps in hijacked C&C domains or the use of the same IP.

Based on these infrastructure patterns, the experts discovered similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks.

Datper, the malware used in the campaign Talos analyzed, can execute shell commands on the victim machine, while also obtaining hostnames and drive information. The used infection vector, however, is unknown, Talos says.

The analyzed Datper variant used the compromised website of a legitimate Korean laundry service to host their C&C. Located at whitepia[.]co.kr, the site does not use SSL encryption or certificates, which rendered it vulnerable to attacks.

The security researchers observed other compromised websites as well being used as C&C servers as part of the attack. This led to the hypothesis that the malware could be delivered via web-based assaults, such as drive-by downloads or watering hole attacks.

Talos also discovered hosts that were being used as C&C servers although they were not connected to compromised websites. This would suggest that the hackers initially deployed the C&C infrastructure on legitimately obtained (and potentially purchased) hosts.

Advertisement. Scroll to continue reading.

“The actor behind this campaign deployed and managed their C&X infrastructure mainly in South Korea and Japan. We confirmed that the actor periodically changed their C&C infrastructure and appears to have a history of identifying and penetrating vulnerable websites located in these countries,” Talos says.

Once on the infected machine, Datper would create a mutex object and retrieve several pieces of information from the victim machine, including system information and keyboard layout. Next, the malware attempts to issue an HTTP GET request to the C&C server (which was unavailable during investigation).

Some of the compromised websites were also used as C&C domains for the xxmm backdoor, also known as Murim or Wrim, which was previously associated with the threat actor, and which allows attackers to install additional malicious tools onto the infected machines. The two samples also use similar GET request URI paths.

A Datper variant compiled in March 2018 was observed using a legitimate website as C&C, resolving to the same IP used for the C&C infrastructure of the Emdivi malware family. This Trojan opens a backdoor on the compromised machines and was previously attributed to the threat actor behind the campaign “Blue termite.”

“Talos’ investigation into attacks conducted by this actor indicates commonalities between the Datper, xxmm backdoor, and Emdivi malware families. Specifically, these similarities are in the C&C infrastructure of attacks utilizing these malware families. Some C&C domains used in these attacks resolve to hijacked, legitimate South Korean and Japanese hosts and may have been purchased by the attacker,” Talos concludes.

Related: China-linked Hackers Targeting Air-Gapped Systems

Related: “Tick” Cyber Espionage Group Employs Steganography

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.