Exploring the Chinese DDoS Threat Landscape (English version).pdf
EXPLORING THE CHINESE DDOS THREAT LANDSCAPE

A research report by Intezer

ABSTRACT

Chinese threat actors have proven to be predominant in the DDoS ecosystem: there is a high volume of known cross-platform DDoS botnets of alleged Chinese origin operating on Linux as well as Windows systems, and they have exercised long-term activities over the years. In this paper, we will begin with a brief overview of the currently most predominant Chinese threat groups, ChinaZ and Nitol, along with some other subgroups. We will cover their motivations, some of their malware characteristics, and how long they have been operational, along with an overview of each group's background. Furthermore, we will cover a range of code and artifact similarities between the groups and give our own interpretation of such connections. We will also discuss how Chinese threat groups may be sharing code, showing different cases of code similarities between different families, and a case study involving a specific Gh0stRAT variant found in the wild that has been seen in several Chinese threat actor campaigns, including some involving an APT. Finally, we will summarize our findings and suggest future points of investigation.

1. INTRODUCTION

In recent years, there has been a significant rise in DDoS attacks, a large proportion of which have alleged Chinese origins. Furthermore, China has emerged as having one of the highest rates of DDoS attacks [1]. An example of these attacks is one that targeted GitHub in February 2018 [2] and was linked to a campaign against the anti-censorship project GreatFire [3], forcing the website to go offline for approximately 10 minutes. Another example is the attack against Telegram on 12 June 2019 that was linked to the Hong Kong protests [4] against changes to extradition bills. This series of events shows that a high volume of DDoS operations originate in China.
In addition, there is a highly populated and growing community of DDoS threat actors of alleged Chinese origin that have recorded long-term activities. The Chinese DDoS threat landscape has proven complicated to classify, leading to misinterpretations: for example, groups have been classified only for it to emerge later that a specific group is composed of several subgroups, and vice versa, leading the community to use different names to reference what is, in essence, the same group. The hierarchy of these groups is not clearly known, nor is it known whether they are part of the same collective. We will be breaking apart some of the most well-known Chinese DDoS groups, revealing bonds that might correlate some of these groups and that might potentially uncover further leads on how this community operates.

2. NOTORIOUS CHINESE DDOS THREAT ACTORS

Among the vast number of Chinese DDoS groups, we highlight two that will be the main protagonists of this paper: ChinaZ and Nitol.

2.1 ChinaZ

ChinaZ is an alleged Chinese threat group first reported by MalwareMustDie in November 2014 [5]. This threat group was discovered operating several multi-platform DDoS botnets targeting Linux and Windows systems. It is important to mention that this group has deployed what currently may be some of the most predominant DDoS botnets targeting Linux systems, having developed Linux.Elknot along with its predecessor Linux.BillGates. This group is known to have been in operation since late 2013 and has the ability to deploy several different DDoS attack methodologies. In 2014, Avast researchers Peter Kálnai and Jaromír Hořejší presented an extensive research study on ChinaZ's cross-platform DDoS tools [6]. Furthermore, in 2016, researchers Ya Liu and Hui Wang from Qihoo 360 presented their findings regarding BillGates [7], in which they explained the several DDoS attacks that the group had conducted, in particular two attacks deployed against 12 root name servers in 2015 [8].
2.1.1 ChinaZ deployed DDoS botnets

Apart from the Elknot and BillGates DDoS botnets, ChinaZ is known to have developed many others. Figure 1 shows a timeline of some of the malware believed to be linked to ChinaZ.

Figure 1: ChinaZ malware timeline.

We can see that this group started developing DDoS botnets as early as the end of 2013 with the development of Elknot/DNSAmp. 2014 to 2015 was the period in which the greatest volume of malware was developed by this group, implementing seven new DDoS bot strains: BillGates, AESDDoS, IptableX, XorDDoS, MrBlack, DDoSClient and ChinaZ.DDoS. From 2016 to 2018 this group seems not to have been very active, with the number of new malware strains dropping considerably. In 2019, a new DDoS bot malware with connections to Elknot was discovered, known as ChaChaBot.

The common victims of this group have been small to medium-sized local businesses, online gaming sites, e-commerce shops and forums. Monetization has been achieved by deploying DDoS attacks as a service and demanding a ransom to stop the specified attacks.

An interesting fact about the progression of this threat actor group, based on claims made by MalwareMustDie, is that at some point ChinaZ recruited students to develop some of its malware. This was the case with DDoSClient. Furthermore, some of these families have been seen being served together on HTTP file servers (also commonly known as HFS), which is the general way these Chinese malware families have been seen hosted. Figures 2-4 show different ChinaZ malware families being hosted together.

Figure 2: BillGates and Iptables (source: MalwareMustDie).

Figure 3: MrBlack and ChinaZ (source: MalwareMustDie).

Figure 4: DDoSClient and BillGates (source: Intezer).

In addition, all of these different families share a common code base.
We can easily spot this by plotting a graph based on code-reuse connections, comparing an already classified corpus of 34 x86 binaries belonging to the different ChinaZ families against our ELF corpus database, which is composed of hundreds of thousands of classified ELF binaries, 80% of which are x86 files. This code reuse analysis is based on genetic analysis, meaning that the code comparison is based on small, already classified fragments of code, excluding common code fragments such as code seen in libraries and other irrelevant pieces of code. The results are shown in Figure 5. We can differentiate between two clusters: all families discovered from 2014 to 2016 fall into one cluster, and ChaChaBot, which was discovered during 2018, into the other. Each node in the graph represents a different file and the edges represent code connections based on genetic analysis. The color of each node represents the weight of genes for that specific file, and the color of each edge represents the weight of that connection in terms of genes, where darker colors represent a higher weight and lighter colors a lower weight. Furthermore, these two clusters demonstrate that the presented Chinese DDoS malware families do share a substantial amount of code.

Figure 5: ChinaZ code reuse.

ChaChaBot allegedly ported code from Elknot, although this common shared code base seems to be significantly different from the original Elknot code, which may imply that it was highly modified.
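To make the gene-based reuse graph concrete, the following added example (written for this edit, not Intezer's engine or any code from the report) reduces each sample to a set of "genes", discards genes that also occur in a common corpus, weights each edge by the number of genes two samples still share, and reports the connected components as clusters. The same routine serves the string-reuse variant the report applies to the same test group: only the gene extractor changes. Every sample byte string, function name and file name below is a constructed placeholder, not content of real malware.

```python
"""Added example: a toy 'genetic' reuse graph, not Intezer's engine.

Every sample is reduced to a set of genes: either printable strings of
five or more characters (string reuse) or fixed-size chunks of its code
(code reuse). Genes that also occur in a 'common' corpus (compiler
banners, libc symbols, shared prologues) are discarded so that library
code does not connect unrelated samples. The number of genes two samples
still share becomes the weight of the edge between them, and the
connected components of that graph are the clusters a reuse plot shows.
All sample bytes below are constructed placeholders.
"""
import re
from collections import defaultdict
from itertools import combinations

PRINTABLE = re.compile(rb"[\x20-\x7e]{5,}")


def string_genes(data: bytes) -> set:
    """Genes for string reuse: every printable run of >= 5 bytes."""
    return {m.decode("ascii") for m in PRINTABLE.findall(data)}


def code_genes(code: bytes, size: int = 8) -> set:
    """Genes for code reuse: consecutive fixed-size chunks of the code bytes.
    A real engine would split at function or basic-block boundaries."""
    return {code[i:i + size] for i in range(0, len(code) - size + 1, size)}


def reuse_graph(genes_by_sample: dict, common: set, min_shared: int = 1):
    """Return (edges, clusters).

    edges    -> {(a, b): shared_gene_count} for pairs sharing >= min_shared
    clusters -> connected components of the edge graph, as sorted name lists
    """
    filtered = {n: g - common for n, g in genes_by_sample.items()}
    edges = {}
    for a, b in combinations(sorted(filtered), 2):
        weight = len(filtered[a] & filtered[b])
        if weight >= min_shared:
            edges[(a, b)] = weight
    adjacency = defaultdict(set)
    for a, b in edges:
        adjacency[a].add(b)
        adjacency[b].add(a)
    seen, clusters = set(), []
    for start in sorted(filtered):          # depth-first component search
        if start in seen:
            continue
        component, stack = [], [start]
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.append(node)
            stack.extend(adjacency[node] - seen)
        clusters.append(sorted(component))
    return edges, clusters


# Constructed sample contents (placeholders, not bytes of real binaries).
STRING_SAMPLES = {
    "elknot": b"\x00__libc_start_main\x00GCC: (GNU) 4.4.7\x00StartAttack\x00"
              b"AttackThread\x00flood_a.cpp\x00SetConnRate\x00",
    "billgates": b"\x00__libc_start_main\x00GCC: (GNU) 4.4.7\x00StartAttack\x00"
                 b"AttackThread\x00flood_b.cpp\x00SetConnRate\x00",
    "chachabot": b"\x00__libc_start_main\x00StartAttack\x00AttackThread\x00"
                 b"flood_a.cpp\x00chacha.cpp\x00",
}
COMMON_STRINGS = {"__libc_start_main", "GCC: (GNU) 4.4.7"}

CODE_SAMPLES = {
    "elknot": b"PROLOGUE" b"ATTACK00" b"UDPFLOOD" b"SYNFLOOD" b"MAINLOOP",
    "billgates": b"PROLOGUE" b"ATTACK00" b"UDPFLOOD" b"SYNFLOOD" b"GATESRUN",
    "chachabot": b"PROLOGUE" b"chachabt" b"udpfld01" b"synfld01" b"mainloop",
}
COMMON_CODE = {b"PROLOGUE"}   # a compiler-generated chunk present in every sample


def analyze(mode: str, filter_common: bool = True):
    """Build the reuse graph for 'code' or 'strings'. filter_common=False
    shows why library genes must be excluded before drawing conclusions."""
    if mode == "strings":
        genes = {n: string_genes(d) for n, d in STRING_SAMPLES.items()}
        common = COMMON_STRINGS
    else:
        genes = {n: code_genes(d) for n, d in CODE_SAMPLES.items()}
        common = COMMON_CODE
    return reuse_graph(genes, common if filter_common else set())


if __name__ == "__main__":
    for mode in ("code", "strings"):
        edges, clusters = analyze(mode)
        print(mode, "edges:", edges)
        print(mode, "clusters:", clusters)
```

With the constructed inputs the code graph splits into two clusters (the ChaChaBot placeholder shares no code chunk with the others) while the string graph joins all three samples, which is the pattern the report describes; running `analyze("code", filter_common=False)` merges everything through the shared prologue chunk, which is exactly the false link that excluding common fragments prevents.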
This theory does make sense, considering that there is a four-year gap between Elknot and the ChaChaBot family, so it is feasible that ChaChaBot has integrated some modified Elknot code. By analyzing some of the ChaChaBot binaries, we observed that some of the functions that had been reused from Elknot had the same names as previously seen in Elknot samples, including source code file names (Figure 6).

Figure 6: Some of the functions reused from Elknot in ChaChaBot samples had the same names as previously seen in Elknot samples.

We decided to apply a string-reuse analysis to the same test group. The results are shown in Figure 7.

Figure 7: ChinaZ string reuse.

The graph shown in Figure 7 is a string reuse graph of the same test group. Color schemes for nodes and edges follow the same convention as previously discussed. The graph shows that all of the different samples, including the ChaChaBot samples, reuse a substantial number of strings, reinforcing the theory that ChaChaBot adapted some Elknot code, despite there being no direct code-reuse connection. Our database additionally holds millions of classified strings. In contrast with code reuse, string matching is cross-platform and architecture-agnostic, meaning that we can find strings shared between tools from different operating systems and different architectures. It has been speculated that this group has been sharing code through Chinese forums, which could also have been a source of monetization and could explain how families with modified code bases, such as ChaChaBot, have emerged.

2.2 Nitol

Nitol is a DDoS botnet that targeted mainly Windows systems and was first discovered around August 2011 [9]. Infections from this botnet were most prevalent in China. Microsoft researchers in China initially discovered Nitol while investigating the sale of computers loaded with counterfeit copies of the Windows operating system.
It was discovered that most of the Nitol-infected endpoints were brand new from the factory, implying that the malware was potentially installed at some point during the assembly and manufacturing process; all infected endpoints also had a counterfeit version of the Windows operating system. On 10 September 2012 [10], Microsoft took legal action against the Nitol botnet, obtaining a court order to sinkhole one of Nitol's predominant domains for C&C communication, hosted under 3322 [11].

2.2.1 Nitol artifacts and modus operandi

Nitol's main outstanding characteristic was that it was developed mainly to spread via removable media and mapped network shares. The main Nitol binary comes in the form of a DLL named lpk.dll. The genuine lpk DLL is part of the Microsoft Language Pack and, by default, this DLL is loaded by every process, much like kernel32.dll. Nitol copies itself into multiple directories and attempts to exploit the module loading process used by Windows. This technique is commonly known as search order hijacking: the malware loads itself into a given process's virtual address space, taking precedence over the genuine target library it seeks to hijack, in this case lpk.dll located in System32. This technique is illustrated in Figure 8.

Figure 8: Nitol DLL hijacking.

The main lpk.dll Nitol library will drop several other samples with different functionalities. The most common implant seen dropped by Nitol is a piece of malware known as ServStart. Figure 9 is a FireEye description [12] of this malware.

Figure 9: FireEye's description of ServStart.

We at Intezer also came across ServStart being dropped by Nitol [13].

SERVSTART (aka Nitol) is a Trojan that installs either as a binary executable or a dynamic link library and registers itself as a service. That service enables a remote user to connect to a remote server, download and run or install other malicious files, stop or restart the system, and perform distributed denial of service activities.
The malware is capable of communication via TCP or UDP connections and it installs itself with a mutex to ensure a single copy of the software is installed. It is also capable of updating or uninstalling itself from a system.

Figure 10: ServStart being dropped by Nitol [13].

Nowadays, lpk.dll infection is not commonly seen, although ServStart is a very common piece of malware seen in the wild.

3. CHINAZ AND NITOL CORRELATIONS

In this section, we will detail an investigation we conducted at Intezer while tracking some ChinaZ servers, in which we found connections between ChinaZ and Nitol.

3.1 ChinaZ attacks discovered via honeypots

We at Intezer have several deployed honeypots and we monitor various malware behaviors through them. We came across an interesting intrusion conducted via SSH/Telnet credential brute-forcing. Figure 11 is the log of the intrusion session in one of our honeypots. The downloader bash script seems to be fairly simple in logic: after several attempts at changing the dropped implant's file permissions, once it detected that the implant could not be executed, it changed directory from /root to /tmp. Once we accessed where the script was trying to download its corresponding files, we found the files being hosted on a Chinese HTTP File Server (HFS) panel. Figure 12 is a screenshot of this panel.

Figure 11: Log of the intrusion session in one of our honeypots.

Figure 12: ChinaZ panel.

3.2 Analysis of ChinaZ artifacts

As previously mentioned, ChinaZ is known to use Chinese HFS instances, and unlike other major DDoS botnets such as Mirai, ChinaZ operates mostly on Windows servers. On this particular HFS server we observed various files. The two Linux-prefixed files are both regular BillGates builds. We confirmed this fact based on our code reuse engine, as shown in Figure 13.

Figure 13: BillGates analysis [14, 15].

Figure 14: ChinaZ vs. Gh0st RAT source comparison.
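The lpk.dll search order hijacking described in Section 2.2.1 has a simple defensive counterpart: any copy of a DLL that Windows loads into every process, found beside an application, in a removable-media root or on a mapped share, is suspicious when its hash differs from the genuine System32 copy. The scanner below is an added example written for this edit; it is not part of the Intezer report and not a Microsoft tool. The directory tree, the "genuine" bytes and the trusted hash are constructed inside demo() so the scan runs offline on any operating system; on a real Windows host one would point scan_for_hijacks() at the drives and shares of interest and seed trusted_hashes from the known-good System32 file.

```python
"""Added example: scanner for planted lpk.dll copies (search order hijacking).

Not part of the Intezer report. Walks a directory tree, hashes every file
whose name (case-insensitively) matches a protected DLL name, and flags the
copies whose SHA-256 is not in the set of trusted hashes. demo() builds a
constructed tree with placeholder bytes so the code runs stand-alone.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_for_hijacks(root: str, protected_names, trusted_hashes):
    """Report every file under `root` whose name is one of `protected_names`
    (compared case-insensitively) and whose SHA-256 is not trusted.
    Returns a sorted list of (path, sha256) tuples."""
    wanted = {n.lower() for n in protected_names}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in wanted:
                continue
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest not in trusted_hashes:
                findings.append((path, digest))
    return sorted(findings)


def demo():
    """Constructed tree: a fake System32 holding the 'genuine' lpk.dll, a clean
    application shipping an identical copy, an application directory with a
    planted copy, and a share root with a planted copy under a different case.
    Returns the flagged paths relative to the tree root, with '/' separators."""
    root = tempfile.mkdtemp(prefix="lpk_scan_")
    genuine = b"GENUINE LPK.DLL - constructed placeholder bytes"
    planted = b"PLANTED LPK.DLL - constructed placeholder bytes"
    layout = {
        "Windows/System32/lpk.dll": genuine,
        "Program Files/CleanApp/lpk.dll": genuine,   # same hash: not flagged
        "Program Files/Game/lpk.dll": planted,       # flagged
        "Program Files/Game/game.exe": b"MZ placeholder",
        "Users/Public/share/LPK.DLL": planted,       # flagged despite the case
    }
    try:
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        trusted = {hashlib.sha256(genuine).hexdigest()}
        findings = scan_for_hijacks(root, ["lpk.dll"], trusted)
        return [os.path.relpath(p, root).replace(os.sep, "/") for p, _ in findings]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel in demo():
        print("suspicious lpk.dll copy:", rel)
```

Matching on the hash rather than on location alone is what keeps a legitimate side-by-side copy of the genuine DLL out of the findings, and the case-insensitive name match mirrors how the Windows loader resolves module names, so a copy renamed to LPK.DLL is still caught.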