A significant development in cybersecurity has emerged as the Chinese firm Qihoo 360 Netlab announced a collaboration with Baidu aimed at dismantling a malware botnet that has compromised hundreds of thousands of systems. The targeted botnet, linked to a group known as ShuangQiang or “Double Gun,” has a history of launching attacks since 2017, primarily focusing on Windows machines. These attacks employ sophisticated techniques such as Master Boot Record (MBR) and Volume Boot Record (VBR) bootkits to install malicious drivers, yielding financial benefits to the attackers while redirecting web traffic to fraudulent e-commerce sites.
Researchers from Qihoo have uncovered that ShuangQiang employs clever methods to disseminate its malicious payloads, notably utilizing steganography by hiding configuration files and malware within images uploaded to Baidu Tieba, a popular Chinese online community. The group has recently diversified its operations by leveraging Alibaba Cloud for hosting these configuration files and integrating Baidu’s analytics platform, Tongji, to track the actions of the infected devices, effectively expanding their operational reach.
The initial vector for compromise appears to be enticing users into downloading game-launching software from dubious online portals, disguised as patches but laden with malicious code. Following the installation of this software, users unwittingly download a separate executable, “cs.dll,” which is served as an embedded image file. This executable generates a bot ID and communicates with a server controlled by the attackers while injecting another driver designed to commandeer system processes such as “lassas.exe” and “svchost.exe.” These actions in turn facilitate the download of additional payloads, furthering the group’s objectives.
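The two paragraphs above describe payloads hidden in image files: configuration data and malware inside pictures posted to Baidu Tieba, and “cs.dll” served as an embedded image. A defender's first triage question for such a file is whether the bytes past the image's logical end, or a chunk whose checksum no longer matches its contents, betray a smuggled file. The following scanner is an added example written for this article, not code from Qihoo, Baidu or the campaign; it walks the PNG chunk list, flags CRC mismatches and any data appended after the IEND chunk, and builds its own constructed sample image rather than using any real artifact from the campaign.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, payload):
    """Encode one PNG chunk: 4-byte length, type, payload, CRC32 over type+payload."""
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def inspect_png(data):
    """Walk the chunk list and report two tamper signals a scanner can alert on:
    chunks whose CRC no longer matches their payload, and any bytes appended
    after IEND, where an image viewer stops reading but a dropper does not."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, bad_crc, trailing = len(PNG_SIG), [], b""
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            break  # truncated chunk: stop rather than read past the buffer
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            bad_crc.append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":
            trailing = data[pos:]
            break
    return {
        "bad_crc_chunks": bad_crc,
        "trailing_bytes": len(trailing),
        "trailing_is_pe": trailing.startswith(b"MZ"),  # DOS/PE header magic
    }


def build_sample(appended=b"MZ\x90\x00<constructed payload stand-in>"):
    """Constructed 1x1 RGB PNG; by default a fake MZ-headed blob is appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + appended


if __name__ == "__main__":
    print(inspect_png(build_sample()))            # trailing MZ blob reported
    print(inspect_png(build_sample(appended=b"")))  # clean image, nothing flagged
```

A hit on either signal is not proof of malware on its own (some editors append metadata), but combined with the download context described above it is a cheap, high-value filter for a web proxy or mail gateway.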
Moreover, the investigative team outlined an alternate infection chain in which legitimate game client software has been modified to include malicious libraries, a method known as DLL hijacking. This technique causes the malicious library to be loaded before the legitimate module is executed, ultimately deepening the compromise of the affected systems.
In a timely response, Qihoo reached out to Baidu’s security team on May 14, leading to a coordinated effort to mitigate the botnet’s progress by blocking any downloads from associated URLs. This collaborative operation has enhanced visibility into the technical strategies utilized by the Double Gun group, allowing the partners to develop a better strategic understanding.
For business owners concerned about cybersecurity risks, this incident highlights potential adversary tactics that may align with the MITRE ATT&CK framework. The key tactics identified include initial access through misleading software, persistence via the installation of malicious drivers, and privilege escalation through compromised system processes. As the cybersecurity landscape continues to evolve, staying informed about such threats is crucial for safeguarding organizational assets.
In conclusion, this incident serves as a reminder of the complexities and persistent threats present in the digital landscape. The collaboration between Qihoo and Baidu underscores the importance of cooperative efforts in combating cybercrime. Such threat actors remain a significant concern, and the business community should prioritize robust cybersecurity measures while fostering awareness of evolving tactics and techniques.