Researchers dismantled ShuangQiang gang’s botnet that infected thousands of PCs

A joint operations conducted by experts from Chinese firms Qihoo 360 Netlab and Baidu dismantle the ShuangQiang ‘s botnet infecting over hundreds of thousands of systems.

A joint operation conducted by Chinese security firm Qihoo 360 Netlab and tech giant Baidu disrupted a botnet operated by a group tracked as ShuangQiang (aka Double Gun) that infected over hundreds of thousands of systems.

ShuangQiang is financially motivated, it has been active since 2017 targeting Windows computers with MBR and VBR bootkits, and installing malicious drivers for financial gain and hijack web traffic to e-commerce sites.

“Recently, our DNS data based threat monitoning system DNSmon flagged a suspicious domain pro.csocools.com. The system estimates the scale of infection may well above hundreds of thousands of users. By analyzing the related samples and C2s.” reads the analysis published by the experts.
“We traced its family back to the ShuangQiang(double gun) campaign, in the past, this campaign has been exposed by multiple security vendors, but it has rvivied and come back with new methods and great force.”

Threat actors were distributing configuration files and malware that were hidden using steganography in images uploaded to Baidu Tieba. The hackers also began using Alibaba Cloud storage to host configuration files and Baidu’s analytics platform Tongji as command infrastructure.

The attack chain leverages game launching software from underground game portals that contain malicious code masqueraded as a patch.

Attackers used two methods to infect the victims, one using the game launcher with malicious code, the second releasing and load a malicious driver.

Upon downloading and installing the alleged patch from an underground game server, the victim accesses the configuration information to download another program named “cs.dll” from Baidu Tieba that’s stored as an image file. Then the “cs.dll” creates a bot ID and contacts the C2, then it injects a second driver that hijacks system processes (e.g., lassas.exe and svchost.exe) to download next-stage payloads.

“The drive will copies itself to Windows/system32/driver/{7 random letters}.sys to disguise itself as a legitimate drive, such as fltMgr.sys, and inject DLL module to the system processes Lassas.exeand svchost.exe.” continues the report. “After the entire initialization process is completed, a driver and DLL module work together to complete the work mode through DeviceIoControl () , which is a driver-level downloader. All sensitive configuration information is stored inside the driver.”

In the second attack chain detailed by the researchers, the attackers leverage DLL hijacking to force game client software into loading malicious DLL files using the same name.

Threat actors altered the software using a modified version of photobase.dll, which is used by multiple underground game client software.

Experts from Qihoo 360 Netlab reported their findings to Baidu on May 14 and that launched a jointly operations to block the botnet by tracking all the URLs used by the attackers.

“During this joint action, we had a better understanding on double gun gang’s technical means, logic, and rules, by sharing, analysising, and response to the related threat intelligence.” concludes the report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – ShuangQiang, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]