

Tencent Security Anti-Virus Laboratory: the latest state of web drive-by Trojan ("挂马") black-market operations

Posted by deeson at 2020-03-08


Monitoring by Tencent Security Anti-Virus Laboratory has found a large number of web drive-by Trojan ("挂马", planting a Trojan on a web page) attacks recently, affecting a wide area: victims were seen in 31 provinces across the country.

The distribution channels fall into two types: advertising slots on large websites ("big-site ad drive-by") and websites operated by the attackers themselves ("self-operated drive-by").

In self-operated distribution, domestic and overseas servers are used together to evade domestic review: a clean domestic site shows a "domain migration notice" that lures visitors to an overseas server hosting the exploit.

The profit model relies mainly on paid installs of promoted software and on stealing game accounts, both highly profitable.

Based on the network traffic characteristics of the Trojans, the laboratory captured a number of Trojan families and variants, and uses these characteristics in a continuous tracking mechanism that builds situational awareness so that new threats are found as early as possible.

Some time ago the laboratory analyzed a malicious program distributed through web advertisement drive-bys: after luring the user into clicking a pornographic advertisement link, the Trojan planted a backdoor on the victim's computer and at the same time ran a cryptocurrency miner for profit.

Our monitoring has since found a new trend in drive-by attacks carried out both through large websites and through small sites such as "passion video" pages. Combining the threat-awareness data of Tencent PC Manager and the Hubble analysis system, we analyzed how this round of attacks has changed in distribution method, targets and profit model.

1、 Overall situation

This round of attacks has lasted about a year and involves 15 payloads, 72 domain names, nearly 100,000 (10万) users and 31 provinces in China. The top 10 provinces are:

2、 Distribution channels

The attack began in July 2016. Peak daily visits to the drive-by sites and peak daily infections were 34,000 and 6,800 respectively. Because the affected environments (such as Internet cafes) have low antivirus installation rates, the real number of infections may far exceed the 100,000 PCs currently estimated from Hubble big data; in the worst case the number of infected machines may reach 2,000,000.

1. Drive-by methods

Common ways of planting a Trojan on a web page are:

Intrusion drive-by (compromising a legitimate site): damaging, but it requires the target site to have a vulnerability, which is a matter of chance rather than something that can be found on demand, and the planted page does not survive long.

Poisoning advertising slots (malvertising): the next step after intrusion drive-bys; powerful and technically cheap, but it requires a large investment in advertising resources.

DNS hijacking to poison a legitimate site: a serious security incident, but rarely seen.

The new method, "self-operation": build your own website and then promote it yourself, which is simpler and more efficient.

2. Analysis of the "big-site ad drive-by" process

By buying advertising on large websites, with the help of sites that do not strictly review their advertisements, the Trojan group gets its malicious web code displayed to users and triggers a vulnerability in the user's browser, achieving large-scale distribution.

The affected site types are distributed as follows (small sites that cannot be classified are excluded):

CVE-2016-0189 is the main vulnerability used in this campaign. Compared with other exploits, CVE-2016-0189 does not crash the host process, so exploitation is stable and highly effective. (CVE-2016-0189 is a memory corruption in the Internet Explorer scripting engine, fixed by Microsoft in the May 2016 update MS16-051; only unpatched IE installations are exposed.)

Several of the events with the largest impact are:

Two vulnerabilities are involved, CVE-2014-6332 and CVE-2016-0189. Limited by Windows patching practices, a large number of PCs remain exposed: for example, the two large-scale intrusion drive-by campaigns monitored by Hubble situational awareness last year both spread through these two vulnerabilities. Since the fourth quarter of 2016, use of CVE-2016-0189 has grown markedly. (CVE-2014-6332 is the Windows OLE automation array vulnerability fixed by MS14-064 in November 2014; both bugs have had patches available for a long time, so the ongoing exposure reflects unpatched machines, not new flaws.)

Distribution of operating system and IE versions among the victims of the exploit captured this time:

3. Analysis of the "self-operated drive-by" process

64 domain names are involved in the distribution process, and they fall into two categories:

Class A: distribution domains, hosted in China, serving non-malicious content, easy to promote.

Class B: malicious-content domains, hosted in the United States, carrying the exploit code.

The class A domains can be found through a search engine by keyword:

After the user arrives, a "domain migration notice" guides the user to a class B domain.

The class B server is located in the United States; the exploit fires as soon as the user visits it:

To increase the number of infections, the author takes a two-pronged approach: even if the browser has no exploitable vulnerability, the user is guided to download a fake video player that carries the Trojan.

Some of the domain name information involved is as follows:

The analysis shows that drive-by distribution has given rise to a "self-operated" model with a low technical threshold: it is less affected by the external environment, relies neither on vulnerabilities in third-party websites nor on advertising channels, and is suited to large-scale promotion.
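The forced hop from a clean class A page to the class B exploit host is the part of this model a defender can check mechanically. The following is an added example, not code from Tencent or from the campaign: it scans a landing page for automatic redirects (meta refresh and JavaScript location assignments) whose registered domain differs from the page's own. The HTML, the host names and the naive "last two labels" registered-domain rule are assumptions of the example.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Constructed landing page in the style of a "domain migration notice".
# The host names are placeholders, not domains from the campaign.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="3; url=http://video-new.example.net:81/play.html">
</head><body>
<p>The domain of this site has migrated; you will be redirected in 3 seconds.</p>
<script>
setTimeout(function () {
  window.location.href = "http://video-new.example.net:81/play.html";
}, 3000);
</script>
<a href="/about.html">about</a>
<a href="http://cdn.example.com/player.exe">download player</a>
</body></html>
"""

# Automatic redirect mechanisms only. Anchor tags are deliberately not
# matched: they need a click, so they are not a forced redirect.
PATTERNS = [
    ("meta-refresh", re.compile(
        r'<meta\b[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*'
        r'content\s*=\s*["\']?\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)', re.I)),
    ("js-location", re.compile(
        r'location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("js-location-call", re.compile(
        r'location\.(?:replace|assign)\s*\(\s*["\']([^"\']+)["\']', re.I)),
]


def registered_domain(host):
    """Naive eTLD+1: the last two labels. A production tool should use the
    Public Suffix List; this simplification is an assumption of the example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def forced_redirects(html, page_url):
    """Return automatic redirect targets whose registered domain differs
    from the page's own, i.e. the class A -> class B hop."""
    origin = registered_domain(urlparse(page_url).hostname or "")
    hits = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(html):
            target = unescape(match.group(1)).strip()
            parsed = urlparse(target)
            if not parsed.hostname:           # relative URL stays on this host
                continue
            if registered_domain(parsed.hostname) == origin:
                continue
            hits.append({
                "kind": kind,
                "url": target,
                "host": parsed.hostname,
                "port": parsed.port or (443 if parsed.scheme == "https" else 80),
            })
    return hits


if __name__ == "__main__":
    for hit in forced_redirects(SAMPLE_PAGE, "http://clean-site.example.org/"):
        print(f'{hit["kind"]:14} -> {hit["host"]}:{hit["port"]}  {hit["url"]}')
```

Run against the constructed page the script reports two off-domain forced redirects (the meta refresh and the JavaScript assignment), both to port 81, while the download link is ignored because it requires a click. Regex scanning is a triage aid only; obfuscated scripts need a headless browser that records the navigation chain.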

3、 Payload analysis

1. The overall execution flow of the payload is as follows:


Jmqle.exe and xfplay01.exe are the droppers, the parents of the whole Trojan family.

After startup, a driver with a random name is dropped to defeat system-restore protection (the disk-restore setups common in Internet cafes), and the Winlogon Userinit value is hijacked so that the Trojan starts at every logon.

Once the environment is prepared, a userinit.exe is dropped; it downloads the address list located at 81 / XX / in10.txt and carries out the malicious tasks.

15 payloads are involved, with the following functions:

Take 5.exe as an example: the Trojan uses a personal page on a well-known blog platform as its C&C channel. The operator controls the Trojan by posting articles; the Trojan visits the page, fetches the article content and converts it into control command data:

The final data are:

The Trojan uses this configuration to control the victim's browser, redirecting a payment page in progress to a site the Trojan author built himself, which intercepts the victim's payment data and profits heavily from it.
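The Userinit hijack is the persistence step a responder can verify directly, since a clean system has exactly one entry in that value. The following is an added example, not Tencent's code or the Trojan's: it parses a Userinit value, reports every entry that is not the expected system32\userinit.exe, and on Windows reads the live value from the registry. The sample values are constructed; the path to the second program in the "appended" sample is an assumption, not a path observed on a victim.

```python
import os
import sys

# Canonical Userinit value on a clean system (the trailing comma is normal).
CANONICAL = r"C:\Windows\system32\userinit.exe,"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def userinit_entries(value):
    """Split the comma-separated Userinit value into normalized entries."""
    entries = []
    for raw in value.split(","):
        entry = raw.strip().strip('"').replace("/", "\\")
        if entry:
            entries.append(entry)
    return entries


def suspicious_userinit(value, windir=None):
    """Return every entry that is not the one expected system32\\userinit.exe.
    Programs appended after it, or a userinit.exe living somewhere else, are
    exactly the hijack described for this Trojan family."""
    if windir is None:
        windir = os.environ.get("SystemRoot", r"C:\Windows")
    expected = (windir.rstrip("\\") + r"\system32\userinit.exe").lower()
    return [e for e in userinit_entries(value) if e.lower() != expected]


def read_live_userinit():
    """Read the live value on Windows; on other platforms return the
    canonical value so the script still runs for the reader."""
    if sys.platform != "win32":
        return CANONICAL
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    # Constructed sample values, not registry contents observed on a victim.
    samples = {
        "clean": CANONICAL,
        "appended": r"C:\Windows\system32\userinit.exe,C:\ProgramData\svc\xfplay01.exe,",
        "replaced": r"C:\Users\Public\userinit.exe,",
    }
    for name, value in samples.items():
        print(f"{name:9} -> suspicious: {suspicious_userinit(value)}")
    print("live      -> suspicious:", suspicious_userinit(read_live_userinit()))
```

Two caveats apply on a real host: a dropper that replaces the legitimate userinit.exe in place would pass this check and needs a hash or signature comparison of the binary itself, and on 64-bit Windows the value should be read from the native view of the registry (a 32-bit Python reads the redirected view).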
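The blog page acts as a dead drop: the Trojan never needs a dedicated C&C host to learn which payment pages to hijack. The following is an added example, not the Trojan's code or a decoding of its real format, which this page does not document. It assumes a config of one directive per line, base64-wrapped inside a post body, and shows the two halves of the mechanism that matter for analysis: extracting the config from the page and applying its host rules to a URL the victim is visiting. The blog HTML, the directive names and the redirect targets are all constructed.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed configuration in an assumed format: one directive per line,
# base64-wrapped so it reads as an innocuous blog post. "interval" is the
# polling period in seconds; "rule=<host>=><target>" redirects that host.
CONFIG_PLAINTEXT = (
    "interval=600\n"
    "rule=pay.example.com=>http://203.0.113.5:808/pay\n"
    "rule=cashier.example.net=>http://203.0.113.5:808/cashier\n"
)

# Constructed blog page carrying the config in its post body.
SAMPLE_BLOG = (
    '<html><body><div class="post-title">Daily notes</div>\n'
    '<div class="post-body">'
    + base64.b64encode(CONFIG_PLAINTEXT.encode()).decode()
    + "</div></body></html>"
)

POST_BODY = re.compile(r'<div class="post-body">(.*?)</div>', re.S)


def extract_config(page_html):
    """Pull the post body out of the page and decode it; None if absent."""
    match = POST_BODY.search(page_html)
    if not match:
        return None
    return base64.b64decode(match.group(1).strip()).decode()


def parse_config(text):
    """Turn the decoded directives into a polling interval and a host map."""
    cfg = {"interval": None, "rules": {}}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        if key == "interval":
            cfg["interval"] = int(val)
        elif key == "rule":
            host, _, target = val.partition("=>")
            cfg["rules"][host.strip().lower()] = target.strip()
    return cfg


def redirect_for(url, rules):
    """Return the attacker page a visit to `url` would be redirected to,
    or None when the host is not in the rule set."""
    host = (urlparse(url).hostname or "").lower()
    return rules.get(host)


if __name__ == "__main__":
    cfg = parse_config(extract_config(SAMPLE_BLOG))
    print("poll every", cfg["interval"], "seconds")
    for url in ("https://pay.example.com/checkout?id=1", "https://www.example.com/"):
        print(url, "->", redirect_for(url, cfg["rules"]))
```

For detection the useful observation is the access pattern rather than the format: a non-browser process fetching the same blog page at a fixed interval, and the victim's browser being sent from a payment host to an IP-literal server on a non-default port, are both visible in proxy logs even when the encoding changes.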

2. Traffic detection

During the attack, the traffic between the Trojan and its C&C server can be captured as follows:

By collating similar traffic, 10 C&C servers were found.

To keep statistics sites from crawling their data, all the malicious servers use non-default HTTP ports such as 81 and 808. That choice cuts both ways: HTTP on an unusual port to a bare IP address is itself a strong signal for network detection.

3. How the payload evolves

Searching further on the traffic characteristics of the payload's C&C connections turned up several other works by the same author. Their functions do not differ fundamentally from those analyzed above, but they have not spread widely.

Their upload times are later than those of the widely spread samples, which may mean the author is preparing the next round of distribution.
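The traffic features described here (HTTP to a bare IP address on a port like 81 or 808, fetching a plain-text task list) can be turned into a log-level detector. The following is an added example, not Tencent's detection logic: it scores each request on those weak signals, keeps destinations that match at least two, and groups them by server while counting distinct victims, which is the "collate similar traffic into C&C servers" step. The log format and every address in it are constructed for the example; the documentation-range IPs stand in for real servers.

```python
import re

# Constructed proxy-log excerpt (a made-up format, not a product's log):
# fields are timestamp, source IP, destination host, port, method, path.
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.0.0.5 203.0.113.10 81 GET /list/addr.txt
2017-03-01T10:00:02 10.0.0.5 www.example.com 80 GET /index.html
2017-03-01T10:00:03 10.0.0.7 203.0.113.10 81 GET /list/addr.txt
2017-03-01T10:00:04 10.0.0.7 203.0.113.22 808 POST /report.php
2017-03-01T10:00:05 10.0.0.9 cdn.example.net 443 GET /player.js
2017-03-01T10:00:06 10.0.0.5 198.51.100.4 8080 GET /api/v1
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Ports on which plain HTTP is unremarkable in most networks.
STANDARD_WEB_PORTS = {80, 443, 8080, 8000, 8443}


def parse_line(line):
    """Split one log line into a record; port becomes an int."""
    ts, src, dst, port, method, path = line.split(maxsplit=5)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "method": method, "path": path}


def signals(rec):
    """Weak indicators that, combined, match this campaign's C&C traffic."""
    reasons = []
    if rec["port"] not in STANDARD_WEB_PORTS:
        reasons.append("nonstd-port")      # e.g. 81 or 808 as used by these servers
    if IPV4.match(rec["dst"]):
        reasons.append("ip-literal")       # no hostname at all
    if rec["path"].lower().endswith(".txt"):
        reasons.append("txt-fetch")        # plain-text task or address list
    return reasons


def suspected_c2(log_text, min_signals=2):
    """Group requests with at least `min_signals` indicators by destination
    and count distinct source hosts (victims) per suspected C&C."""
    grouped = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = signals(rec)
        if len(reasons) < min_signals:
            continue
        key = f'{rec["dst"]}:{rec["port"]}'
        entry = grouped.setdefault(key, {"victims": set(), "reasons": set()})
        entry["victims"].add(rec["src"])
        entry["reasons"].update(reasons)
    return {key: {"victims": len(v["victims"]), "reasons": sorted(v["reasons"])}
            for key, v in grouped.items()}


if __name__ == "__main__":
    for server, info in suspected_c2(SAMPLE_LOG).items():
        print(f'{server:20} victims={info["victims"]} reasons={info["reasons"]}')
```

On the constructed log the detector keeps 203.0.113.10:81 (two victims, all three signals) and 203.0.113.22:808, while the request to 198.51.100.4:8080 is dropped because 8080 is treated as a normal web port and it carries only one signal. The threshold is deliberately a tunable: a single signal produces too many false positives in networks with internal services on odd ports, so the "victims" count is what should drive escalation.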

4、 Profit analysis

The Trojan group currently has four profit models:

Profit model 1. Fake dating software that tricks users into paying for top-ups

Profit model 2. Promotion of the gambling application Tiantian Chess and Card Game Center

The per-install fees involved in the gambling software revenue are as follows:

Profit model 3. Software promotion (pay-per-install)

After installing assorted promoted software on the victim's computer, the operator takes a cut from the software promoter.

Profit model 4. Stealing game accounts

Assume the operator of the drive-by site does not take part in downstream steps such as account laundering and selling in-game gold, but profits directly by selling the stolen account credentials.

Taking a well-known online game as an example, laundered accounts are priced by character level:

Level 85 and above: 2.8 yuan per account.

Level 40 and above: 1.8 yuan per account.

Unfiltered: 0.2 to 0.5 yuan per account.

We estimate that the share of game-related activity in the black market's profits has risen markedly, overtaking software promotion to take first place, which is closely tied to the rapid growth of the game industry in recent years.

5、 Continuous tracking

1. Continuous follow-up through traffic detection

The C&C servers collected by Hubble situational awareness are kept under continuous monitoring.

The Trojans are still active.

2. Continuous follow-up of payloads

The collected payload samples are also fed into the Hubble dynamic analysis system in real time.

More traffic characteristics are extracted from them to feed situational awareness, so that new threats are found as early as possible and users are protected.

3. Continuous follow-up of the Trojan operators

At the same time we track the latest moves of the Trojan operators, such as their sensitive network behaviour. Combining the dynamics of payloads, C&C servers and operators gives a three-dimensional picture of the situation.

6、 Summary

1. Change in distribution trend

The technical threshold for drive-by distribution keeps falling: the "self-operated" model has evolved out of the higher-threshold models such as intrusion drive-bys and DNS hijacking.

2. Change in profit model

The share of game-related activity in the black market's profits has risen markedly, overtaking software promotion to take first place, in step with the rapid growth of the game industry in recent years.

*Author of this article: Tencent PC Manager; reprinted from