分类Threat Intelligence下的文章

admin001 发布于 09月21, 2018

Poison Ivy Group and the Cyberespionage Campaign Against Chinese Military and Goverment

Chapter 1 Overview

1. Main Findings

Through research, 360 Helios Team has found that, since 2007, the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments, such as national defense, government, science and technology, education and maritime agencies. The group mainly targets military industry, Sino-US relations, cross-strait relations and ocean-related fields. It indicates that the group’s interest is similar to that of our previously published OceanLotus APT Group.

360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007. In the following 11 years, we have captured 13 versions of malicious code, involving 73 samples. In the initial attack, the Group mainly used spear phishing emails. Before the attack, the target was deeply investigated and carefully selected. Contents that are closely related to the target industry or field were used to construct the bait files and emails, such as specific conference materials, researches or announcements. The lure documents contain 10 vulnerable document samples, including a 0day vulnerability. Infections of this Trojan are distributed in 31 provincial-level administrative regions. The number of C&C domain names is 59 located in 4 different countries or regions according to the returned addresses.

In this cyber espionage campaign that lasted for 11 years in China, the following points in time are worthy of attention:

  • In December 2007, the Trojan associated with the group was first discovered. Involving marine related fields (suspected to be related to a large shipping company)
  • In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked
  • In February 2009, attacks against the military industry began (a well-known military journal magazine)
  • In October 2009, the Trojan added a special method of combating static scanning (API string reverse order), and the methods were used in most versions of Trojans and continued to be applied to 2018.
  • In December 2011, the Trojan added a special method to combat dynamic detection (error API parameters), and related methods were used in most versions of Trojans and continued to be applied to 2015.
  • In February 2012, the first modified version of backdoor 1 based on zxshell code was discovered. The key function is to steal document files such as .doc.ppt.xls.wps.
  • In March 2013, intense attacks were constructed targeting Chinese Academy of Sciences and a number of national ministries and commissions in the fields of science and technology, maritime affairs, etc.
  • In October 2013, carried out watering hole attack on a Chinese government website
  • In May 2014, the revolted version 2 of zxshell modified version of Backdoor 1 was discovered. In addition to the function based on the modified version 1, the search for keywords such as "military (军)", "aviation (航)", and "report (报告)" was added.
  • On September 12, 2014, events and samples related to CVE-2014-4114 (0day vulnerability) were first discovered.
  • On October 14, 2014, iSIGHT released the relevant report and disclosed CVE-2014-4114 (0day vulnerability). On the same day, Microsoft released relevant security bulletins.
  • On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
  • In October 2017, the CVE-2017-8759 vulnerability document was used to initiate a spear phishing attack on a large media agency website and an individual working in Quanzhou.
  • In April 2018, the 360 Threat Intelligence Center disclosed the attack malicious code of the group, exploring CVE-2017-8759.
  • In May 2018, the actor launched attacks against several maritime organizations such as shipbuilding companies and port operating companies.

Note: The above first attack time is based on the existing statistics we have. It does not mean that we have known all the attacks and behaviors of the organization.

2. About the Codename of the Group

Since 2015, APT researches in China has gradually started and accelerated. Following the exposure of APT organizations such as “OceanLotus” and “LanBao Mushroom”, the Poison Ivy Group (APT-C-01) is another APT organization that launches persistent attacks targeting government, military, and maritime organizations and stealing sensitive information.

This cyberespionages group was independently discovered by 360 and was first disclosed previously with part of the information. The code-naming is in line with 360’s naming standard for APT organizations.

360 Threat Intelligence Center named the APT-C-01 organization "Poison Ivy", mainly considering the following factors: First, the organization used Poison Ivy Trojans in several attacks. Second, the attack organization used the Cloud disk as a springboard to transmit information. This is similar to the feature of vines that can climb across the wall. According to the 360 Threat Intelligence Center's naming rules for APT organizations (see the report: China APT Annual Report 2016). Considering the common vine plants in the associated areas of the Group, APT-C-01 is named "Poison Ivy".

In addition, Antiy Lab revealed the APT organization "Green Spot" on September 19, 2018. According to the mutual recognition agreement between 360 Threat Intelligence Center and Antiy Lab, the “Poison Ivy” (APT-C-01) and “Green Spot” are different names for the same group. Therefore, we have also announced our discovery.  

Chapter 2 Purposes and Victims

1. Purposes

The main purpose of the attacks is to steal data from the Chinese government and scientific research institutions, which are mainly documents. The following keywords and extension are what the actor searched for :

  • Key words:

阅读全文 »

admin001 发布于 08月15, 2018


APT-C-26(Lazarus 音译”拉撒路”)是从2009年以来至今一直处于活跃的APT组织,据国外安全公司调查显示,该组织最早的攻击可能和2007年针对韩国政府网站大规模DDOS攻击的“Operation Flame”行动相关,同时可能是2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件和2017年席卷全球的“Wannacry”勒索病毒等著名攻击事件的幕后组织。2017年以来,该组织将攻击目标不断扩大,日趋以经济利益为目的,从针对全球的传统金融机构银行系统进行攻击,开始转向于针对全球加密货币组织和相关机构以及个人进行攻击。

阅读全文 »

admin001 发布于 08月15, 2018

Brief Analysis on APT Attack through Cryptocurrency Trading Software

APT-C-26 is an APT group that has been active since 2009. According to the research by an overseas security vendor, the group’s earliest attack may be associated with the “Operation Flame” which was a large-scale DDOS attack on Korean government’s website in 2007. Lazarus may also be the group behind the hacking incident of Sony Pictures in 2014, the data breach of the Bank of Bangladesh in 2016 and other infamous attacks such as the “Wannacry” ransomware that swept across the globe in 2017. Since 2017, the group has been expanding its targets of attack and increasingly aimed at economic interests. In earlier attacks, the group mainly targeted the banking system of traditional financial institutions. Now, it has begun to attack global cryptocurrency organizations and related individuals.

阅读全文 »

admin001 发布于 08月08, 2018


古河@360 Vulcan Team


asset是EOS官方头文件中提供的用来代表货币资产(如官方货币EOS或自己发布的其它货币单位)的一个结构体。在使用asset进行乘法运算(operator *=)时,由于官方代码的bug,导致其中的溢出检测无效化。造成的结果是,如果开发者在智能合约中使用了asset乘法运算,则存在发生溢出的风险。

阅读全文 »

admin001 发布于 08月08, 2018

EOS Asset Multiplication Integer Overflow Vulnerability

Yuki Chen of Qihoo 360 Vulcan Team


The asset structure is defined in EOS’s system header file, it can be used to define the amount of some tokens (such as the official EOS token or some custom tokens defined by user). Recently we discovered a bug in asset’s multiplication operator(operator *=) which makes the integer overflow check in the function to have no effect. If a developer uses asset multiplication in his EOS smart contract, he may need to face the risk of integer overflow.

阅读全文 »

heliosteam 发布于 07月26, 2018

Donot APT组织-针对巴基斯坦最新攻击活动分析


Donot APT组织是一个长期针对南亚地区(主要是巴基斯坦)实施网络间谍活动的APT组织,2017年6月,360威胁情报中心首次发现和曝光了该团伙针对巴基斯坦的定向攻击活动,并详细分析了该组织使用的EHDevel恶意代码框架。2018年3月,国外安全团队ASERT继续披露了该组织新的恶意代码框架yty,并根据PDB路径中的机器用户名将该组织命名为Donot。 Donot APT组织主要针对巴基斯坦等南亚地区国家进行网络间谍活动,该组织主要针对政府机构等领域进行攻击,其中以窃取敏感信息为主。从2017年至今,该组织针对巴基斯坦至少发动了4波攻击攻击行动,攻击过程主要是以携带Office漏洞或者恶意宏的鱼叉邮件进行恶意代码的传播,并先后使用了两套独有的恶意代码框架:EHDevel和yty。 自第一次发现该组织的攻击活动以来,360威胁情报中心对该组织一直保持着持续跟踪,近期我们再次跟踪到该团伙利用较新的Office Nday漏洞发起的新的攻击活动,并对攻击中使用的yty框架最新的恶意代码进行了详细分析。

阅读全文 »

heliosteam 发布于 06月07, 2018

CVE-2018-5002 - Analysis of the Second Wave of Flash Zero-day Exploit in 2018


On June 1, 2018, the Advanced Threat Response Team of 360 Core Security discovered an attack using a new Flash 0-day vulnerability on a global scale. The hackers carefully constructed an Office document that remotely loaded Flash vulnerability. When the document was opened, all the exploit code and malicious payload were delivered through remote servers. This attack mainly targets the Middle East. This vulnerability is the second Flash 0-day vulnerability discovered in 2018 and is currently affecting Adobe Flash Player and below versions.

阅读全文 »

heliosteam 发布于 06月07, 2018



2018年6月1日,360核心安全高级威胁应对团队在全球范围内率先捕获了新的一起使用Flash 零日漏洞(CVE-2018-5002)的在野攻击,黑客精心构造了一个从远程加载Flash漏洞的Office文档,打开文档后所有的漏洞利用代码和恶意荷载均通过远程的服务器下发,此次攻击主要针对中东地区。该漏洞目前影响Adobe Flash Player及其以下版本,是今年出现的第二波Flash零日漏洞在野攻击。

阅读全文 »

admin001 发布于 05月29, 2018

EOS节点远程代码执行漏洞 --- EOS智能合约WASM函数表数组越界


Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security


我们发现了EOS区块链系统在解析智能合约WASM文件时的一个越界写缓冲区溢出漏洞,并验证了该漏洞的完整攻击链。 使用该漏洞,攻击者可以上传恶意的智能合约至节点服务器,在节点服务器解析恶意合约后,攻击者就能够在节点服务器上执行任意代码并完全控制服务器。 在控制节点服务器后,攻击者可以将恶意合约打包进新的区块,进而攻击和控制其他新的节点,最终攻击和控制整个EOS网络。

阅读全文 »