- Chapter 1 Overview
- Chapter 2 Purposes and Victims
- Chapter 3 11 Years’ Persistent Campaign
- 1. Initial Attack
- 2. Vulnerability Analysis
- 3. Persistent penetration
- 4. C&C analysis
- 5. Correlation Analysis
- Chapter 4 The Group Behind the Curtain
- Chapter 5 Group Summary
- Appendix 1: MD5
- Appendix 2: C&C
Through research, 360 Helios Team has found that, since 2007, the Poison Ivy Group has carried out 11 years of cyber espionage campaigns against Chinese key units and departments, such as national defense, government, science and technology, education and maritime agencies. The group mainly targets military industry, Sino-US relations, cross-strait relations and ocean-related fields. It indicates that the group’s interest is similar to that of our previously published OceanLotus APT Group.
360 Helios Team captured the first Trojan of the Poison Ivy Group in December 2007. In the following 11 years, we have captured 13 versions of malicious code, involving 73 samples. In the initial attack, the Group mainly used spear phishing emails. Before the attack, the target was deeply investigated and carefully selected. Contents that are closely related to the target industry or field were used to construct the bait files and emails, such as specific conference materials, researches or announcements. The lure documents contain 10 vulnerable document samples, including a 0day vulnerability. Infections of this Trojan are distributed in 31 provincial-level administrative regions. The number of C&C domain names is 59 located in 4 different countries or regions according to the returned addresses.
In this cyber espionage campaign that lasted for 11 years in China, the following points in time are worthy of attention:
- In December 2007, the Trojan associated with the group was first discovered. Involving marine related fields (suspected to be related to a large shipping company)
- In March 2008, a key laboratory (a scientific research institution) of a university in China was attacked
- In February 2009, attacks against the military industry began (a well-known military journal magazine)
- In October 2009, the Trojan added a special method of combating static scanning (API string reverse order), and the methods were used in most versions of Trojans and continued to be applied to 2018.
- In December 2011, the Trojan added a special method to combat dynamic detection (error API parameters), and related methods were used in most versions of Trojans and continued to be applied to 2015.
- In February 2012, the first modified version of backdoor 1 based on zxshell code was discovered. The key function is to steal document files such as .doc.ppt.xls.wps.
- In March 2013, intense attacks were constructed targeting Chinese Academy of Sciences and a number of national ministries and commissions in the fields of science and technology, maritime affairs, etc.
- In October 2013, carried out watering hole attack on a Chinese government website
- In May 2014, the revolted version 2 of zxshell modified version of Backdoor 1 was discovered. In addition to the function based on the modified version 1, the search for keywords such as "military (军)", "aviation (航)", and "report (报告)" was added.
- On September 12, 2014, events and samples related to CVE-2014-4114 (0day vulnerability) were first discovered.
- On October 14, 2014, iSIGHT released the relevant report and disclosed CVE-2014-4114 (0day vulnerability). On the same day, Microsoft released relevant security bulletins.
- On February 25, 2015, an attack on a military industry association (national defense technology) and the Chinese Academy of Engineering was detected. Kanbox (酷盘) samples were discovered.
- In October 2017, the CVE-2017-8759 vulnerability document was used to initiate a spear phishing attack on a large media agency website and an individual working in Quanzhou.
- In April 2018, the 360 Threat Intelligence Center disclosed the attack malicious code of the group, exploring CVE-2017-8759.
- In May 2018, the actor launched attacks against several maritime organizations such as shipbuilding companies and port operating companies.
Note: The above first attack time is based on the existing statistics we have. It does not mean that we have known all the attacks and behaviors of the organization.
Since 2015, APT researches in China has gradually started and accelerated. Following the exposure of APT organizations such as “OceanLotus” and “LanBao Mushroom”, the Poison Ivy Group (APT-C-01) is another APT organization that launches persistent attacks targeting government, military, and maritime organizations and stealing sensitive information.
This cyberespionages group was independently discovered by 360 and was first disclosed previously with part of the information. The code-naming is in line with 360’s naming standard for APT organizations.
360 Threat Intelligence Center named the APT-C-01 organization "Poison Ivy", mainly considering the following factors: First, the organization used Poison Ivy Trojans in several attacks. Second, the attack organization used the Cloud disk as a springboard to transmit information. This is similar to the feature of vines that can climb across the wall. According to the 360 Threat Intelligence Center's naming rules for APT organizations (see the report: China APT Annual Report 2016). Considering the common vine plants in the associated areas of the Group, APT-C-01 is named "Poison Ivy".
In addition, Antiy Lab revealed the APT organization "Green Spot" on September 19, 2018. According to the mutual recognition agreement between 360 Threat Intelligence Center and Antiy Lab, the “Poison Ivy” (APT-C-01) and “Green Spot” are different names for the same group. Therefore, we have also announced our discovery.
The main purpose of the attacks is to steal data from the Chinese government and scientific research institutions, which are mainly documents. The following keywords and extension are what the actor searched for :
- Key words:
- Related information of the stolen user hosts:
MAC Info: MAC information, including IP address, gateway, etc.
Host Info: Host information, including operating system information, host name, local user name, etc.
Process Info: current process
Version Info: version information, including Microsoft Office and Microsoft Internet Explorer version
Disk Info: Disk Information
Figure 1 User host information (example)
Figure 2 Infected users by month (July 2014 - June 2015)
Mainly involved industries: national defense, government, science and technology, education, etc.
Related fields: maritime (South China Sea, East China Sea, mapping), military, Taiwan-related issues (cross-strait relations), Sino-US relations
Figure 3 Distribution map of infected areas in China (July 2014-June 2015)
Figure 4 Infected areas in China
The spear phishing email attack is a common attack method in APT, mainly in the initial phase. Attackers use the mail to start the attack. The text and the attachment may carry malicious code, commonly vulnerability files. About 90% of the attacks are like this.
This section mainly introduces two attack methods: e-mail carrying vulnerability files and e-mail carrying binary executable files.
A. Carrying vulnerable Word document
Figure 5 Carrying vulnerable files Case 1 - Word document
Figure 6 Carrying vulnerable files Case 1 - zipped file
Figure 7 Carrying vulnerable files Case 1 – CHM file
Figure 8 Carrying vulnerable files Case 1 - Email
Figure 9 Carrying vulnerable files Case 2 - Email
Figure 10 Carrying vulnerable files Case 2 – Vulnerable Word Document
B. Carrying PE binary executable
Figure 11 Carrying PE binary executable – email
Figure 12 Carrying PE binary executable – attached zipped file
Figure 13 Carrying PE binary executable – bait document released by the Trojan
The attack actor usually sends a phishing email through the webmail and the related tool (PHPMailer ).
C. Carrying self-extracting file
The attackers send a compressed form of the RAR self-extracting program to the target mailbox.
The Trojan is in the attachment:
The file is actually a RAR self-extracting format program, the parameters are as follows. When victim click on this exe, it will directly run the bat file inside:
The default batch processing command moves the Trojan body to the temp directory, then executes it and deletes the batch processing file:
Figure 14 Figure 14 Disguised file extension (RLO)
Figure 15 Disguised icon and hidden extension Case 1
Figure 16 Disguised icon and hidden extension Case 2
Figure 17 Disguised icon and hidden extension Case 2 – Lure document released by the Trojan
A. Execution flow of the vulnerable file
Figure 18 Execution flow of the vulnerability (CVE-2012-0158)
B. MHT format
Figure 19 Comparison of the two formats of the vulnerable files (upper: MHT, Lower RTF)
CVE-2012-0158 is mainly exploited on the rtf and doc formats. This attack saves the doc file to the mht format, so anti-virus software cannot detect the files due to the pre-logic mismatch. The detection rate on these related vulnerability files was low at the time.
C. Shellcode comparison
Through our comparison of the shellcode of the vulnerable document, we can find that the relevant structure and function are basically the same. Further, we can infer that the related vulnerability document is developed by the same hacker group.
The CVE-2014-4114 vulnerability is a report released by iSIGHT on October 14, 2014. The report mentions a 0day vulnerability (CVE-2014-4114) exploited in cyber espionage mainly against NATO, EU, telecommunications and energy related fields. Microsoft also released the relevant security bulletin on October 14.
CVE-2014-6352 is a vulnerability that can bypass the CVE-2014-4114 patch. Microsoft's previous patching scheme first adds the MakeFileUnsafe call after generating the Inf and exe files to set the file zone information, so there will be security alert when the exploitation install inf. The CVE-2014-6352 vulnerability sample abandoned the use of inf to install exe, rather than directly executing exe. Because the second item of the right-click menu of the system executable file above xp is executed with administrator privileges, this will result in no security reminder if the user closes the uac. So the Microsoft 6352 patch is to add a security prompt popup window in the context menu.
Reference https://technet.microsoft.com/zh-cn/library/security/3010060.aspx https://technet.microsoft.com/zh-cn/library/security/ms14-064.aspx http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6352
B. Related introductions in this operation
Figure 20 Vulnerability Document (CVE-2014-6352) attribution related information
Figure 21 CVE-2014-6352 related key time points
The sample in this action does not use inf as the springboard, but directly use exe. After the CVE-2014-4114 vulnerability is triggered, the default is to call the second item of the right-click menu. Under Windows7, it is normally opened with administrator privileges. If the second option is another option, it will pass the virus path as a parameter, which will also cause partial compatibility issues. The execution effect is as shown in the following figure:
Figure 22 Schematic diagram of the vulnerability implementation
Upgrade of the vulnerability document version
Figure 23 Sandworm vulnerability document sample (version A)
Figure 24 Sandworm vulnerability documentation sample (version B)
Figure 25 Poison Ivy vulnerable document sample (version C)
CVE-2017-8759 is a 0day vulnerability disclosed by FireEye on September 12, 2017. Microsoft released a related security bulletin on September 12.
Reference link https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8759
B. Related information in the action
The Rtf file automatically update the link through the objautlink and objupdate. After the vulnerability is triggered, mshta.exe executes the remotely HTA file.
The HTA file is an html page embedded with a malicious VBS, and the VBS calls POWERSHELL to download the subsequent exe loader.
RAT: Remote Access Trojan
Figure 26 Related RAT evolution timeline
A total of 11 versions were involved with the relevant backdoors. The relevant proportions are as follows:
Figure 27 The relevant proportion ratio of these 11 versions of RAT
Figure 28 RAT related version classification
A. Poison Ivy
The Poison Ivy Trojan is essentially a Remote Access Trojan (RAT). FireEye had conducted a special analysis on Poison Ivy. The Poison Ivy Trojan in this report corresponds to the 2.3.2 version. The Poison Ivy Trojan Generator has a total of 10 versions starting from version 1.0.0. The latest version is 2.3.2. The Poison Ivy Trojan Generator can generate both versions including EXE and shellcode. The Trojans generated in this case are in shellcode form. Most of the related Mutexes are mostly default as: ")! VoqA.I4".
Figure 29 Configuration Interface Screenshot to Poison Ivy generator
Figure 30 PI Relationship between Outer Layer and Inner Layer
The Poison Ivy Trojan gets the shellcode from the out layer parent by XOR key1 and key2 in turn.
Figure 31 Poison Ivy Trojan (three) related XOR decryption comparison
There is a list of related Poison Ivy Trojan configuration information (ID and corresponding password).
ZxShell has been used continuously by APT-C-01 organization from December 2007 until October 2014. Due to the large difference between the relevant versions, ZxShell can be regarded as two versions. They are the internal published version and the open source version. The first version refers to the ZxShell Trojan used by the APT-C-01 organization from 2007 to 2012. The second version refers to the relevant ZxShell Trojan used by the organization from 2012 to 2014. The related Trojan is developed based on the open source version, which we call it secondary development version. The internal published version and the open source version are both 3.0 version. The former is not widely publicized, but intergraded with features. The latter version’s related source code is widely distributed, and the functions are eliminated from the previous versions. For more detailed analysis about ZxShell, please refer to the report: Threat Spotlight: Group 72, Opening the ZxShell from Cisco.
It can be seen from the above table that the number of instructions to the corresponding version is continuously reduced based on research to the relevant version of the Trojan. That means the Poison Ivy Group had eliminated more existing features. Only 13 instructions are retained in the secondary development version, yet further additional instructions and features have been added. The related new features in the secondary development version are shown in the following table:
Secondary Development Version V.S. Open Source Version
The samples we captured are based on ZxShell source code modifications. They have retained the original structure. ZxShell itself has more than twenty instructions. In addition to retaining some instructions, the samples we captured excluded a large number of instructions, such as: installation start, clone system account, shutdown firewall, port scan, proxy server and other functions and also with the "IEPass" command added.
Figure 32 Screenshots to IEPass Directive related Code
Related subversion iteration update (secondary development version)
- Compared with the previous version, the change is mainly the part of collecting information. And the time range for collecting documents is expanded from half a year to 4 years ago, the file extension of the ".wps" is added, and the original ".doc" has been changed into ".doc*";
- The time range for stealing documents has been changed to half year ago. Modify the file packing part to remove the file version information.
- Modify the monitoring log file encryption to write to the log adovbs.mof; add monitor to configuration characters; add Profiles.log to record system information and file information.
- The code function is less updated than the previous version, and the position of the related function has changed to fight with the anti-virus software.
Figure 33 Screenshot to relevant keyword code
ZxShell related configuration list
C. Kanbox version
The related sample camouflage itself as folder icon. After execution, it will release the "svch0st.exe" Trojan file and the normal folder and ".doc" document file to confuse the user.
"svch0st.exe" is a Trojan transmitted by ssl encryption protocol. It will execute all the Trojan processes every hour, and the Trojan process will pack and upload all the information on the computer (related information includes: file directory, system Version, network card information, process list information, package specified files, network information, and disk information), and the files with related keywords (such as: "Taiwan", "Army", "War" in Chinese), to the Kanbox that the attacker registered in advance by ssl protocol.
C&C address is a Kanbox address . File will be uploaded via the API provided by Kanbox.
API upload interface: https://api-upload.kanbox.com/0/upload/%s/%s?bearer_token=%s https://auth.kanbox.com/0/token
Figure 34 Screenshot to the Kanbox API address code
Figure 35 Screenshot to the official website home page of Kanbox
Kanbox version related configuration information list
D. Unknown RAT
The unknown RAT is divided into two versions from the outer dropper. They are the folder version and the bundle version. The RAT is divided into four versions, and they are all unknown remote access Trojan.
a) Folder Version
Figure 36 Related changes after the implementation of the unknown RAT file version
b) Bundle version
67d5f04fb0e00addc4085457f40900a2 └─Atnewyrr.exe~tmp.zip │ newyrr.exe │ └─doll.exe aaa.vbs b.bat server.exe
Figure 37 Digital signature used in unknown RAT
The backdoor program used by the APT-C-01 organization in related actions further includes three RATs. They are: gh0st, XRAT and HttpBot.
At the beginning of 2018, 360 Threat Intelligence Center discovered a control domain (http://updateinfo.servegame.org) used by the APT-C-01 organization to control and distribute the attack payload. In the attack activity, the organization referred to the CVE-2017-8759 vulnerability document, downloaded the malicious HTA file, and executed related script commands to download and execute the subsequent attack payload module.
A. Dropper Analysis
Dropper program was triggered to be download and executed by the vulnerability document attached to the spear phishing email.
And it will download the malicious HTA file, which executes the PowerShell command to download the Loader program and saves it as officeupdate.exe and then executes it.
B. Loader Analysis
According to the string information contained in the Loader program, the creator named it as SCLoaderByWeb, and the version is 1.0, which literally means the Shellcode Loader program obtained from the Web. It is used to download and execute shellcode code.
The Loader program will firstly try to connect to a common URL to check network connectivity. If there is no networking, it will try to connect every 5 seconds until the network can be connected. Then it downloads the payload from hxxp://updateinfo.servegame.org/tiny1detvghrt.tmp, as shown in the figure:
Then judge whether the file is successfully downloaded. If not, it will sleep for 1 second, then try to download the payload again:
After the download, the content of the downloaded file is XOR decrypted by each byte and 0xac, 0x5c, 0xdd (essentially, each byte is exclusive or 0x2d), as shown in the figure:
After that, the decrypted shellcode is executed in the newly created thread, as shown in the figure:
C. Shellcode Analysis
The .tmp files hosted by the distribution domain name address are bytecode XORed shellcode. The following figure shows the tinyq1detvghrt.tmp file downloaded from the distribution domain name, which is XOR2d encrypted data.
After decryption, it is found that the shellcode generated by Poison Ivy as follows:
By analyzing and testing the shellcode format generated by the Poison Ivy Trojan and comparing the shellcode format used in the attack payload, the position and meaning of each configuration field in the shellcode is obtained.
The format of its shellcode configuration field is as follows:
When the code logic of the kernel32 base address in Poison Ivy was analyzed, it is found to be incompatible with the Windows 7 system, because the second module of the InitializationOrderModule under Windows 7 OS is KernelBase.dll, so the actual acquisition is the base address of KernelBase.
Since Poison Ivy has stopped updating, the attack organization has made a code patch to improve the code for obtaining the base address of kernel32 in order to enable shellcode to be executed on subsequent versions of Windows.
The improvement method is as follows:
- Add a jump instruction to the end of the shellcode before the original kernel32 base code is obtained, and the patch code is added at the end;
- The patch code first obtains the base address of the second module of the InitializationOrderModule (kernel32.dll under Windows XP, kernelbase.dll for Windows 7);
- Then get the address of LoadLibraryExA of the second module of InitializationOrderModule (kernel32.dll under Windows XP and kernelbase.dll under Windows 7 have this export function)
- Finally, get the base address of kernel32 by calling LoadLibraryExA function.
The attacker's patch for shellcode makes it available for different versions of Windows systems.
The function of this shellcode is mainly the remote access Trojan’s control module, and C2 communication and remote control. Here we simulate the on-line process of the Trojan under the Windows 7 system.
Decrypt the other shellcode files managed on the control domain name, and the online information of the obtained samples is listed as follows:
In May 2018, we discovered a new Trojan program used by the APT-C-01 Group in its attacks against relevant maritime agencies and units in China. It mainly used the spear phishing email to deliver RAR self-extracting program attachment. When the victim double-clicked the attachment, the Trojan run and executes itself.
At the entrance of the remote control module, malicious code is executed in the catch by triggering the exception code, as shown in the figure:
Then use the same method to trigger the exception code and enter the second layer of code:
Enter the initialization socket and establish a connection with C2:
Connect to port 8080 of zxcv201789.dynssl.com to create a C&C channel:
The place where the online package is sent to the control server has an online password: asd88, as shown in the figure:
Finally enter the functional loop part of the remote control:
Function included: Token Function
- 0x04 Close the connection
- 0x41 Remote shell
- 0x42 Process enumeration
- 0x43 End the specified process
- 0x51 Enumerate drive
- 0x52 List specified directory
- 0x53 Upload files to the victim
- 0x54 Download file from victim
- 0x55 Delete Files
- 0x56 Remote execution
The strings in this Trojan are inverted strings, which are reversed by the C language strrev. This method was also used in the Trojan from this organization in 2015. Figure is as follow:
Figure 38 DynDNS Hosting Providers（ChangeIP）
Figure 39 DynDNS Hosting Providers ratio graph
The following are the dynamic subdomain names (registered by the attack organization),and we listed them here for research and analysis of the relevant mapping meanings.
The current two tokens of Kanbox sample:
Through the analysis of the kanbox API, we get the information of the Cloud disk account used by the Group, mainly including the mobile phone number of China Mobile, which is used to register the Cloud disk account.
Some of the correlation analysis results we conducted with this mobile phone number:
Figure 40 Google search results
Figure 41 Weifengtang website user information 1
Figure 42 Weifengtang website user information 2
Figure 43 Alipay and WeChat information of the number owner
Figure 44 Screenshot of the blog part
The picture above shows the Poison Ivy Group relying on a third-party blog for malicious code transmission. The domain name of a blog is usually in the whitelist of firewalls and various security software. Using this method to store malicious code in a blog can avoid anti-virus software.
Figure 45 C&C IP Correlation Analysis
The domain name gaewaaa.upgrinfo.com has relevant whois information, as shown below.
Figure 46 Domain registration information Another domain name is moneyaaa.beijingdasihei.com
Correlate between raw attack emails, vulnerability files, 3 different RATs (ZxShell, Poison Ivy and Kanbox version), and related domain names, online passwords, file extensions, compressed package passwords, and keyword different resources.
Figure 47 Figure 47 Overall relationship between different resources
Typical method of the correlated samples:
A. Development environment
Except XRAT backdoor, all other versions have used the C++ from 2008 to 2015.
The following versions: 2011 version, memcache version, Voice64 version, HTTPBOTS version, kanbox version, PI, XRAT all use XOR decryption for two times, and then execute malicious code. In addition, the cloud drive version will also encrypt the file.
Figure 48 unknown RAT2011 (left), Kanbox (right)
C. Stealing function
ZXShell backdoor uses a custom stealing function that is very similar to the stealing function used by 2015 cloud drive version. The search of the A drive(usually the floppy disk driver) is excluded, the disk is traversed in advanced, the driver list is stored in the memory, and the drive list in the memory is ready by the pointer plus 5.
Figure 49 ZxShell (left), Kanbox(right)
D. Shellcode backdoor
Compared to the 2011 version (Poison Ivy) injected into the system’s Shellcode and 2015 cloud drive version, the highly similarity Shellcode backdoor and the last line address is also filled with 0x30.
Figure 50 unknown RAT2011 version (left), Kanbox (right)
Related shellcode Trojan file detection result ( 0 detection): https://www.virustotal.com/en/file/8cee670d7419d1fd0f8f0ac6a2bd981593c2c96ca0f6b8019317cf556337cfa8/analysis/
E. Child file name (outer layer)
By comparing the 2009 version with the 2011 version, it can be seen that the name of the child files released by the virus is ~work.tmp, the format string is “%s\%s.bak”, and the code similarity is extremely high. Use ~tmp.tmp、~tmp.zip、~mstmp.cpt as the temporary file name of the Trojan (07~09).
Figure 51 unknown RAT2009 (left), unknown RAT2011(right)
F. Bypass Anti-Virus –API string reverse order against static scan
HttpBot, Kanbox, XRAT, RAT(07-11version) Trojan, reverse order API string is used in code writing. When the Trojan executes, the reverse string is converted to a normal API string by the _strrev function, and the GetProcAddress function is called to dynamically obtain the API address. Reverse order API string increases the difficulty of string detection. In addition, the API address is obtained in the Trojan dynamic execution, which is difficult to detect in the static information of the PE, which increases the difficulty of API detection. The Poison Ivy is known to use this since 2009 and continue to use until 2018.
Figure 52 Unknown RAT2009 (upper), kanbox(below)
G. Bypass Anti-Virus– pass error API parameters against dynamic scan:
Kanbox, Poison Ivy, XRAT, ZxShell, unknown RAT(07-11 version) trojan, used GetClientRect function to against dynamic scanning of anti-virus software. GetClientRect prototype is: BOOL GetClientRect(HWND hWnd,LPRECT lpRect); the role is toget the windows coordinate area. The first parameter is the target window handle. The second parameter is the returned coordinate structure. The Trojan called GetClientRect, passing 0 in the first parameter on purpose. This makes the GetClientRect function fail forever in the normal Windows operation system, and return value is 0. At present, many anti-virus software uses dynamic scanning technology(mostly in heuristic detection). The simulation of executing the GetClientRect function does not consider error parameters, so that the GetClientRect function is always executed successfully by simulation, and the return value is non-zero. In this way, the anti-virus software virtual environment and the user's real system can be distinguished by Trojans, thus by pass anti-virus software detection. The Kaspersky Virtual Machine heuristic scanning environment can be detected by Trojans. The Poison Ivy is known to use this since 2011 and continue to use until 2018.
Figure 53 unknown RAT2011（upper left），zxshell（Upper right），Kanbox (under) The Kanbox uses the dynamic acquisition API to call GetClientRect function.
H. Legal digital signature
Versions before 2011
2015 BLOG version Started to use the signature in May 2015 (suspected of being stolen) Signature：We Build Toolbars LLC
- Vulnerability Files：
- a. Normal released DOC：Traditional Chinese or specific area’s font, etc.
- b. Some patch, such as DANK in PPSX
- PE：String in traditional Chinese or font used in a specific area (BIG5), such as PE file version information and string in ID\password\mutex.
- a. Non-Dynamic Domain: Wade-Giles romanization, Registration Inforamtion
- b. Dynamic Domain：
- c. Cloud Storage
- IP：specific area and the United States, main in CC and mail.
- Related time zone：PE time stamp、file create time, etc， information such as Monday morning attack.
The domain is javainfo.upgrinfo.com. The address in the registration information is a specific area, and the spell of the name is Wade-Giles Romanization.
Figure 54 Codes contains related keyword
Vulnerability file or Trojan’s original file name (lure file name) lists:
The help information in the Zxshell is garbled. Actually it is traditional Chinese.
Figure 55 ZxShell related screenshot
Figure 56 unknown RAT2009
Figure 57 vulnerability file（CVE-2014-4114）property details screenshot
Figure 58 vulnerability file（CVE-2014-4114）slide file screenshot
Default font for the specific region：PMingLiU
Figure 59 backdoor released phishing file
Figure 60 Xinhua related news’ screenshot
03d762794a6fe96458d8228bb7561629 0595f5005f237967dcfda517b26497d6 07561810d818905851ce6ab2c1152871 0e80fca91103fe46766dcb0763c6f6af 1374e999e1cda9e406c19dfe99830ffc 1396cafb08ca09fac5d4bd2f12c65059 1ab54f5f0b847a1aaaf00237d3a9f0ba 1aca8cd40d9b84cab225d333b09f9ba5 1dc61f30feeb60995174692e8d864312 250c9ec3e77d1c6d999ce782c69fc21b 2579b715ea1b76a1979c415b139fdee7 26d7f7aa3135e99581119f40986a8ac3 27f683baed7b02927a591cdc0c850743 28e4545e9944eb53897ee9acf67b1969 2a96042e605146ead06b2ee4835baec3 2c405d608b600655196a4aa13bdb3790 30866adc2976704bca0f051b5474a1ee 31c81459c10d3f001d2ccef830239c16 3484302809ac3df6ceec857cb4f75fb1 36c23c569205d6586984a2f6f8c3a39e 382132e601d7a4ae39a4e7d89457597f 3e12538b6eaf19ca163a47ea599cfa9b 41c7e09170037fafe95bb691df021a20 45e983ae2fca8dacfdebe1b1277102c9 4e57987d0897878eb2241f9d52303713 5696bbee662d75f9be0e8a9ed8672755 5e4c2fbcd0308a0b9af92bf87383604f 5ee2958b130f9cda8f5f3fc1dc5249cf 5f1a1ff9f272539904e25d300f2bfbcc 611cefaee48c5f096fb644073247621c 67d5f04fb0e00addc4085457f40900a2 6a37ce66d3003ebf04d249ab049acb22 6ca3a598492152eb08e36819ee56ab83 7639ed0f0c0f5ac48ec9a548a82e2f50 76782ecf9684595dbf86e5e37ba95cc8 785b24a55dd41c94060efe8b39dc6d4c 7c498b7ad4c12c38b1f4eb12044a9def 81232f4c5c7810939b3486fa78d666c2 81e1332d15b29e8a19d0e97459d0a1de 8abb22771fd3ca34d6def30ba5c5081c 95f0b0e942081b4952e6daef2e373967 9b925250786571058dae5a7cbea71d28 9bcb41da619c289fcfdf3131bbf2be21 9f9a24b063018613f7f290cc057b8c40 a73d3f749e42e2b614f89c4b3ce97fe1 a807486cfe05b30a43c109fdb6a95993 a8417d19c5e5183d45a38a2abf48e43e acc598bf20fada204b5cfd4c3344f98a accb53eb0faebfca9f190815d143e04b adc3a4dfbdfe7640153ed0ea1c3cf125 ae004a5d4f1829594d830956c55d6ae4 b0be3c5fe298fb2b894394e808d5ffaf b244cced7c7f728bcc4d363f8260090d b301cd0e42803b0373438e9d4ca01421 bd2272535c655aff1f1566b24a70ee97 bd4b579f889bbe681b9d3ab11768ca07 bfb9d13daf5a4232e5e45875e7e905d7 c31549489bf0478ab4c367c563916ada c8755d732be4dc13eecd8e4c49cfab94 c8fd2748a82e336f934963a79313aaa1 ca663597299b1cecaf57c14c6579b23b d12099237026ae7475c24b3dfb5d18bc d61c583eba31f2670ae688af070c87fc dde2c03d6168089affdca3b5ec41f661 e2e2cd911e099b005e0b2a80a34cfaac e9a9c0485ee3e32e7db79247fee8bba6 ec7e11cfca01af40f4d96cbbacb41fed eff88ecf0c3e719f584371e9150061d2 f0c29f89ffdb0f3f03e663ef415b9e4e f1b6ed2624583c913392dcd7e3ea6ae1 f27a9cd7df897cf8d2e540b6530dceb3 f29abd84d6cdec8bb5ce8d51e85ddafc f3ed0632cadd2d6beffb9d33db4188ed fbd0f2c62b14b576f087e92f60e7d132 fccb13c00df25d074a78f1eeeb04a0e7 0fb92524625fffda3425d08c94c014a1 168365197031ffcdbe65ab13d71b64ec 2b5ddabf1c6fd8670137cade8b60a034 517c81b6d05bf285d095e0fd91cb6f03 7deeb1b3cce6528add4f9489ce1ec5d6 aa57085e5544d923f576e9f86adf9dc0 cda1961d63aaee991ff97845705e08b8 e07ca9f773bd772a41a6698c6fd6e551 fb427874a13f6ea5e0fd1a0aec6a095c
126mailserver.serveftp.com access.webplurk.com aliago.dyndns.dk as1688.webhop.org babana.wikaba.com backaaa.beijingdasihei.com bt0116.servebbs.net ceepitbj.servepics.com check.blogdns.com china.serveblog.net chinamil.lflink.com cluster.safe360.dns05.com cnwww.m-music.net fff.dynamic-dns.net gaewaa.upgrinfo.com givemea.ygto.com givemeaaa.upgrinfo.com goldlion.mefound.com gugupd.008.net guliu2008.9966.org hyssjc.securitytactics.com jason.zyns.com javainfo.upgrinfo.com jerry.jkub.com kav2011.mooo.com kouwel.zapto.org laizaow.mefound.com localhosts.ddns.us mail.sends.sendsmtp.com mail163.mypop3.net mailsends.sendsmtp.com mediatvset.no-ip.org moneyaaa.beijingdasihei.com motices.ourhobby.com mp3.dnset.com netlink.vizvaz.com operater.solaris.nu pps.longmusic.com ps1688.webhop.org rising.linkpc.net safe360.dns05.com sandy.ourhobby.com soagov.sytes.net soagov.zapto.org soasoa.sytes.net ssy.ikwb.com ssy.mynumber.org svcsrset.ezua.com teacat.https443.org tong.wikaba.com updates.lflink.com usa08.serveftp.net waterfall.mynumber.org webupdate.dnsrd.com www.safe360.dns05.com www.ssy.ikwb.com www.tong.wikaba.com wwwdo.tyur.acmetoy.com xinhua.redirectme.net 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 bearingonly.rebatesrule.net canberk.gecekodu.com emailser163.serveusers.com fevupdate.ocry.com geiwoaaa.qpoe.com hy-zhqopin.mynumber.org l63service.serveuser.com microsoftword.serveuser.com office.go.dyndns.org updateinfo.servegame.org uswebmail163.sendsmtp.com winsysupdate.dynamic-dns.net wmiaprp.ezua.com www.service.justdied.com zxcv201789.dynssl.com officepatch.dnset.com pouhui.diskstation.org comehigh.mefound.com annie165.zyns.com http://annie165.zyns.com/zxcvb.hta