TeamT5 released its latest research at Black Hat Asia, Asia’s largest security conference this year, explaining the emerging modular backdoor program Pangolin8RAT and its associated hacker groups.
TeamT5 (Dupu Digital Security) has long focused on research into hacker groups in the Asia-Pacific region. At Black Hat Asia, Asia's largest information security conference this year, it presented its latest research on the emerging modular backdoor Pangolin8RAT and the hacker groups associated with it.
Given the trend toward modular backdoors that are shared by multiple hacker groups, TeamT5 Threat Intelligence Analyst Silvia Yeh and Threat Intelligence Researcher Leon Chang warn that existing methods of analysing APT attacks may no longer be adequate, and that enterprises should use multi-layered threat intelligence to keep track of hacker group activity.
Modular malware such as PlugX and ShadowPad has long been common in China's state-sponsored cyber operations. Since mid-2020, TeamT5 has detected the modular Trojan Pangolin8RAT in the Asia-Pacific region; it may be the successor to the modular malware mentioned above. The name Pangolin8RAT comes from its PDB string “pangolin” and its RTTI name “p8rat”. Its modularity lies in its ability to download additional DLLs in response to C2 instructions, extending its functionality. An earlier version supports eight communication protocols: TCP, HTTPS, UDP, DNS, ICMP, HTTPSIPV6, WEB and SSH.
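The article notes that the backdoor's name was derived from two build artefacts left in the binary: a PDB path containing “pangolin” and an RTTI class name “p8rat”. Such artefacts are a common triage lead for defenders, so the following added example (not TeamT5's code and not tied to any real sample) shows how to pull PDB paths and MSVC RTTI type-descriptor names out of a raw binary and check them against a watch list. It relies on two standard Microsoft layouts: the CodeView “RSDS” debug record (signature, 16-byte GUID, 4-byte age, NUL-terminated path) and the mangled `.?AV<name>@@` / `.?AU<name>@@` form of RTTI type descriptors. The sample buffer is constructed inline purely for demonstration.

```python
"""Scan a binary blob for PDB paths (CodeView RSDS records) and MSVC RTTI
type-descriptor names, then match them against a watch list.

The watch list reuses the two indicators the TeamT5 article names:
the PDB string "pangolin" and the RTTI class name "p8rat". The sample
buffer below is constructed for demonstration and is not a real binary.
"""
import re
import struct
from typing import Dict, List

# Case-insensitive substrings to look for (taken from the article); extend as needed.
WATCHLIST = ("pangolin", "p8rat")

# CodeView "RSDS" debug record: signature(4) + GUID(16) + age(4) + NUL-terminated path.
# DOTALL lets "." match NUL bytes inside the GUID and age fields.
_RSDS = re.compile(rb"RSDS.{16}.{4}([^\x00]{1,260})\x00", re.DOTALL)

# MSVC RTTI type descriptors store mangled names such as ".?AVp8rat@@" (class)
# or ".?AUname@@" (struct); the token between the prefix and "@@" is the name.
_RTTI = re.compile(rb"\.\?A[UV]([A-Za-z0-9_@]{1,200}?)@@")


def extract_pdb_paths(data: bytes) -> List[str]:
    """Return every PDB path found in RSDS records inside `data`."""
    return [m.group(1).decode("utf-8", "replace") for m in _RSDS.finditer(data)]


def extract_rtti_names(data: bytes) -> List[str]:
    """Return every class/struct name found in MSVC RTTI type descriptors."""
    return [m.group(1).decode("ascii", "replace") for m in _RTTI.finditer(data)]


def match_watchlist(data: bytes) -> Dict[str, List[str]]:
    """Group watch-list hits by artefact type; an empty dict means no hit."""
    hits: Dict[str, List[str]] = {}
    for kind, values in (("pdb", extract_pdb_paths(data)),
                         ("rtti", extract_rtti_names(data))):
        matched = [v for v in values if any(w in v.lower() for w in WATCHLIST)]
        if matched:
            hits[kind] = matched
    return hits


def _build_sample() -> bytes:
    """Constructed stand-in for a PE image: padding, one RSDS record, one RTTI name."""
    rsds = (b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
            + b"C:\\build\\pangolin\\Release\\loader.pdb\x00")
    rtti = b".?AVp8rat@@\x00"
    return b"\x90" * 64 + rsds + b"\x00" * 32 + rtti + b"\x00" * 16


if __name__ == "__main__":
    # Real use: match_watchlist(open(path, "rb").read()) over a sample set.
    print(match_watchlist(_build_sample()))
```

Build-artefact strings like these are trivially changed between versions, so a hit is a triage lead to be confirmed with behavioural analysis rather than a detection on its own; in production a YARA rule or a PE parser would carry the same logic with proper section parsing.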
TeamT5 named the hacker group that uses the Pangolin8RAT backdoor “Tian Wu”, after the eight-headed, human-faced monster recorded in The Classic of Mountains and Seas. Between 2020 and 2021, the group attacked targets in the online entertainment, gambling, IT, telecommunications and transportation industries, as well as government agencies and dissidents.
In the talk, the TeamT5 research team also explored the connection between “Tian Wu” and the notorious Chinese APT group Amoeba (alias APT41); the similarity between the two lies in their modular malware architecture, the attack methods (TTPs) they use and their range of targets.
The TeamT5 research team pointed out that modular backdoors have become a trend because they lower the cost of malware development for hacker groups. As a result, the previous research framework and classification of APT attacks may no longer apply to future APT attacks. Enterprises are advised to use threat intelligence at the tactical, operational, strategic and other levels to obtain a complete picture of cyber threats.