Avast Threat Labs identifies Operation Dragon Castling, a Chinese-speaking APT campaign targeting betting companies in Southeast Asia (Taiwan, the Philippines, and Hong Kong). The operation uses a modular toolkit (the MulCom backdoor, the Proto8 CoreX/Core Module, and exploitation of the WPS Office updater, CVE-2022-24934) to deliver payloads, gain persistence, and communicate with C2 servers.
#OperationDragonCastling #MulCom #FFRat #DragonOK #PoisonIvy #PlugX #WPSOffice #CVE-2022-24934 #TeamT5 #Taiwan #Philippines #HongKong
Key points
- The campaign appears to target betting companies in Taiwan, the Philippines, and Hong Kong, with attribution to a Chinese-speaking APT group, though specific group assignment remains uncertain.
- Code similarity links MulCom backdoor to FFRat samples, suggesting code-sharing across Chinese adversary groups and potential connections to DragonOK-era tooling.
- Two infection vectors were observed: an infected installer delivered via email and a fake WPS Office updater exploiting a vulnerability (CVE-2022-24934).
- The malware stack includes Dropper 1 (QMSpeedupRocketTrayStub64.dll), Dropper 2 (IcbcLog), and a multi-stage Loader/Proto8 core module (CoreX) with advanced evasion and loading tricks.
- Core/Proto8 uses a plugin architecture (Core Plugin, Zload, MecGame, MulCom) to extend capabilities, including persistence, backdoor user creation, and RPC interfaces.
- Beacons and C2 communication rely heavily on HTTP with specific headers and a smcache.dat-based configuration guiding C2 domains and protocols; there is evidence of layered C2 flow and host/header customization.
MITRE Techniques
- [T1566.001] Phishing – “an attacker sent an email with an infected installer to the support team of one of the targeted companies…”
- [T1203] Exploitation for Client Execution – “a fake WPS Office update package… exploit[ing] a bug in the WPS updater wpsupdate.exe” and CVE-2022-24934
- [T1112] Modify Registry – “a registry key under HKEY_CURRENT_USER needs to be modified, and by doing this an attacker gains persistence on the system”
- [T1055] Process Injection – “The dropper… hooks three functions: GetProcAddress, FreeLibrary, LdrUnloadDll”
- [T1574.001] DLL Side-Loading – “drops two files for sideloading: a signed QMSpeedupRocketTrayInjectHelper64.exe and a malicious DLL QMSpeedupRocketTrayStub64.dll”
- [T1059.007] JavaScript – “The dropper uses the JScript class ScriptHelper…”
- [T1071.001] Web Protocols – “HTTP beacon” and related HTTP POST/GET beacon exchange with C2 servers
- [T1021.001] Remote Services – “enabling RDP connections to the machine without the user password” and creating a backdoor user
- [T1041] Exfiltration Over C2 Channel – “The initial beacon… contains system information and the comment string” and data sent to C2
- [T1082] System Information Discovery – “collects information about the infected environment (username, DNS/NetBIOS names, OS version, architecture)”
- [T1136] Create Account – “creates a new user with the name ‘DefaultAccount’ and the password ‘Admin@1999!’ which is then added to Administrator and Remote Desktop Users”
- [T1027] Obfuscated/Compressed Files and Information – “string obfuscation… XORing them with a unique hard-coded key”
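As an added defender-side example (not code from the Avast report or from this summary), the following Python correlates Windows Security event IDs 4720 (account created) and 4732 (member added to a local group) to flag the backdoor-account pattern described under T1136 and T1021.001 above: a freshly created account that is promptly added to Administrators or Remote Desktop Users. The event records and their field names are constructed for the example.

```python
# Added example: detect a newly created local account being added to a
# privileged group shortly after creation (the MulCom backdoor-user step).
# 4720 and 4732 are standard Windows Security log event IDs; the records in
# SAMPLE_EVENTS and the flattened field names are constructed for this demo.
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=10)  # creation-to-group-add window worth alerting on

# Constructed sample events (a subset of Security log fields).
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2022-03-22T10:01:05", "target": "DefaultAccount", "group": None},
    {"id": 4732, "time": "2022-03-22T10:01:06", "target": "DefaultAccount", "group": "Administrators"},
    {"id": 4732, "time": "2022-03-22T10:01:07", "target": "DefaultAccount", "group": "Remote Desktop Users"},
    {"id": 4720, "time": "2022-03-22T11:30:00", "target": "svc_backup", "group": None},
    {"id": 4732, "time": "2022-03-22T11:30:30", "target": "svc_backup", "group": "Backup Operators"},
    {"id": 4732, "time": "2022-03-22T14:00:00", "target": "alice", "group": "Administrators"},
]


def find_backdoor_accounts(events, window=WINDOW):
    """Return {account: [groups]} for accounts that were created (4720) and,
    within `window`, added (4732) to a group in PRIVILEGED_GROUPS.
    Accounts with no 4720 in the log (e.g. 'alice') are ignored here; promoting
    an existing account is a separate, noisier detection."""
    created = {}   # account -> creation time
    hits = {}      # account -> privileged groups it was added to
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target"]] = ts
        elif ev["id"] == 4732 and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(ev["target"])
            if t0 is not None and ts - t0 <= window:
                hits.setdefault(ev["target"], []).append(ev["group"])
    return hits


if __name__ == "__main__":
    # Note: "DefaultAccount" is also the name of a built-in Windows account, so a
    # 4720 event creating it is suspicious on its own.
    for acct, groups in find_backdoor_accounts(SAMPLE_EVENTS).items():
        print(f"ALERT: new account {acct!r} added to {', '.join(groups)}")
```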
Indicators of Compromise
- [Domain] context – update.wps.cn, mirrors.centos.8788912.com, and 2 more (e.g., jianguoyun.com, dav.jianguoyun.com)
- [IP] context – 103.140.187.16
- [Hash] context – 76adf4fd93b70c4dece4b536b4fae76793d9aa7d8d6ee1750c1ad1f0ffa75491, a428351dcb235b16dc5190c108e6734b09c3b7be93c0ef3d838cf91641b328b3, and 1 more (e.g., 97c392ca71d11de76b69d8bf6caf06fa3802d0157257764a0e3d6f0159436c42)
- [File] context – setup_CN_2052_11.1.0.8830_PersonalDownload_Triale.exe, QMSpeedupRocketTrayStub64.dll, and 2 more (bdservicehost.exe, log.dll)
- [File] context – icbc_logtmp.exe (Dropper 2 output) and related components
- [File] context – inst.dat, smcache.dat, hostcfg.dat (configurations used by C2 and persistence)