UTG-Q-010, an East Asian, financially motivated APT group, runs a sophisticated campaign targeting cryptocurrency enthusiasts and HR departments with spear-phishing LNK attachments to deliver the PupyRAT via a loader DLL. The operation uses advanced evasion such as DLL side-loading, in-memory execution, XOR obfuscation, sandbox checks, and HTTPS-driven file downloads to defeat detection. #UTG-Q-010 #PupyRAT #MichelinNight
Key Points
- Group Identification: The UTG-Q-010 group is linked to financially motivated cyber attacks and originates from East Asia.
- Target Audience: The campaign primarily targets cryptocurrency enthusiasts and HR departments.
- Infection Vector: Spear phishing emails containing malicious LNK files are used to initiate attacks.
- Malware Techniques: The group employs advanced techniques like DLL sideloading and in-memory execution to evade detection.
- Loader DLL: The malicious loader DLL, named “faultrep.dll,” is designed to bypass security measures and execute the Pupy RAT.
- Social Engineering: The campaign uses enticing themes related to cryptocurrency to lure victims into executing malicious content.
- Advanced Evasion: The malware includes checks for sandbox environments and uses XOR encryption to obfuscate its payload.
MITRE Techniques
- [T1566] Phishing – Spear phishing used to reach users. “Utilized spear phishing emails to reach users.”
- [T1204.002] User Execution: Malicious File – The phishing URL contains a malicious ZIP file with the LNK payload. “The phishing URL contains a malicious ZIP file with the LNK payload.”
- [T1059.001] PowerShell – PowerShell is used to decrypt and load the payload. “PowerShell is used to execute scripts that decrypt and load the malicious payload.”
- [T1059.003] Windows Command Shell – Command Prompt (cmd.exe) is invoked to run commands. “Command Prompt (cmd.exe) is invoked with the /c switch to execute a series of commands.”
- [T1574.002] DLL Side-Loading – The loader DLL is placed where legitimate processes could execute it. “The loader DLL is placed in a location where legitimate processes could execute it.”
- [T1620] Reflective DLL Injection – In-memory execution and reflective DLL loading. “in-memory execution and reflective DLL loading.”
- [T1027.013] Obfuscated Files or Information: Encrypted/Encoded File – The DLL uses XOR encryption to obfuscate the payload. “The DLL uses XOR encryption to obfuscate the payload.”
- [T1497] Virtualization/Sandbox Evasion – Checks detect sandbox/VMs to avoid analysis. “The DLL contains checks to detect sandbox environments and virtual machines to avoid analysis.”
- [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTPS for downloading files. “use of HTTPS for downloading files.”
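The execution chain mapped above (an LNK that drives cmd.exe /c into PowerShell, then a faultrep.dll side-load) can be hunted in endpoint telemetry. The script below is an added example, not code from the Cyble report or the campaign; it runs over constructed Sysmon-style events and assumes that explorer.exe is the parent process when a user opens the LNK, and that the genuine faultrep.dll (Windows Error Reporting) only ever loads from the Windows system directories.

```python
"""Hunt Sysmon-style events for the UTG-Q-010 chain: cmd.exe /c launching
PowerShell from an LNK, and faultrep.dll side-loaded outside System32."""
import re
from pathlib import PureWindowsPath

# Sysmon-like events, constructed for this example (not real telemetry);
# fields mimic Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoad).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -w hidden -ep bypass -c "..."'},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\lzh\host.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\lzh\faultrep.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\WerFault.exe",
     "ImageLoaded": r"C:\Windows\System32\faultrep.dll"},  # genuine WER DLL
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

# Directories where the legitimate faultrep.dll (Windows Error Reporting) lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# cmd.exe ... /c ... powershell: the command chain the report attributes to the LNK.
CMD_TO_PS = re.compile(r"\bcmd(?:\.exe)?\b.*\s/c\b.*\bpowershell(?:\.exe)?\b", re.I)

def flag_lnk_chain(ev):
    """ProcessCreate where explorer.exe (assumed parent when a user opens an
    LNK) spawned cmd.exe /c that in turn runs PowerShell."""
    if ev.get("EventID") != 1:
        return False
    parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
    return parent == "explorer.exe" and bool(CMD_TO_PS.search(ev.get("CommandLine", "")))

def flag_sideload(ev):
    """ImageLoad of faultrep.dll from any path outside the Windows system dirs."""
    if ev.get("EventID") != 7:
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    return PureWindowsPath(loaded).name == "faultrep.dll" and not loaded.startswith(SYSTEM_DIRS)

def hunt(events):
    """Return (rule_name, event) pairs for every event that matched a rule."""
    hits = []
    for ev in events:
        if flag_lnk_chain(ev):
            hits.append(("lnk_cmd_powershell_chain", ev))
        if flag_sideload(ev):
            hits.append(("faultrep_dll_sideload", ev))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags the first two events and leaves the legitimate WerFault.exe load and the notepad launch alone; in production the same two checks map onto Sysmon Event ID 1 and 7 fields.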
Indicators of Compromise
- [SHA256] context – MichelinNight.zip, MichelinNight.lnk, Pupy RAT, lzh.zip, LNK File, faultrep.dll Loader DLL, Encrypted Payload, and 5 more hashes
- [URL] context – hxxps://malaithai[.]co/MichelinNight.zip, hxxps://chemdl.gangtao[.]live/down_xia.php, and 2 more URLs
- [IP] context – 103.79.76[.]40
- [Filename] context – MichelinNight.lnk, faultrep.dll
Read more: https://cyble.com/blog/analysing-the-utg-q-010-campaign/