Vault Viper: High Stakes, Hidden Threats

Infoblox and UNODC-linked research uncovered Vault Viper (Baoying Group / BBIN), a large iGaming white-label operator distributing a custom “Universe Browser” that routes traffic through China and installs persistent background programs with functionality consistent with RATs and information stealers. The investigation ties Vault Viper to transnational organized crime networks including Suncity and convicted Triad leader Alvin Chau, and documents a vast DNS and C2 footprint used to support online gambling, fraud, and money laundering. #VaultViper #UniverseBrowser

Keypoints

  • Infoblox and UNODC investigation identified Vault Viper (Baoying Group / BBIN) as an iGaming white-label operator servicing criminal online gambling and fraud networks across Southeast Asia.
  • Vault Viper distributes a modified Chromium-based “Universe Browser” that routes traffic through China, installs persistent binaries, modifies DNS, and includes features consistent with RATs and information stealers.
  • Technical analysis of the Windows installer (UB-Launcher.exe) revealed multiple binaries (UBMaintenanceservice.exe, UBService.exe and a UBService networking component) and browser extensions (Screenshot, lineSelector) that enable proxy routing, screenshots, geolocation checks, and retrieval of hidden, encrypted configuration.
  • Vault Viper operates a large DNS/C2 infrastructure (notably ac101[.]net and ASN WOODSNET-PH AS55547) and uses DNS TXT records and HTTP 418 error pages to distribute encrypted keys and route updates to clients.
  • Evidence links Baoying/BBIN to the Suncity Group and Alvin Chau, and shows overlapping infrastructure and historical tooling with Vigorish Viper and other criminal ecosystems involved in money laundering, human trafficking, and large-scale fraud.
  • The Universe Browser disables browser security features (DevTools, chrome:// pages, sandboxing), alters user agents and resolvers (switching to Alibaba DNS), and may enable credential theft, traffic interception, and downstream targeted compromise.
  • Vault Viper’s infrastructure includes mobile apps (UBAuth and gambling apps), numerous domains and C2 IPs, and an extensive corporate shell network spanning multiple jurisdictions used to obscure ownership and operations.

MITRE Techniques

  • [T1059.005] Command and Scripting Interpreter: Visual Basic – The actor used VBScript to rewrite the DNS resolver list of Windows hosts through WMI (SetDNSServerSearchOrder on the network adapter configuration); the report reproduces a 2010 sample (“Example of VBS script in use in 2010 to change player’s DNS resolvers”: Const STR_NEWDNS1 = “114.114.114[.]114” … objNIC.SetDNSServerSearchOrder Array(…)). 114.114.114[.]114 is the public 114DNS resolver hosted in China, so the resolver change is itself a host-level indicator.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – Installer adds UB-Launcher.exe to startup registry to achieve persistence and launch UBMaintenanceservice.exe at boot (“installer will then achieve persistence by adding ‘UB-Launcher.exe’ to the startup registry, which proceeds to run ‘UBMaintenanceservice.exe’”).
  • [T1105] Ingress Tool Transfer – Installer downloads additional binaries and DLLs (Chrome installer and Application.7z) from actor-controlled domains (ac101[.]net and other domains) to %APPDATA%/local/UB before unpacking and installing them (“installer immediately checks the locale … before downloading the actual software … copying both to the %APPDATA%/local/UB folder”).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – The installer replaces the legitimate Chrome.exe with UB-Launcher.exe and ships a modified chrome_elf.dll that the launcher loads at runtime, so what looks like a stock Chrome installation is in fact the actor’s build (“replace the Chrome.exe binary by ‘UB-Launcher.exe,’ turning a legitimate Chrome installation into the ‘Universe Browser’ … chrome_elf.dll … invoked at runtime”).
  • [T1056.001] Input Capture: Keylogging / [T1115] Clipboard Data – The Universe Browser installs system hooks that monitor clipboard content and carries functionality consistent with keylogging (“installer … introduces a number of persistent programs … changes to the network configurations … install system hooks to monitor clipboard content”).
  • [T1071.001] Application Layer Protocol: Web Protocols / [T1572] Protocol Tunneling – UBService and the bundled extensions route the user’s traffic through SOCKS5 proxies exposed over SSH connections to actor-controlled hosts, while a hardware-derived UID is reported to Google Analytics over HTTP(S) (“generate … UID … sent to Google Analytics … derived keys … used to set up Secure Shell (SSH) connections … advertised as SOCKS5 proxies”).
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Universe Browser disables DevTools and chrome:// pages and removes many browser functionalities to hinder analysis (“Some Chrome functionality is disabled, including Dev Tools and chrome:// pages … nearly every setting is inaccessible”).
  • [T1027] Obfuscated Files or Information – UBService keeps its routing and configuration data in an encrypted SQLite3 table and hides the keys needed to decrypt updates in an HTTP 418 error page and in DNS TXT records, so neither the database nor a captured update is readable without the out-of-band key (“large SQLITE3 table containing encrypted records” and “keys hidden on a 418 error page” used for decrypting updated routes).
  • [T1071.004] Application Layer Protocol: DNS / [T1568.002] Dynamic Resolution: Domain Generation Algorithms – The service queries several static, hardcoded domains for DNS TXT records that carry encrypted keys, and relies on DDGA domains and a large domain inventory to manage routing (“the service then queries several static, hardcoded domains for DNS TXT records … DDGA domains … several encrypted keys … used to decrypt the updated routes”).
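The persistence, staging and resolver-change behaviours in the list above translate directly into an endpoint check. The script below is an added example, not code from the Infoblox report: on Windows it reads the Run keys, the per-interface resolver values and the UB staging directory, and scores them with a pure evaluate_host() function that runs anywhere. The binary names and installer hash are the report’s; the resolver address list (the 114DNS address from the 2010 script plus the public AliDNS addresses, since the report says the browser switches to Alibaba DNS), the registry paths and the reading of the report’s “%APPDATA%/local/UB” as %LOCALAPPDATA%\UB are my assumptions, and the off-Windows demo data are constructed.

```python
"""Triage a Windows host for Universe Browser / Vault Viper artefacts.

Added example, not Infoblox's code. Binary names and the installer hash come
from the report; resolver addresses, registry paths and the staging-dir path
are assumptions. Collectors need Windows; evaluate_host() is pure.
"""
import hashlib
import os
import sys
from pathlib import Path

UB_BINARIES = {"ub-launcher.exe", "ubmaintenanceservice.exe", "ubservice.exe"}
UB_INSTALLER_SHA256 = "0592aad472bbadeb6edc55573d7bcd2cff560504de5c94d8e1600188f143e523"
# Assumption: 114.114.114.114 (114DNS, from the 2010 VBS) and AliDNS (223.5.5.5 / 223.6.6.6).
SUSPECT_RESOLVERS = {"114.114.114.114", "223.5.5.5", "223.6.6.6"}
RUN_KEY_PATH = r"Software\Microsoft\Windows\CurrentVersion\Run"
TCPIP_IFACES = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def evaluate_host(run_entries, dns_servers, ub_dir_files, file_hashes):
    """Pure detection logic. run_entries: [(value_name, command)]; dns_servers:
    set of resolver IPs; ub_dir_files: basenames in the UB staging dir;
    file_hashes: {path: sha256}. Returns one finding string per hit."""
    findings = []
    for name, cmd in run_entries:                               # T1547.001
        if any(b in cmd.lower() for b in UB_BINARIES):
            findings.append(f"T1547.001 Run value {name!r} launches {cmd}")
    for ip in sorted(set(dns_servers) & SUSPECT_RESOLVERS):    # resolver swap (T1059.005 VBS)
        findings.append(f"DNS resolver set to {ip}")
    if ub_dir_files:                                            # T1105 staged downloads
        known = [f for f in ub_dir_files if f.lower() in UB_BINARIES]
        findings.append(f"T1105 UB staging dir holds {len(ub_dir_files)} files, known names: {known}")
    for path, digest in file_hashes.items():                    # installer IoC
        if digest.lower() == UB_INSTALLER_SHA256:
            findings.append(f"IOC installer hash match: {path}")
    return findings


def collect_run_entries():
    import winreg  # Windows only
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            with winreg.OpenKey(hive, RUN_KEY_PATH) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    entries.append((name, str(value)))
        except OSError:
            pass
    return entries


def collect_dns_servers():
    import winreg  # Windows only; reads static and DHCP resolver values per interface
    servers = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, TCPIP_IFACES) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            with winreg.OpenKey(root, winreg.EnumKey(root, i)) as iface:
                for value_name in ("NameServer", "DhcpNameServer"):
                    try:
                        raw, _ = winreg.QueryValueEx(iface, value_name)
                        servers.update(raw.replace(",", " ").split())
                    except OSError:
                        continue
    return servers


def collect_ub_dir():
    # Assumption: the report's "%APPDATA%/local/UB" is AppData\Local\UB, i.e. %LOCALAPPDATA%\UB.
    ub_dir = Path(os.environ.get("LOCALAPPDATA", "")) / "UB"
    files = [p for p in ub_dir.iterdir() if p.is_file()] if ub_dir.is_dir() else []
    return [p.name for p in files], {str(p): sha256_of(p) for p in files}


if __name__ == "__main__":
    if sys.platform == "win32":
        names, hashes = collect_ub_dir()
        results = evaluate_host(collect_run_entries(), collect_dns_servers(), names, hashes)
    else:  # constructed data so the logic can be exercised off-box
        results = evaluate_host(
            [("UB", r'"C:\Users\u\AppData\Local\UB\UB-Launcher.exe"')],
            {"10.0.0.1", "114.114.114.114"}, ["UB-Launcher.exe", "Application.7z"], {})
    print("\n".join(results) or "no Universe Browser artefacts found")
```

A hit on the resolver check alone is worth chasing even when no UB files remain, since the report describes the resolver change persisting through the actor’s own scripts; treat the installer hash as a confirmation, not a prerequisite, because the installer is downloaded per locale and may differ from the sample analysed.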

Indicators of Compromise

  • [SHA256] Windows installer – 0592aad472bbadeb6edc55573d7bcd2cff560504de5c94d8e1600188f143e523 (UB Windows installer)
  • [Domain] C2 / additional downloads – ac101[.]net (historical C2 and hosting of additional payloads), pb88[.]ac101[.]net (update checking endpoint)
  • [Domain] First-level C2 / advertisement pages – ub66[.]net, ub66[.]io, ub66[.]me (advertisement pages and first-level C2s)
  • [Domain] Proxy/DNS key distribution – g1uvvowzz2.bzta2gq4[.]com, hmbmmmuztj.wajn69nk[.]com (domains observed serving DNS TXT keys), and several xn-- punycode ub66 subdomains (e.g., xn--29s7ix44lsga.ub66[.]com)
  • [IP Address] Alibaba-hosted SSH/C2 IPs – 47[.]243[.]69[.]88, 47[.]243[.]172[.]76 (SSH/SOCKS5 proxy/C2 infrastructure), and 47[.]107[.]42[.]176 (additional Alibaba IP)
  • [Domain] Tunnel/download CDN and proxy domains – d1ko2n56twscbk.cloudfront[.]net, chu-shi-biao.s3-website.ap-northeast-2.amazonaws[.]com (proxy/CDN hosting for binaries)
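The DNS TXT key-distribution and DDGA behaviour described in the MITRE section, together with the domain indicators listed above, can be turned into a query-log hunt. The script below is an added example, not code from the Infoblox report: it matches the listed domains (including the xn-- punycode ub66 subdomains, via the registered domain), raises confidence for TXT queries to the key-serving domains, and flags random-looking host and second-level labels of the kind seen in the report’s key-distribution domains. The four-field log format, the sample lines (one of which is a made-up DDGA-like domain, not a report indicator) and the randomness heuristic with its thresholds are my assumptions.

```python
"""Hunt DNS query logs for the Vault Viper indicators listed above.

Added example, not the Infoblox report's code. Domain indicators are the ones
from the IoC list (defanging removed). The four-field log format, the sample
lines and the 'random-looking label' heuristic are my assumptions.
"""
import re
from collections import Counter

IOC_DOMAINS = {"ac101.net", "ub66.net", "ub66.io", "ub66.me", "ub66.com",
               "bzta2gq4.com", "wajn69nk.com"}
IOC_FQDNS = {"pb88.ac101.net", "d1ko2n56twscbk.cloudfront.net",
             "chu-shi-biao.s3-website.ap-northeast-2.amazonaws.com"}
# Domains the report says served encrypted keys in TXT records: a TXT query here
# is a higher-confidence hit than an A lookup.
TXT_KEY_DOMAINS = {"bzta2gq4.com", "wajn69nk.com"}

# Constructed log format: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")

# Constructed sample; the q7pk2m9xz1.r3tq8vm2.net line is made up, not a report IoC.
SAMPLE_LOG = """\
2025-10-28T09:14:02Z 10.0.5.23 www.example.com A
2025-10-28T09:14:05Z 10.0.5.23 pb88.ac101.net A
2025-10-28T09:14:06Z 10.0.5.23 g1uvvowzz2.bzta2gq4.com TXT
2025-10-28T09:14:07Z 10.0.5.41 xn--29s7ix44lsga.ub66.com A
2025-10-28T09:14:09Z 10.0.5.41 q7pk2m9xz1.r3tq8vm2.net TXT
2025-10-28T09:14:11Z 10.0.5.23 d1ko2n56twscbk.cloudfront.net A
"""


def registered_domain(qname: str) -> str:
    """Naive eTLD+1 (last two labels); enough for the .net/.io/.me/.com IoCs here.
    Use a public-suffix library before pointing this at co.uk-style names."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def looks_random(label: str) -> bool:
    """Triage heuristic for labels like g1uvvowzz2 / bzta2gq4 / hmbmmmuztj:
    8-10 alphanumerics, few vowels, and either a digit or a long consonant run.
    Thresholds are an assumption; expect some false positives (e.g. 'strength')."""
    if not (8 <= len(label) <= 10) or not label.isalnum():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    has_digit = any(ch.isdigit() for ch in label)
    longest_run = max((len(r) for r in CONSONANT_RUN.findall(label)), default=0)
    return vowel_ratio <= 0.25 and (has_digit or longest_run >= 4)


def looks_ddga(qname: str) -> bool:
    """Both the host label and the second-level label look generated."""
    labels = qname.rstrip(".").lower().split(".")
    return len(labels) >= 3 and looks_random(labels[0]) and looks_random(labels[-2])


def classify(qname: str, qtype: str) -> list:
    qname, qtype = qname.rstrip(".").lower(), qtype.upper()
    rd = registered_domain(qname)
    reasons = []
    if qname in IOC_FQDNS:
        reasons.append("ioc-fqdn")
    if rd in IOC_DOMAINS:            # also catches the xn-- punycode ub66 subdomains
        reasons.append("ioc-domain")
    if qtype == "TXT" and rd in TXT_KEY_DOMAINS:
        reasons.append("txt-key-domain")
    if looks_ddga(qname):
        reasons.append("ddga-like")
    return reasons


def hunt(lines) -> list:
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["qname"], m["qtype"])
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"],
                             "qname": m["qname"].lower(), "qtype": m["qtype"].upper(),
                             "reasons": reasons})
    return findings


def clients_by_hits(findings) -> Counter:
    """Which hosts to image first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f"{f['client']:<10} {f['qtype']:<4} {f['qname']:<45} {', '.join(f['reasons'])}")
    print(clients_by_hits(hits))
```

The ddga-like flag on its own is a lead, not a verdict; pair it with the TXT query type and a resolver-side look at the answer (the report’s key records are TXT, not A), and add the SSH/SOCKS5 IPs listed above to a separate flow-log hunt since they never appear in DNS queries.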

Read more: https://blogs.infoblox.com/threat-intelligence/vault-viper-high-stakes-hidden-threats/