An open directory analysis uncovered a Chinese-speaking threat actor toolkit linked to “You Dun,” revealing extensive scanning, web exploitation, and post-exploitation tooling (WebLogicScan, Vulmap, Xray, SQLmap, dirsearch). The findings map out their use of Cobalt Strike and the Viper C2 framework (with TaoWu and Ladon extensions), a leaked LockBit 3 ransomware builder, and activity encompassing data sales, DDoS, and ransomware deployment. #YouDun #WebLogicScan #Vulmap #Xray #SQLmap #dirsearch #CobaltStrike #TaoWu #Ladon #LockBit #Telegram #DarkCloudShieldTechnicalTeam #ZhiyuanOA #WPCargo #CVE-2021-25003
Key points
- Threat actor identified as “You Dun,” a Chinese-speaking group.
- Reconnaissance and exploitation used tools like WebLogicScan, Vulmap, Xray, SQLmap, and dirsearch across multiple targets.
- Evidence of successful exploitation of Zhiyuan OA software and other vulnerable servers.
- Cobalt Strike and Viper C2 framework found in the open directory, including TaoWu and Ladon extensions.
- LockBit 3 ransomware builder was used to create a custom payload with a ransom note referencing a Telegram group.
- Threat activities include data sales, DDoS, and ransomware deployment; C2 infrastructure tracked via multiple IPs and Telegram groups.
- Targets span several countries (Korea, China, Thailand, Taiwan, Iran) with country-specific target lists.
MITRE Techniques
- [T1071] Application Layer Protocol – Used for command and control communications.
- [T1486] Data Encrypted for Impact – Encryption of files to prevent access by victims.
- [T1068] Exploitation for Privilege Escalation – Exploiting vulnerabilities to gain elevated privileges.
- [T1190] Exploit Public-Facing Application – Targeting web applications to gain initial access.
- [T1105] Ingress Tool Transfer – Transferring tools to the compromised environment.
- [T1595.002] Vulnerability Scanning – Scanning for vulnerabilities in target systems.
- [T1071.001] Web Protocols – Using web protocols for command and control.
- [T1595.003] Wordlist Scanning – Using wordlists to identify potential targets.
Indicators of Compromise
- [IP Address] Proxy/back end infrastructure – 43.228.89.245, 116.212.120.32
- [IP Address] Targeting and access activity – 101.36.124.183
- [Domain/URL] fgfg.bcfnwg.cc – beacon domain
- [Domain/URL] t.me/You_Dun – Telegram channel linked to the group
- [File Hash] LB3.exe – SHA256: 07104f9be906e62be7539e4f81d980dddb480d64dce204c199a2afe5a0bc3367
- [File Hash] YeNoenXSQB.exe – SHA256: fa301a12655598b9266a8315ac7f48da4f79ed4ea39273e57ac08b8c66b6fced
- [File Name] 红队版.zip – file in the open directory (Cobalt Strike kit)
- [SSH Fingerprint] SSH Fingerprint for OpenDir – 1192d660e36e9b6f671a22a1ed1adb50f752ca986885ecfffdbbf3967e8ff9c1
Read more: https://thedfirreport.com/2024/10/28/inside-the-open-directory-of-the-you-dun-threat-group/