MAR-10448362-1.v1 Volt Typhoon | CISA

CISA analyzed three artifacts linked to the PRC state-sponsored group Volt Typhoon: a Golang-based FRP client (FRPC) and FRP binary variants used to open reverse proxies, and a UPX-packed ScanLine port scanner. The FRPC samples attempted connections to 203[.]95[.]9[.]54 and BrightmetricAgent attempted 203[.]95[.]8[.]98, and contained configuration and plugin settings for token-authenticated, encrypted proxying. #VoltTyphoon #FRPC

Keypoints

  • CISA received three files from a critical-infrastructure compromise attributed to Volt Typhoon: FRPC (FRProxy client), a Go-based FRP binary (BrightmetricAgent.exe), and the ScanLine port scanner.
  • The Go-based FRP binary (BrightmetricAgent.exe) is UPX-packed, includes KCP support for UDP-based streams, multiplexer libraries, and a CLI that can invoke PowerShell, WMI, and zsh.
  • One FRPC build (SMSvcService.exe) contains a configuration pointing to server_addrs 203[.]95[.]9[.]54 on port 8443 with token-based auth, TLS enabled, and a socks5 plugin exposing remote_port 1080.
  • ScanLine is a UPX-packed command-line port scanner used to scan TCP/UDP ports, grab banners, resolve hostnames, and bind to specified ports/IPs.
  • Observed IOCs include three SHA256 hashes (samples), two IP addresses (203[.]95[.]8[.]98, 203[.]95[.]9[.]54), and the domain pdsguam.biz associated with the proxy infrastructure.

MITRE Techniques

  • [T1090] Proxy – Use of FRP to expose internal servers and relay connections: [‘This utility can be used to locate servers behind a network firewall or obscured through NAT.’]
  • [T1046] Network Service Discovery – Active scanning for open ports using ScanLine: [‘This artifact is a command-line port scanning utility … used to scan for open UDP and TCP ports, grab banners from open ports, resolve IP addresses to host names, and bind to specified ports and IP addresses.’]
  • [T1059] Command and Scripting Interpreter – FRP binaries include CLI libraries that can leverage system shells for command execution: [‘command line interface (CLI) library that can leverage command shells such as PowerShell, Windows Management Instrumentation (WMI), and Z Shell (zsh).’]
  • [T1027] Obfuscated Files or Information – Samples packed with UPX to hinder analysis: [‘packed using Ultimate Packer for Executables (UPX)’]
  • [T1071] Application Layer Protocol – C2 and proxy communications over TCP/UDP/HTTP/HTTPS (and KCP over UDP): [‘Transmission Control Protocol (TCP) … User Datagram Protocol (UDP) … HTTP … HTTPS’ and ‘includes the KCP … protocol that allows for … delivery of data streams using the User Datagram Protocol (UDP)’]

Indicators of Compromise

  • [SHA256] Submitted sample hashes – edc0c63065e88ec96197c8d7a40662a15a812a9583dc6c82b18ecd7e43b13b70, 99b80c5ac352081a64129772ed5e1543d94cad708ba2adc46dc4ab7a0bd563f1, and 1 more hash
  • [File Name] Sample filenames – BrightmetricAgent.exe (edc0c63…), SMSvcService.exe (99b80c5a…)
  • [IP Address] C2 / proxy infrastructure – 203[.]95[.]8[.]98 (BrightmetricAgent attempted connection), 203[.]95[.]9[.]54 (FRPC server_addr entries)
  • [Domain] Associated domain (WHOIS) – pdsguam.biz (nameservers ns.pdsguam.biz / ns2.pdsguam.biz)

The technical artifacts include a UPX-packed Golang implementation of FRP (BrightmetricAgent.exe) and a separate FRPC build (SMSvcService.exe) compiled for Windows. BrightmetricAgent.exe implements FRP server/client features with KCP support for UDP-based, error-checked, encrypted streams, multiplexing libraries for bi-directional NAT traversal, and a CLI capable of invoking PowerShell, WMI, or zsh. By default BrightmetricAgent.exe is configured to contact 203[.]95[.]8[.]98 on TCP port 1080 and requires a specially formed packet from its C2 to fully deploy.

The FRPC build (SMSvcService.exe) contains a standard FRP configuration that lists server_addrs = 203[.]95[.]9[.]54 and server_ports = 8443 with token-based authentication and TLS enabled; it also includes a plugin_socks5 configured to expose remote_port 1080 with encryption and compression enabled. The FRPC binary supports TCP, UDP, HTTP, and HTTPS transports, and provides command-line subcommands and flags (tcp, udp, verify, --config, --token, --tls_enable, --ue, --uc) to launch and validate proxy connections.
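As an added triage example (not code from the CISA report or the FRP project), the Python below parses an frpc.ini-style configuration written with the standard frpc keys and the values reported above, and flags the settings an analyst would report: the server endpoint against the published infrastructure, token and TLS settings, and any socks5 plugin section. The config layout, the placeholder token and the section name are assumptions.

```python
# Added example, not code from the CISA report or the FRP project: parse an
# frpc.ini-style configuration and flag the settings the report describes.
# Standard frpc.ini keys; values reuse the page's indicators, token is a placeholder.
import configparser

# Constructed sample, laid out as it might be recovered from SMSvcService.exe.
SAMPLE_CONFIG = """[common]
server_addr = 203.95.9.54
server_port = 8443
token = TOKEN_PLACEHOLDER
tls_enable = true
[plugin_socks5]
type = tcp
remote_port = 1080
plugin = socks5
use_encryption = true
use_compression = true
"""
# Infrastructure from the report, kept defanged as published.
REPORTED_C2 = {"203[.]95[.]8[.]98", "203[.]95[.]9[.]54"}

def refang(ip: str) -> str:
    # Turn a defanged indicator such as 203[.]95[.]9[.]54 into 203.95.9.54.
    return ip.replace("[.]", ".")

def analyze_frpc_config(text: str) -> dict:
    """Summarise an frpc config and list the findings an analyst would report."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("common"):  # tolerate a partial recovery from strings
        cp.add_section("common")
    common = cp["common"]
    server = common.get("server_addr", "")
    summary = {"server": f"{server}:{common.get('server_port', '')}",
               "reported_c2": server in {refang(i) for i in REPORTED_C2},
               "token_auth": bool(common.get("token")),
               "tls": common.getboolean("tls_enable", fallback=False),
               "proxies": [], "findings": []}
    if summary["reported_c2"]:
        summary["findings"].append("server_addr matches infrastructure in AR24-038a")
    for name in (s for s in cp.sections() if s != "common"):  # each is a proxy
        sec = cp[name]
        proxy = {"name": name, "plugin": sec.get("plugin", ""),
                 "remote_port": int(sec.get("remote_port", "0")),
                 "encrypted": sec.getboolean("use_encryption", fallback=False),
                 "compressed": sec.getboolean("use_compression", fallback=False)}
        summary["proxies"].append(proxy)
        if proxy["plugin"] == "socks5":
            summary["findings"].append(f"{name}: socks5 pivot on remote_port {proxy['remote_port']}")
    return summary
```

Run it over a config block carved from a sample's strings; a match on `reported_c2` together with a socks5 proxy section is the combination described for SMSvcService.exe.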

ScanLine is a UPX-packed, command-line port scanner used to enumerate open TCP/UDP ports, capture banners, resolve hostnames, and bind to addresses. Combined, these tools allow an operator to discover internal services behind NAT/firewalls, create reverse-proxy tunnels to those services, and interact with them remotely via authenticated, encrypted channels. Observed IOCs: three sample SHA256 hashes, IPs 203[.]95[.]8[.]98 and 203[.]95[.]9[.]54, and the domain pdsguam.biz associated with the proxy infrastructure.

Read more: https://www.cisa.gov/news-events/analysis-reports/ar24-038a