The article details a sustained espionage campaign against telecommunications operators that relies on tools attributed to Chinese espionage groups (Coolclient, Quickheal, Rainyday, linked to Fireant, Needleminer, and Firefly respectively) and uses DLL side-loading, memory patching, and encrypted payloads to deploy backdoors. It also outlines the supporting tradecraft (keylogging, port scanning, credential dumping from registry hives, Responder, enabling RDP) and lists the IOCs (hashes, domains, IPs) associated with the operation. #Coolclient #Quickheal #Rainyday #Fireant #Needleminer #Firefly #swiftandfast
Keypoints
- DLL side-loading and masquerading are used to drop backdoors (e.g., a renamed VLC binary masquerading as googleupdate.exe sideloads libvlc.dll), which in turn loads a loader and staged payloads.
- Three main backdoors are identified, each tied to a Chinese espionage group: Coolclient (Fireant), Quickheal (Needleminer), and Rainyday (Firefly).
- Rainyday employs sideloading with loaders like fspmapi.dll or security.dll, memory patching, and payload decryption/execution as shellcode, with variations using nod193100 and different XOR keys.
- Quickheal is a 32-bit DLL (RasTls.dll) with an export named GetOfficeDatatal, communicating with a hardcoded C2 swiftandfast.net over TCP port 443.
- In addition to backdoors, attackers deployed keylogging, multiple port-scanning tools, credential dumping via registry hives, Responder (LLMNR/NBT-NS/mDNS poisoner), and enabling RDP.
- Links to Chinese espionage groups are noted: Coolclient with Fireant, Quickheal with Needleminer, and Rainyday with Firefly, with broader assessments of these actors operating from China.
- Indicators of Compromise (IOCs) include multiple file hashes, the domain swiftandfast.net, and numerous IP addresses associated with the campaign.
MITRE Techniques
- [T1574.002] DLL Side-Loading – Masquerading via googleupdate.exe to sideload a loader (libvlc.dll) and load encrypted payloads from loader.ja and goopdate.ja, then inject into winver.exe. “A version of the legitimate VLC Media Player masquerading as a Google file (googleupdate.exe) was used to sideload a Coolclient loader (file name: libvlc.dll). The loader reads an encrypted payload from a file named loader.ja. This payload will in turn read a second encrypted payload from a file named goopdate.ja and inject it into the winver.exe process.”
- [T1055] Process Injection – Payload injected into the winver.exe process. “inject it into the winver.exe process.”
- [T1027] Obfuscated/Decoded Data – Payloads (loader.ja, goopdate.ja) are decrypted before execution and run as shellcode; variants use XOR-based decryption with different keys. “decrypts the payload with a single byte XOR key (0x2D) and executes it as shellcode.”
- [T1574.002] DLL Side-Loading – Rainyday’s loader (fspmapi.dll) is sideloaded by fsstm.exe and uses memory patching to hijack execution flow: “the loader patches its memory image” to hijack execution, then reads dataresz, decrypts it with XOR key 0x2D, and runs the result as shellcode.
- [T1056.001] Keylogging – Keylogging malware used by the attackers. “Keylogging malware, possibly custom-developed.”
- [T1046] Network Service Scanning – Port scanning using at least three distinct port-scanning tools. “Port scanning: At least three distinct port-scanning tools were deployed.”
- [T1003.002] Credential Dumping: Registry – Credential theft through the dumping of registry hives. “Credential theft through the dumping of registry hives.”
- [T1557.001] Adversary-in-the-Middle (LLMNR/NBT-NS/mDNS Poisoning) – The Responder tool is used to poison LLMNR, NBT-NS, and multicast DNS. “Responder: A publicly available tool that acts as a LLMNR, NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner.”
- [T1021.001] Remote Services: Remote Desktop Protocol – RDP is enabled for remote access. “Enabling RDP.”
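As an added example (not part of this summary or of the Symantec post), the following hunts over Sysmon-style events for the side-loading chain described above: the host-binary/DLL pairs, the staged payload files, and the injection into winver.exe. The simplified JSON event layout and the sample events are constructed; the Sysmon field names are assumptions about how the telemetry is exported.

```python
"""Hunt for the Coolclient/Rainyday side-loading chain in Sysmon-style events.

Events are one JSON object per line, mimicking Sysmon event IDs
7 (ImageLoad), 8 (CreateRemoteThread) and 11 (FileCreate).
"""
import json
import os

# Host-process / side-loaded-DLL pairs named in the report.
SIDELOAD_PAIRS = {
    ("googleupdate.exe", "libvlc.dll"),  # Coolclient loader
    ("fsstm.exe", "fspmapi.dll"),        # Rainyday loader
}
# Staged/encrypted payload files named in the report.
STAGED_FILES = {"loader.ja", "goopdate.ja", "dataresz", "nod193100"}
# Process the report names as the injection target.
INJECT_TARGETS = {"winver.exe"}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()

def check_event(ev: dict) -> list[str]:
    """Return the indicator labels one event matches (empty if none)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 7:  # a report-named host loading the report-named DLL
        pair = (basename(ev["Image"]), basename(ev["ImageLoaded"]))
        if pair in SIDELOAD_PAIRS:
            hits.append(f"sideload:{pair[0]}->{pair[1]}")
    elif eid == 11:  # creation of a staged payload file
        name = basename(ev["TargetFilename"])
        if name in STAGED_FILES:
            hits.append(f"staged-file:{name}")
    elif eid == 8:  # remote thread created in the injection target
        src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        if dst in INJECT_TARGETS:
            hits.append(f"inject:{src}->{dst}")
    return hits

def scan(lines) -> list[str]:
    """Run check_event over every non-empty JSON line and collect hits."""
    return [h for line in lines if line.strip() for h in check_event(json.loads(line))]

# Constructed sample log (not real telemetry); the VLC line is benign noise.
SAMPLE_LOG = """
{"EventID": 7, "Image": "C:\\\\Users\\\\Public\\\\googleupdate.exe", "ImageLoaded": "C:\\\\Users\\\\Public\\\\libvlc.dll"}
{"EventID": 11, "Image": "C:\\\\Users\\\\Public\\\\googleupdate.exe", "TargetFilename": "C:\\\\Users\\\\Public\\\\loader.ja"}
{"EventID": 7, "Image": "C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\vlc.exe", "ImageLoaded": "C:\\\\Program Files\\\\VideoLAN\\\\VLC\\\\libvlc.dll"}
{"EventID": 8, "SourceImage": "C:\\\\Users\\\\Public\\\\googleupdate.exe", "TargetImage": "C:\\\\Windows\\\\System32\\\\winver.exe"}
{"EventID": 7, "Image": "C:\\\\Temp\\\\fsstm.exe", "ImageLoaded": "C:\\\\Temp\\\\fspmapi.dll"}
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate vlc.exe loading libvlc.dll produces no hit, which is the point of matching the host/DLL pair rather than the DLL name alone.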
Indicators of Compromise
- [Hash] File hashes – 089809e73354648b3caed7db6bc24dcce4f2ef0f327206fd14f36c6619d9ed30, 1906e7d5a745a364c91f5e230e16e1566721ace1183a57e8d25ff437664c7d02, and 9 more hashes
- [Domain] Domain used for C2 – swiftandfast.net
- [IP] IP addresses – 103.180.161.123, 110.34.166.198, and 28+ more
- [Filename] Suspicious file names – loader.ja, goopdate.ja, libvlc.dll, fspmapi.dll, msproxy.exe, security.dll, nod193100, iReports
- [Process] Related processes – winver.exe, googleupdate.exe, fsstm.exe, ProxyChecker.exe
Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/telecoms-espionage-asia