
2025/04/21 16:18:36 hotcomm 1572

Preface

Recently, 360 Internet Security Center detected a network-hijacking Trojan spreading on a large scale in the computer rooms of many Internet cafes and universities. The Trojan began spreading in China in September 2018 and steals user privacy by tampering with network settings, hijacking client network traffic, monitoring QQ chats, and so on.

Further tracing showed that the affected Internet cafes and school computer rooms were all running a piece of software called "Ruiqi (Richtech) Diskless System (ad-removed version)", a cracked build that is used to implant a "Xinge Trojan" with hijacking functionality on user machines. According to the data we have, at least 60 Internet cafes and 9 universities have been affected, more than 9,000 websites have been hijacked, and information such as users' QQ numbers and chat-record files is collected. The Trojan ultimately earns large profits by hijacking websites, redirecting navigation-page traffic, and promoting games.

Trojan analysis

The ad-removed version of the diskless system delivers a Trojan named AD_xxxxx_UID.exe:

[Figure: Trojan file information]

The Trojan achieves network hijacking by tampering with the DNS settings and the Hosts file; the relationship between its components is shown below:

[Figure: simplified execution flow]

[Figure: game menu interface]

Installation process

The Ruiqi server program releases the relevant files and pushes them to the client program on every workstation for execution, so every machine in the diskless network is hit. After the client's game menu program starts, it reads the Autorun startup item configured in MenuScreenConfig.xml and executes it automatically. The startup chain is TopTen\menu.dat → RichtechGameTool.exe → Programlog.exe → AD_xxxxx_UID.exe, and the last step runs the Trojan. To disguise itself, the Trojan also copies itself into the directories of common software such as Tencent TGP and Adobe and executes from there:

[Figure: code fragment that copies the Trojan into the Adobe and TGP directories]

Website hijacking

In its final stage the Trojan generates a script named Tencent.vbs locally from data fetched from the cloud. When the script runs, it performs the hijacking by tampering with the DNS settings and the Hosts file. At the same time the Trojan reports user information back to the cloud server database, including the machine name, MAC address, internal IP address and external IP address.

[Figure: the Trojan fetching the content to hijack from the cloud database]

The landing page shown after hijacking requests its display content from the server database according to the UID. If that request fails, it redirects to the 2345 navigation page with the channel number k1828680. The page it displays even contains code that prints text such as "Artificial intelligence is the core technology of its development" to the browser console:

[Figure: text displayed in the browser console]

[Figure: console output code in the web page source]

Recording QQ information

The Trojan also records QQ information on the machine, including the IP address, machine name, login time, logout time, QQ number, QQ chat-record file and recording time.

[Figure: QQ information recorded by the Trojan]

Trojan backend data

According to the backend statistics we obtained, a total of 75,000 computers were hijacked, and these computers reported about 2.2 million records (as of January 16, 2019):

[Figure: database of reported information]

[Figure: some of the affected Internet cafes and schools]

Statistics on the IP addresses in the database show that Guangdong accounts for as much as 45.02%, followed by Hunan (6.78%), Jilin (4.98%), Henan (4.8%) and Guangxi (4.52%). The full distribution is shown in the figure below:

[Figure: regional distribution of infected devices]

Traceability information

Analysis of the information in the database shows that the gang distributed the Trojan through a multi-level agent (reseller) model, and that the domain names hosting the hijack pages were all registered in the name of "Zhenjiang** Network Technology Co., Ltd.":

[Figure: agent information in the database]

[Figure: registration information for the domain names hosting the hijack pages]

From public records we can look up the company's main personnel and its corporate structure:

[Figure: corporate structure and main person in charge of Zhenjiang ** Network Technology Co., Ltd.]

Summary

So far the Trojans we have observed are mainly used to hijack websites and monitor QQ communications. The attackers may later push additional malicious programs, such as account-stealing Trojans, ransomware and miners, to make money. A diskless system of this kind usually serves many computers, so once the server is compromised the entire network is affected.

360 Internet Security Center reminds:

1. When using the Internet in public environments such as Internet cafes, take extra care and, where possible, log in by scanning a QR code rather than typing a password.

2. Avoid using online banking or handling sensitive personal data in such public environments.

3. Network administrators can check whether a machine's DNS settings and Hosts file have been tampered with, or install 360 Security Guard to detect and remove such Trojans.
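The following is an added example of the check recommended in item 3 above, covering the Hosts-file and DNS tampering that Tencent.vbs performs in the website-hijacking section; it is not code from the original report or from 360. It parses the Windows Hosts file and English-locale `ipconfig /all` output, flags any name mapped to a routable address and any resolver outside a trusted set, and names the 47.97.123[.]210 resolver from the IOC list when it is found. The TRUSTED_DNS set, the .test domain names and both sample inputs are constructed assumptions, not data from the report.

```python
"""Check a Windows workstation for the Hosts-file and DNS-server tampering
described in this report. Added example, not 360's own tooling."""
import ipaddress
import re
import subprocess
from pathlib import Path

# Indicator taken from the IOC list at the end of the report.
KNOWN_BAD_IPS = {"47.97.123.210"}
# Assumption: resolvers the cafe or campus network legitimately hands out.
TRUSTED_DNS = {"192.168.1.1", "114.114.114.114"}

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                          # malformed line, ignore
        entries.extend((ip, name.lower()) for name in names)
    return entries


def suspicious_hosts_entries(text):
    """Flag hosts entries that redirect a name to a routable address.

    A stock Windows hosts file holds only comments (and optionally loopback
    lines), so any routable mapping deserves review; a mapping to an address
    from the IOC list is reported as such.
    """
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        reason = "known-bad IP" if ip in KNOWN_BAD_IPS else "routable override"
        findings.append((name, ip, reason))
    return findings


def dns_servers_from_ipconfig(output):
    """Extract resolver addresses from English-locale `ipconfig /all` output.

    The first resolver follows the "DNS Servers" label; further resolvers
    appear alone on the indented lines that follow it.
    """
    servers, in_dns = [], False
    for line in output.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            servers.append(m.group(1))
            in_dns = True
            continue
        cont = line.strip()
        if in_dns and cont and re.fullmatch(r"[0-9A-Fa-f.:%]+", cont):
            servers.append(cont)
        else:
            in_dns = False
    return servers


def untrusted_dns(servers):
    """Return (server, reason) for resolvers outside the trusted set."""
    findings = []
    for s in servers:
        if s in KNOWN_BAD_IPS:
            findings.append((s, "known-bad IP"))
        elif s not in TRUSTED_DNS:
            findings.append((s, "not in trusted list"))
    return findings


def scan_live_host():
    """Run both checks on the current machine (Windows only)."""
    hosts_text = HOSTS_PATH.read_text(encoding="utf-8", errors="replace")
    ipconfig = subprocess.run(["ipconfig", "/all"], capture_output=True,
                              text=True, check=True).stdout
    return (suspicious_hosts_entries(hosts_text),
            untrusted_dns(dns_servers_from_ipconfig(ipconfig)))


# Constructed sample input: what a tampered hosts file might look like.
# The .test names are placeholders, not the sites actually hijacked.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#\t127.0.0.1       localhost
127.0.0.1 localhost
47.97.123.210   www.example-nav.test
47.97.123.210   game.example.test   # override written by the hijack script
"""

# Constructed sample `ipconfig /all` fragment with a rogue first resolver.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   IPv4 Address. . . . . . . . . . . : 192.168.1.57
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 47.97.123.210
                                       114.114.114.114
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("hosts:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("dns:", untrusted_dns(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)))
```

On a workstation, call scan_live_host() instead of the samples. The "DNS Servers" label is localized on non-English Windows builds, so the regex must be adjusted to the local label, and because the Trojan writes its overrides from a server-side list (the dns_chuanqi.hosts URL in the IOC section), every routable Hosts entry should be treated as suspect rather than only the one address listed here.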

MD5:

b41b87a494dcace1e80d2bb799e27779

ad911af95d591edbff0ffe95b2c9d2b5

9166dc84fb69f1d628e7ec8dbe1dd905

8cbe3c789dde4016fb23c7df3a8d33a0

Hosts/IP hijacking list:

http://www.ntxxz[.]cn/public/conf/dns_chuanqi.hosts

DNS:

47.97.123[.]210

*Author: 360 Security Guard. Please credit FreeBuf.COM when reprinting.
