New cyber threat threatens Chinese government agencies with data theft

The attackers tailor several types of attacks to each individual target.

In recent months, the Chinese information space has seen an increase in cyber attacks aimed at critical infrastructure facilities. One of the most disturbing developments was the discovery, by experts from the Fuying Lab team, of a new series of APT attacks by the Shuangyirat group. Over the past 6 months the attackers have carried out complex intrusions, demonstrating a high level of skill and the ability to cause significant damage.

Fuying Lab detected the use of unique tools by the attackers, which made it possible to identify the campaign as Double XOR Rat. The name comes from a characteristic method of encrypting command-and-control traffic: XOR encryption is applied twice in the communication process.
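As an added illustration (not code from the article or from Fuying Lab's report), the following shows why a second XOR layer adds no work for an analyst: two repeating XOR keys collapse into a single effective key, and a short known plaintext prefix in a captured message recovers that key. The keys, the beacon format and the captured messages are all constructed for this example.

```python
from itertools import cycle


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (also works as a key-combining helper)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """Constructed 'double XOR' scheme: two repeating keys of equal length applied in turn."""
    return xor_bytes(xor_bytes(data, key1), key2)


def effective_key(key1: bytes, key2: bytes) -> bytes:
    """Because XOR is associative, (p ^ k1) ^ k2 == p ^ (k1 ^ k2): both layers equal one key."""
    assert len(key1) == len(key2), "equal-length keys assumed for this example"
    return xor_bytes(key1, key2)


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery: the effective key is ciphertext XOR plaintext
    over one full key period, so a predictable message header is enough."""
    if len(known_prefix) < key_len:
        raise ValueError("known prefix must cover at least one key period")
    return xor_bytes(ciphertext[:key_len], known_prefix[:key_len])


# Constructed sample keys (NOT the real campaign's keys) and constructed beacons.
KEY1 = bytes.fromhex("5a13c49f217e0b88")
KEY2 = bytes.fromhex("3ca10755e912d04e")
BEACON_1 = b"BEACON|host=ws-0042|user=alice|ver=1.2"
BEACON_2 = b"BEACON|host=srv-mail-01|user=svc|ver=1.2"
KNOWN_PREFIX = b"BEACON|host="  # predictable header, 12 bytes >= 8-byte key period


def analyse() -> bytes:
    """Recover the effective key from one captured beacon and decode a second one."""
    captured_1 = double_xor(BEACON_1, KEY1, KEY2)
    captured_2 = double_xor(BEACON_2, KEY1, KEY2)
    key = recover_key(captured_1, KNOWN_PREFIX, len(KEY1))
    return xor_bytes(captured_2, key)  # decoded second beacon


if __name__ == "__main__":
    print(analyse().decode())
```

The recovered key equals `KEY1 ^ KEY2`, so any traffic from the same implant decodes without ever learning the two individual keys.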

The main targets of Double XOR Rat are leading state-owned enterprises, research institutes and government agencies. What sets the group apart is its approach: it exploits vulnerabilities to take control of a large number of Internet-facing network devices, then scans the internal networks behind them in detail to determine the value of each compromised target.

According to Fuying Lab, the group's attacks fall into three main types, each adapted to the characteristics of the targeted systems.

First type of attack

It is based on exploiting vulnerabilities in Internet-accessible security devices to gain initial access. After a successful compromise, a Python HTTP server is started on the captured device to serve additional malicious code, thereby expanding control over the network.

Experts describe this first type as a reconnaissance operation that uses NetBIOS scanning tools to identify Windows hosts inside the network. Depending on the processor architecture of the compromised device, either the NBTscan or the Nextnet scanner is used to assess the value of the target domain.

Second type of attack

It is characterized as a monitoring operation using a Trojan of the group's own development. The Trojan is deployed on devices of high value to the attackers. The malware maintains long-term communication with the compromised system, allowing the attackers to monitor the state of the device and execute commands.

Third type of attack

It is the most specialized of the three and is used only when the victim's domain contains mail service resources. After breaking into email servers, the attackers use them to distribute phishing emails; such campaigns are markedly more effective because the messages come from servers that recipients already treat as trusted (whitelisted).

Investigators warn that the Double XOR Rat campaign continues to be an active threat, and urge companies to strengthen cybersecurity measures, including timely software updates and raising staff awareness of cyber threats.