For years now, Chinese state-aligned hackers have been spying on telecommunications companies in Central Asia and beyond, using a newly discovered Linux post-exploitation framework.

The malware is called "Showboat," and also goes by "kworker," the name of a legitimate Linux kernel worker thread. Black Lotus Labs observed different clusters of Showboat activity against entirely dissimilar targets, from an Internet service provider (ISP) in Afghanistan to an unidentified IP address in the disputed Donbas region of eastern Ukraine, suggesting that several Chinese advanced persistent threats (APTs) are sharing it.

At least one of those APTs is Calypso, according to PricewaterhouseCoopers (PwC). First observed in 2019, Calypso is one of China’s lesser-discussed espionage groups, perhaps because its activity occurs in countries where Western cybersecurity companies have less visibility on average: Afghanistan, Kazakhstan, Turkey, and India, for example. Calypso uses Showboat alongside a Windows backdoor of roughly similar sophistication, called “JFMBackdoor.”


The Showboat Post-Exploitation Framework

Showboat is a useful but unexceptional spy tool, which makes it all the more surprising that Chinese threat groups have used it in total secrecy, gathering what may amount to serious geopolitical intelligence, for close to four years.

Its most significant trick, arguably, is its ability to scan for and then infect devices on a local area network (LAN) that aren’t otherwise connected to the public Internet. “So if you do happen to find this in your network, there’s probably a whole lot of other bad stuff in the network, and you’re about to have a very long weekend,” says Danny Adamitis, principal information security engineer at Black Lotus Labs.
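The "kworker" alias mentioned above is a name that, on a healthy Linux host, belongs only to kernel worker threads, so a userland process carrying it is worth a look regardless of which malware family is behind it. The following hunt script is an added example written for this article; it is not code from Black Lotus Labs or PwC and it makes no claims about how Showboat itself installs or persists. It assumes a Linux /proc filesystem and relies on three properties of genuine kernel threads: their parent is kthreadd (PID 2), /proc/PID/cmdline is empty, and /proc/PID/exe cannot be resolved. The sample process table at the bottom is constructed to exercise the check offline.

```python
"""Hunt for userland processes masquerading as Linux kernel 'kworker' threads.

Added example, not from the original article. Heuristic: a real kworker is a
child of kthreadd (PID 2), has an empty /proc/<pid>/cmdline, and has no
resolvable /proc/<pid>/exe link. Anything named kworker that breaks one of
those rules deserves a closer look.
"""
import os
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProcInfo:
    pid: int
    comm: str               # contents of /proc/<pid>/comm
    ppid: int               # PPid line from /proc/<pid>/status
    cmdline: str            # "" for genuine kernel threads
    exe: Optional[str]      # None when /proc/<pid>/exe is unresolvable


def is_suspicious(p: ProcInfo) -> bool:
    """Return True for a kworker-named process that shows userland traits."""
    if not p.comm.startswith("kworker"):
        return False
    return p.ppid != 2 or p.cmdline != "" or p.exe is not None


def find_masquerading(procs: List[ProcInfo]) -> List[ProcInfo]:
    """Filter a process table down to the entries worth triaging."""
    return [p for p in procs if is_suspicious(p)]


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Build a ProcInfo from /proc; returns None if the process vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as f:
            comm = f.read().strip()
        ppid = -1
        with open(f"{base}/status") as f:
            for line in f:
                if line.startswith("PPid:"):
                    ppid = int(line.split()[1])
                    break
        with open(f"{base}/cmdline", "rb") as f:
            cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except (FileNotFoundError, ProcessLookupError):
        return None
    try:
        exe: Optional[str] = os.readlink(f"{base}/exe")
    except (FileNotFoundError, PermissionError):
        # Kernel threads give ENOENT; EACCES means we simply cannot tell
        # without root, so the exe check is skipped for that process.
        exe = None
    return ProcInfo(pid, comm, ppid, cmdline, exe)


def scan_live() -> List[ProcInfo]:
    """Walk /proc on the current host and return suspicious kworker lookalikes."""
    procs = []
    for name in os.listdir("/proc"):
        if name.isdigit():
            info = read_proc(int(name))
            if info is not None:
                procs.append(info)
    return find_masquerading(procs)


# Constructed sample process table (not real telemetry) for offline use.
SAMPLE_PROCS = [
    ProcInfo(17, "kworker/0:1", 2, "", None),                         # genuine
    ProcInfo(350, "kworker/3:0H", 2, "", None),                       # genuine
    ProcInfo(900, "sshd", 1, "/usr/sbin/sshd -D", "/usr/sbin/sshd"),  # not kworker
    ProcInfo(4123, "kworker", 1, "/tmp/.x/kworker", "/tmp/.x/kworker"),  # userland
    ProcInfo(4124, "kworker/u8:2", 4123, "", "/usr/bin/python3"),     # resolvable exe
]


if __name__ == "__main__":
    for p in find_masquerading(SAMPLE_PROCS):
        print(f"[sample] pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe}")
    if os.path.isdir("/proc"):
        for p in scan_live():
            print(f"[live]   pid={p.pid} comm={p.comm} ppid={p.ppid} exe={p.exe}")
```

Run it as root to get a reliable answer on the exe check; unprivileged, a PermissionError on /proc/PID/exe is treated as "unknown" rather than as evidence, so a masquerading process owned by another user is only caught if its parent or cmdline gives it away.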

Though perfectly capable, Showboat hardly goes toe-to-toe with China's top-of-the-line telco malware. BPFdoor, for example, is a passive implant: it attaches a Berkeley Packet Filter to a raw socket and waits for a magic packet that can ride in on otherwise legitimate traffic, including HTTPS connections and Internet Control Message Protocol (ICMP) pings, so it opens no listening port and leaves almost nothing for a port scan or a network sensor to see. In Adamitis' assessment, Showboat "is not the best backdoor I've ever seen. To me this feels like almost a newer version of a ShadowPad where it's just [notable for] kind of cool capabilities."

Yet Showboat's banality could be as much a design feature as a flaw. After all, why invest in a highly complex, bespoke tool when something simple and easy gets the job done? Evidence suggests that the malware has been around since at least mid-2022, but by the time the researchers got to it this year, it registered a grand total of zero detections on VirusTotal (VT), the same score an ultra-stealthy, bespoke implant in the hands of China's most capable "Typhoon" groups might hope for.


“You don’t necessarily always have to write your backdoors exclusively in assembly and do a weird matching packet thing over ICMP,” Adamitis says. “It appears as though they’re still having a moderate degree of success with something that, in my mind, is a little bit more run of the mill.”

Where Showboat isn’t the right tool, the threat actors that use it can dip into a pool of malware shared broadly among Chinese threat actors. “Red Lamassu (a.k.a. Calypso) has historically used PlugX, a malware family widely shared and reused across multiple China-based threat actors,” notes PwC threat intelligence analyst Daniel van Apeldoorn. These days, he adds, “it can tailor its toolset, deploying a Linux backdoor in Linux-heavy environments (such as telecommunications infrastructure, which often runs on Unix-based systems) and a Windows backdoor when targeting corporate or enterprise environments where Windows is dominant.”

China’s Malware Experiments

Black Lotus Labs researcher Ryan English expands on Adamitis’ point. “What China likes to do is they’ll designate certain parts of the world as kind of a laboratory. They’ll test [malware] against perfectly updated virtual systems, then they’ll bring it out into the real world in a small market test. Does this work against that bank in Africa? Does this work against that telco in Vietnam? And if it does, they’re feeling more confident to bring it out to more serious targets.”


At least some of the data supports the interpretation that Showboat was conceived as a small-market tool.

Black Lotus Labs tracked multiple, apparently separate Chinese threat clusters passing it around, without committing to it for long, high-value campaigns against targets of the highest value. For example, one threat cluster seemed to use Showboat somewhat haphazardly, connecting at different times to IP addresses in the US and in the Donbas region. Another deployed it against organizations in countries with less mature cybersecurity on average: an ISP in Afghanistan, and other unnamed victims in Azerbaijan and the Middle East. Meanwhile, the Calypso activity tracked by PwC targeted a telecommunications provider in Afghanistan.

English speculates that Showboat might have found success in these smaller markets. “Somebody said: Perfect is the enemy of good enough. And they let it run. I think that they were probably being economical with that.”
