Multi-hopping in reversed SOCKS – the usage of open source proxies by Chinese threat actors
Our organization has recently discovered a targeted espionage campaign that has likely persisted since at least March of 2021. The activity specifically targets a Saudi non-profit organization and evades detection by injecting custom malicious backdoors, named ‘zar32.dll’ and ‘zor32.dll’ into the process ‘rundll32.exe’ for maintaining persistence. Although some observed TTPs were similar to the TTPs previously discovered by Symantec and attributed to a new threat actor Lancefly, we decided to attribute the discovered activities to a new actor we named Zazor, based on the specific file names used for their implants.
Although the initial access vector was unknown, we observed Zazor establishing command and control (C2) infrastructure using various customized reverse proxy tools such as Fast Reverse Proxy (frp), sSocks and Venom as well as the set of custom implants. The usage of open source reverse proxies by Chinese actors has been noted previously in research by Ahnlab, Symantec and Cisco Talos. We specifically mentioned the usage of Fast Reverse Proxy together while documenting the discovery of the Alchimist post-exploitation framework in October 2022.
This presentation will introduce the attendees into the world of proxy tools commonly used by Chinese threat actors. We will document their history, their basic and more advanced functionality as well as their significance for threat actors. We will discuss in depth the most notable recent campaigns with the emphasis on comparing the tools and techniques exhibited in the attacks. Here, the focus will be on Zazor, as it is a previously unknown threat actor using a specific set of implants. We will discuss the functionality of the newly discovered implants in detail as well as the infection chain we discovered. We will compare Zazor’s TTPs with the activities of Dalbit, Lancefly and other actors commonly using open source proxy tools.
The attendees should leave the session armed with the knowledge that will help them to recognize malicious usage of reverse proxies as well as the known Chinese threat actors employing them.
Mr. Vanja Svajcer
Vanja Svajcer works as a Technical Leader at Cisco Talos. He is a security researcher with more than 20 years of experience in malware research, cyber threat intelligence and detection development.
Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks all the time spent hunting in telemetry data to find new attacks is well worth the effort. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalCCon and others.