Reversed C2 traffic from China

Published: 2018-05-11
Last Updated: 2018-05-11 11:53:06 UTC
by Remco Verhoef (Version: 1)
1 comment(s)

For the past few months, we've seen some intriguing data coming from 3 separate IP addresses within China. The payload of this traffic appears to be generated by the well-known remote access tools njRAT and Gh0st and destined for their C2 server. Normally you would not expect any C2 traffic in honeypots, except in the case of IP address reuse, where you receive an IP address that has previously been used as a C2 server. As we have caught this traffic in multiple honeytraps, someone must be scanning the internet with this payload. Many different destination ports are targeted; so far we have seen ports 991, 1050, 1122, 1177, 1188, 1190, 1199, 1627, 3311, 3460, 5552, 5568, 8484, 8844, 8899, 12345, 33369 and 42091.

The IP addresses we have seen so far are, and. Those IP addresses have a webserver running that serves the message "Y-Team is a network security team, which focus on internet-wide network attack events." together with contact information. It seems that they are searching for active C2 servers.

The payloads that have been used are interesting and similar to other njRAT payloads:

lv|'|'|SGFja2VkXzYx|'|'|DG-69JK87|'|'|root|'|'|2018-02-06|'|'|AKM|'|'|Windows 7 SP1|'|'|Yes|'|'|0.6|'|'|577|'|'||'|'|',[endof]
lv|'|'|bmtfc3VydmlsbGVuY2VfYTE4|'|'|RS-X4FA66|'|'|root|'|'|2018-02-06|'|'|DPRK|'|'|Red Star OS X|'|'|Yes|'|'|1.0|'|'|577|'|'||'|'|',[endof]

If you extract the interesting parts of the payload (the fields are separated by the literal string |'|'| and the message is terminated by [endof]):

* bmtfc3VydmlsbGVuY2VfYTE4 -> nk_survillence_a18 (a unique identifier for the infected system, composed of the campaign name and an identifier)
* SGFja2VkXzYx -> Hacked_61 (this is also a campaign identifier)
* DG-69JK87 and RS-X4FA66: computer name
* root: user name
* 2018-02-06: date modified of the malware
* AKM and DPRK: locale
* Windows 7 SP1 and Red Star OS X: operating system
* Yes: reports whether a camera is available
* 0.6 and 1.0: malware version
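As an added example (not code from the original diary), here is a small Python parser for this njRAT registration beacon. It splits on the |'|'| separator, checks the [endof] terminator and the leading lv command, base64-decodes the identifier field, and returns None for anything that is not shaped like an njRAT beacon, so the same function can triage honeypot captures. The field names follow the labels given above; the trailing fields (577 and what follows) are kept but not interpreted, because the diary does not interpret them either. The HTTP request in the sample list is constructed here to show the negative case.

```python
import base64
import binascii

# njRAT separates the fields of its registration beacon with the literal
# string |'|'| and terminates each message with [endof]; both are visible
# in the captured payloads above.
SEP = "|'|'|"
END = "[endof]"

# Names for the leading fields, following the labels given in the diary.
# Fields after the version are kept verbatim under "extra": the diary does
# not interpret them, and neither does this parser.
FIELD_NAMES = (
    "command",        # "lv" for the registration beacon
    "victim_id_b64",  # base64 campaign/victim identifier
    "computer_name",
    "user_name",
    "date",           # "date modified" of the malware
    "country",        # locale, e.g. AKM or DPRK
    "os",
    "camera",         # "Yes" / "No"
    "version",
)

# The two beacons captured in the honeytraps, copied from the diary, plus
# one constructed non-njRAT request to exercise the negative case.
SAMPLES = [
    "lv|'|'|SGFja2VkXzYx|'|'|DG-69JK87|'|'|root|'|'|2018-02-06|'|'|AKM|'|'|Windows 7 SP1|'|'|Yes|'|'|0.6|'|'|577|'|'||'|'|',[endof]",
    "lv|'|'|bmtfc3VydmlsbGVuY2VfYTE4|'|'|RS-X4FA66|'|'|root|'|'|2018-02-06|'|'|DPRK|'|'|Red Star OS X|'|'|Yes|'|'|1.0|'|'|577|'|'||'|'|',[endof]",
    "GET /?CAVIT HTTP/1.1\r\nHost: honeypot\r\n\r\n",  # constructed, not njRAT
]


def decode_victim_id(token):
    """Base64-decode the victim/campaign identifier; None if it is not valid base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def parse_beacon(raw):
    """Parse one njRAT 'lv' registration beacon into a dict.

    Returns None when the payload does not have the njRAT beacon shape
    (correct terminator, separator and leading 'lv' command), so the same
    function serves as a cheap detector for honeypot captures.
    """
    if not raw.endswith(END):
        return None
    parts = raw[:-len(END)].split(SEP)
    if parts[0] != "lv" or len(parts) < len(FIELD_NAMES):
        return None
    rec = dict(zip(FIELD_NAMES, parts))
    rec["extra"] = parts[len(FIELD_NAMES):]      # uninterpreted trailing fields
    rec["victim_id"] = decode_victim_id(rec["victim_id_b64"])
    rec["camera"] = rec["camera"] == "Yes"
    return rec


def triage(payloads):
    """Return (index, parsed beacon) for every payload that parses as an njRAT beacon."""
    hits = []
    for i, raw in enumerate(payloads):
        rec = parse_beacon(raw)
        if rec is not None:
            hits.append((i, rec))
    return hits


if __name__ == "__main__":
    for i, rec in triage(SAMPLES):
        print(f"sample {i}: id={rec['victim_id']!r} host={rec['computer_name']} "
              f"user={rec['user_name']} country={rec['country']} os={rec['os']!r} "
              f"camera={rec['camera']} version={rec['version']} extra={rec['extra']}")
```

Running the script prints one line per njRAT sample and skips the HTTP request; decode_victim_id also turns the standalone a2ltam9uZ3VuaXN2ZXJ5aGFwcHk= string mentioned below into its plaintext.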


Another payload we've seen is the base64-encoded string a2ltam9uZ3VuaXN2ZXJ5aGFwcHk=, which decodes to kimjongunisveryhappy.

The payloads contain many references to North Korea, such as nk_survillence_a18, DPRK (Democratic People's Republic of Korea) and Red Star OS X (the North Korean operating system that mimics the look of Apple OS X). Y-Team is evidently making an effort to make the traffic appear to come from an infected North Korean machine.

Besides our honeytraps, AbuseIPDB also contains reports of the same traffic.

Previously, we have seen the same hosts scanning with different payloads:

* /?CAVIT (scanning for Trend Micro OSCE clients on port 12345) 
* / on port 80
* / on port 8081
* /NetSyst81.dll on port 4545

Do you have extra information regarding this diary? Or do you have different views? Please let us know.

