Threat Advisory

MODBEACON Trojan Targets Specific Victims with Customized Malware Delivery

Threat: Malware Campaign
Threat Actor Name: Silver Fox Ghost Distributor
Targeted Region: Asia
Targeted Sector: Technology & IT, Education
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A low- cybercriminal operation, Silver Fox / UTG-Q-1000, distributes counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS trojan families. In mid-, a Ghost distributor delivering a highly modular special trojan written in Rust to specific targets was detected.

The trojan is named MODBEACON and its victim targeting is highly customized, spanning sectors including technology, education, and state-owned enterprises. MODBEACON's requested C2 domains are hosted on Amazon CDN and Cloudflare CDN. The trojan is a professional and private C2 framework with a high overall engineering quality.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A low- cybercriminal operation, Silver Fox / UTG-Q-1000, distributes counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS trojan families. In mid-, a Ghost distributor delivering a highly modular special trojan written in Rust to specific targets was detected.

The trojan is named MODBEACON and its victim targeting is highly customized, spanning sectors including technology, education, and state-owned enterprises. MODBEACON's requested C2 domains are hosted on Amazon CDN and Cloudflare CDN. The trojan is a professional and private C2 framework with a high overall engineering quality.[emaillocker id="1283"]

The Ghost distributor conducts "black-on-black" operations targeting Cambodia's gambling industry. Its motives can no longer be explained by purely economic objectives, suggesting outsourced political intent behind its activities. The Qianxin SkyEye "Liuhe" Advanced Threat Defense Engine is capable of intercepting MODBEACON stage shellcode.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.002 Phishing Spearphishing Link
Execution T1059.006 Command and Scripting Interpreter Python
Persistence T1543.003 Create or Modify System Process Windows Service
Defence Evasion T1027.002 Obfuscated Files or Information Software Packing
Command and control T1071.001 Application Layer Protocol Web Protocols
Command and control T1571 Non Standard Port-
Command and control T1573.001 Encrypted Channel Symmetric Cryptography
Exfiltration T1041 Exfiltration Over C2 Channel -

MBC MAPPING:

Objective Behavior ID Behavior
Command & Control B0030 C2 Communication
Impact B0022 Remote Access
Execution E1204 User Execution
Execution B0023 Install Additional Program
Defense Evasion B0029 Polymorphic Code
Anti-Behavioral Analysis B0003 Dynamic Analysis Evasion
Anti-Static Analysis E1027 Obfuscated Files or Information
Exfiltration E1020 Automated Exfiltration
Discovery E1083 File and Directory Discovery

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu