A low- cybercriminal operation, Silver Fox / UTG-Q-1000, distributes counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS trojan families. In mid-, a Ghost distributor delivering a highly modular special trojan written in Rust to specific targets was detected.
The trojan is named MODBEACON and its victim targeting is highly customized, spanning sectors including technology, education, and state-owned enterprises. MODBEACON's requested C2 domains are hosted on Amazon CDN and Cloudflare CDN. The trojan is a professional and private C2 framework with a high overall engineering quality.[/subscribe_to_unlock_form]
A low- cybercriminal operation, Silver Fox / UTG-Q-1000, distributes counterfeit software via SEO channels. However, behind the scenes lies an organizational structure resembling foreign Malware-as-a-Service (MaaS), composed of multiple distributors. These distributors conduct activities across Asia using counterfeit software installers distributed through SEO campaigns, leveraging variants of Ghost and WinOS trojan families. In mid-, a Ghost distributor delivering a highly modular special trojan written in Rust to specific targets was detected.
The trojan is named MODBEACON and its victim targeting is highly customized, spanning sectors including technology, education, and state-owned enterprises. MODBEACON's requested C2 domains are hosted on Amazon CDN and Cloudflare CDN. The trojan is a professional and private C2 framework with a high overall engineering quality.[emaillocker id="1283"]
The Ghost distributor conducts "black-on-black" operations targeting Cambodia's gambling industry. Its motives can no longer be explained by purely economic objectives, suggesting outsourced political intent behind its activities. The Qianxin SkyEye "Liuhe" Advanced Threat Defense Engine is capable of intercepting MODBEACON stage shellcode.
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Persistence | T1543.003 | Create or Modify System Process | Windows Service |
| Defence Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Command and control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and control | T1571 | Non | Standard Port- |
| Command and control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
| Objective | Behavior ID | Behavior |
|---|---|---|
| Command & Control | B0030 | C2 Communication |
| Impact | B0022 | Remote Access |
| Execution | E1204 | User Execution |
| Execution | B0023 | Install Additional Program |
| Defense Evasion | B0029 | Polymorphic Code |
| Anti-Behavioral Analysis | B0003 | Dynamic Analysis Evasion |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Exfiltration | E1020 | Automated Exfiltration |
| Discovery | E1083 | File and Directory Discovery |
The following reports contain further technical details:
[/emaillocker]