Earlier this month when I was troubleshooting performance issues on my computer, I found that the #WMI host process WmiPrvSE.exe was consistently using about 5% of my CPU. This led me to investigate what was causing it, going down a rabbit hole and issuing a fix.
🧵(1/)
Some of these software features include obtaining the user's Twitter email and phone number, realtime monitoring, publishing tweets on their behalf, and reading DMs.
Twitter monitoring system - dated 2022
The system is designed to monitor a user's top 5 posts, IP address hotspots (more on that later), latest posts.
This system is also used to remote control accounts to make posts, retweet, comment, etc.
Custom RAT built for Windows x64/x86 with features such as process/service/registry management, remote shell, keylogging, file access logging, obtaining system info, disconnect, uninstallation.
An iOS version also... exists somehow, and they claim that this supports all iOS versions. Includes features such as gathering hardware information, GPS data, contacts, media files, and real-time audio record.
No jailbreak required.
I won't talk about this in detail since it contains very sensitive details, but it's basically a bunch of sensitive call logs and call data specifically stolen from the affected telecommunication providers. The type of stuff that not even most workers normally have access to.
This is the weirdest of them all - a WiFi-capable device that can inject into the targeted... Android devices via WiFi? The device is said to be portable, plug and play, supports 3G and 4G. After a successful injection, it can get device info, GPS, SMS, contacts, call log, files
TBs of data stolen from Pakistan, Kazakhstan, Kyrgyzstan, Malaysia, Mongolia, Nepal, Türkiye, India, Egypt, France, Cambodia, Rwanda, Nigeria, Hongkong, Indonesia, Vietnam, Myanmar, Philippines, Afghanistan
Android version also exists, supporting Android 6.0 and above. Features include obtaining system information, GPS, contacts, SMS, call logs, browser history, app list, real-time audio recording, process list, camera, WiFi list, screenshot, keylogging, and system info.
Few interesting tidbits for the Android one
- Ability to dump messages from QQ, WeChat, and MoMo - all popular Chinese IM apps (requires root)
- Ability to keylog specifically QQ, WeChat, Momo *AND* Telegram.
- Ability to elevate as system app for persistence (requires root)
Linux version also exists that specifically supports CentOS 5/6/7 & Ubuntu 12/14. Oddly old versions of these distros. Features include remote shell, file management, Socks5 proxy via SocksCap64, port reuse. Controller appears to be named "TracedStone"
I think the thread blowing up is both a curse and a blessing: people are finally now realizing that the APT operations have been ongoing for ages. If it weren't for the leak, I could have probably never revealed just how wide of an impact they've been causing over the last few years.
With that, I think that wraps up almost everything in the leak. This leak is the most impactful piece of intel I've ever seen in my short three years of working in the industry. A lot of the time we could mostly speculate on what it looks like on the inside of these operations.
Another one: "WiFi Near Field Attack System," with a Standard and Mini edition. The standard version can be installed on a specifically crafted device and be used to infiltrate the internet network... somehow. It doesn't explain.
The Mini version is said to be able to disguise as a power strip, power adapter etc. and can be set up to connect to target WiFi and establish a SOCKS tunnel with the internal network.
A lot of people expressed positive interest in the malware lecture thing, so I'm thrilled to announce that I will be doing a test run of a lecture-styled stream where I'll be going over malware-related stuff for beginners that want to learn about how malware and things work in…
This vtuber was once a history professor, and recently did a history lecture on stream.
It's really cool to all types of knowledge being shared through the vtuber community.
Imagine if more educators were vtubers.
Perhaps this is the future of educational content.
The problem is that this was *not* the first time I've seen people make poor use of WMI. It is usually the easiest way to get certain information, but most definitely not the most efficient - the issue is it gets worse the moment you try to spam the calls.
It's a bit offending when people outside of the field call my coverage some machine translated/AI generated garbage. I've been in the field for multiple years and have held multiple presentations and talks about Chinese APTs.
ah great it also contains population data including their names, email, address, and phone number
doesn't really state where it's from but great, good to know
I offered a fix just now, which makes it so that it uses the native Win32 API to get process name via the PID instead of having to do a roundabout trip to WMI. The performance improvement from my PoC made the call count go from ~2400 calls to a mere 17.
The Standard edition can be used for cracking WiFi passwords, LAN port sniffing, SOCKS tunneling, port projection, remote shell, file management, and remote detonation (self-destruct).
Next chapter, they also have a DDoS system. The botnet client is 29kb sized and can be deployed on to Windows, Linux, or generic IoT devices with the total throughput of 10~100Gbps (or GBps? not specified).
The chatlogs are extremely fascinating as they provide a much broader view of how people are making money off of attacking critical government agencies. I'm seeing quotes and prices all in these chatlogs over intel/data from these hacked institutions.
The standard version comes with 4G ability, 8GB eMMC, dual core 1.2GHz ARM processor, 10000 mAh battery, whilst the mini version runs on MIPS with 128MB of DDR2(?) and does not contain a battery.
> been hiding my follower count on desktop client with Twitter Control Panel
> only occasionally catches a glimpse of follower count
> last I checked it was 380
> *checks phone 12 hours after the coverage*
> almost a 3k
what
Product stack designed for spying on users using Chinese social media, including Weibo user details lookup (email/phone), historic IP address lookup, user detail lookup via the uploaded image (i.e. Alice uploads food pic to Weibo, Alice's details can be pulled up).
There's also specialized hardware for tracking down WiFi devices (i.e. alert when a device with a given WiFi MAC address is in range) and disrupting WiFi signals; it can be controlled with a dedicated smartphone.
It also supports specialized APT attack scenarios, including generating email templates, browser-based attacks, exploited Office document generator and more.
Features designed specifically for forums:
- Emote beacon: Effectively an IP grabber when opened: the user's IP address, port, time, and browser details are returned.
- Link beacon: Same thing as above but URL-based.
Platform designed specifically for cracking down on gambling cases, can be used to look up username, email, password, home address, IP address, etc. Notably, an email address of admin@webside.com can be seen. Not sure if this is a typo of "website".
"Skywalker" data research platform. Used to look up information related to the keyword, such as phone address, email, username, which would then bring up their IRL details.
Email text search platform. The emails can be automatically imported via SMTP, POP3, IMAP, and most importantly, Exchange. The Exchange server can be configured to add "non-plaintext" transfer during transport.
This information can then be fed into an "in-development" feature of looking up user details on various social media, including QQ, WeChat, Weibo, Facebook, and Twitter.
"All-in-one combat platform" product whitepaper - dated 2022.
Appears to be a large internal network for assigning and performing red teaming tasks.
The management can assign tasks to workers from across the states and can assign sufficient resources for these attackers.
With lots of digging, I eventually got to the Microsoft Docs page of troubleshooting WMI high CPU usage (). The page describes how to find the culprit - and helpfully, the doc mentioned a FOSS tool called WMIMon, instead of having to view tracing manually.
Thankfully, everything about duckyPad is open-source, from the hardware, to the firmware, to the relevant software. I quickly pinned down the issue - the Python implementation appears to refresh the window and query Win32_Process in WMI every .25s for the process name.
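As an added illustration of the fix described in this thread (not the duckyPad AutoSwitcher's own code), the snippet below resolves the foreground process name through native Win32 calls by PID instead of polling Win32_Process over WMI, and goes one step further than the thread by caching the result so a lookup only happens when the foreground PID changes; the Win32 functions are standard, the `ProfileSwitcher` class and the simulated PID sequence are constructed here.

```python
"""Foreground-process name without WMI: native Win32 lookup by PID, plus a PID cache."""
import ctypes

PROCESS_QUERY_LIMITED_INFORMATION = 0x1000  # enough access for QueryFullProcessImageNameW


def foreground_pid() -> int:
    """PID that owns the foreground window (Windows only)."""
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    hwnd = user32.GetForegroundWindow()
    pid = wintypes.DWORD(0)
    user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
    return pid.value


def process_name_by_pid(pid: int) -> str:
    """Image name for a PID via OpenProcess + QueryFullProcessImageNameW (Windows only).
    This replaces a `SELECT Name FROM Win32_Process WHERE ProcessId = ...` WMI query."""
    from ctypes import wintypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    handle = kernel32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        return ""
    try:
        buf = ctypes.create_unicode_buffer(wintypes.MAX_PATH)
        size = wintypes.DWORD(len(buf))
        if not kernel32.QueryFullProcessImageNameW(handle, 0, buf, ctypes.byref(size)):
            return ""
        return buf.value.rsplit("\\", 1)[-1]  # keep only the file name
    finally:
        kernel32.CloseHandle(handle)


class ProfileSwitcher:
    """Constructed helper: polls a foreground PID and resolves its name only on change,
    so a 0.25s poll loop costs nothing while the same window stays in front."""

    def __init__(self, lookup=process_name_by_pid):
        self._lookup = lookup
        self._last_pid = None
        self.current_name = ""
        self.lookups = 0  # how many native lookups were actually performed

    def poll(self, pid: int) -> str:
        if pid != self._last_pid:
            self._last_pid = pid
            self.current_name = self._lookup(pid)
            self.lookups += 1
        return self.current_name


def simulate(switcher: ProfileSwitcher, pids) -> list:
    """Feed a constructed sequence of foreground PIDs through poll()."""
    return [switcher.poll(p) for p in pids]
```

On Windows, `ProfileSwitcher().poll(foreground_pid())` in the poll loop gives the live behaviour; the simulation lets the cache logic be checked anywhere.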
hey so uh i know people are a little confused when I said it's from the government - it's not *directly* from the CCP - I immediately corrected myself shortly after in the reply; unfortunately it's getting buried in the comments.
"Email intelligence analysis system" whitepaper - dated 2022
This system is designed for sorting through and viewing data from various email sources, such as Gmail, Outlook, etc.
Check all of the imported emails with keywords, and use emails to create additional relation points.
Every single known Lockbit ransomware group website is either offline or displaying a seized by EUROPOL page.
It appears law enforcement has seized and/or taken down, at minimum, 22 Tor sites, in what is labeled 'Operation Cronos'.
Through WMIMon, I discovered that the culprit was #duckyPad AutoSwitcher, a helper application that switches the profiles on my duckyPad macro keypad depending on the foreground process name. Once I closed the application, the WMI usage was back to normal.
Some basic #IDA101 here: IDA does not support decompiling exception handlers; in other words, code that is within a catch block will not show up in the pseudocode view. A reminder that you should not blindly trust the pseudocode view.
This is a very common anti-analysis method,…
There's also a RAT called Hector.
"Hector is an active RAT that supports HTTP/WebSocket and HTTPS/WS over TLS."
"Hector supports interactive remote shell, file directory viewing, file management."
"Microsoft email secrets platform" - dated 2022
Basically designed to exfiltrate data or attack Outlook/Exchange. The attacker can use it to create phishing emails.
The Chinese APT contractor leak contained a few interesting files; namely:
- CDRs (Call Detail Records)
- LBS (Location Based Services) db records
Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives.
Some background: (1/5)🧵
To clarify, the document leaked from an offsec contractor that works with the Chinese national police. Based on the README, it was likely a disgruntled employee upset with the pay/management. *Probably*.
They claim that they process 100 million+ tweets every day and use many crawlers to crawl Twitter every 5 to 10 minutes. Through compromising the account, it can be used to "curb illegal public opinions."