Analysis Summary
# Threat Actor: You Dun
## Attribution & Identity
Identified as a Chinese-speaking hacking group that self-identifies as "You Dun." The analysis was based on an open directory containing their toolkit and activity history.
## Activity Summary
The threat actor engaged in reconnaissance and web exploitation activities. They successfully exploited several websites running Zhiyuan OA software using SQL injection. Following initial access, they attempted privilege escalation on compromised hosts using specialized tools for Linux, Docker, and Kubernetes environments. C2 communication was tracked actively between January 18th and February 10th, 2024. They also utilized a leaked LockBit 3 builder to create a payload with a custom ransom note referencing a Telegram group.
## Tactics, Techniques & Procedures
- **Reconnaissance:** Extensive scanning using specialized tools.
- **Exploitation:** Exploitation of public-facing applications (Zhiyuan OA software) via SQL injection (T1190, T1071.001).
- **Privilege Escalation:** Use of `traitor` for Linux privilege escalation, and `CDK` for Docker and Kubernetes privilege escalation (T1068).
- **Command and Control (C2):** Use of Viper C2 framework and Cobalt Strike, enhanced with custom extensions (T1071).
- **Lateral Movement/Persistence:** Evidence of C2 frameworks being deployed.
- **Impact:** Referenced use of LockBit 3 builder indicating potential for data encryption (T1486).
- **Scanning:** Vulnerability scanning (T1595.002) and wordlist scanning (T1595.003).
- **Ingress Tool Transfer:** Implied by the presence of multiple toolsets (T1105).
- **MITRE ATT&CK IDs Mentioned:** T1071 (Application Layer Protocol), T1486 (Data Encrypted for Impact), T1068 (Exploitation for Privilege Escalation), T1190 (Exploit Public-Facing Application), T1105 (Ingress Tool Transfer), T1595.002 (Vulnerability Scanning), T1071.001 (Web Protocols), T1595.003 (Wordlist Scanning).
## Targeting
- **Sectors:** Organizations running Zhiyuan OA software were specifically targeted, along with general web exploitation targets.
- **Geography:** South Korea, China, Thailand, Taiwan, and Iran.
- **Victims:** Unspecified organizations running Zhiyuan OA software.
## Tools & Infrastructure
- **Scanning/Exploitation Tools:** WebLogicScan, Vulmap, Xray, SQLmap.
- **Privilege Escalation Tools:** `traitor` (Linux), `CDK` (Docker/Kubernetes).
- **C2 Frameworks:** Viper C2 framework, Cobalt Strike kit (including TaoWu and Ladon extensions).
- **Malware Families Used:** Leaked LockBit 3 builder payload.
- **Infrastructure:** Active C2 server tracked from Jan 18th to Feb 10th, 2024. Specific C2 artifacts identified include:
  - Cobalt Strike artifacts (e.g., `temp.exe`, `user.exe`)
  - TaoWu extension files (e.g., `PrintSpoofer.dll`/`PrintSpoofer.exe`, `frpc.exe`, `fscan.exe`, `nc.exe`)
  - Ladon extension files (e.g., `Ladon-cn.cna`, `Ladon.ps1`, `Ladon911.exe`)
## Implications
You Dun is an active, commercially sophisticated threat actor leveraging widely known web exploitation tools alongside specialized C2 capabilities (Cobalt Strike with custom extensions like TaoWu/Ladon) to gain initial access. Their tactics evolve to include container/virtualization privilege escalation techniques (`CDK`) and the potential for deploying commodity ransomware (LockBit 3). Their targeting suggests a focus on East Asian entities coupled with operations reaching into Iran.
## Mitigations
- Immediately patch and secure all public-facing web applications, especially those running Zhiyuan OA software.
- Implement stringent controls and WAF policies to detect and block SQL injection attempts.
- Monitor for exploitation attempts targeting known vulnerabilities leveraged by scanning tools like WebLogicScan and Vulmap.
- Enhance host-based detection to identify the execution of the privilege escalation tools observed (e.g., `traitor`, `CDK`).
- Monitor for network traffic associated with C2 frameworks like Viper and Cobalt Strike, particularly if unusual beacons or encrypted traffic patterns are observed.
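The artifact names listed under Tools & Infrastructure and the host-based detection mitigation above can be turned into a simple process-event check. The following is an added example, not code from the report or from The DFIR Report: it scans constructed JSON-lines process-creation events (hypothetical hosts and paths) for the tool and extension file names the report lists, matching both the process image and any script or DLL passed on the command line.

```python
import json

# Artifact names taken from the report's Tools & Infrastructure section.
# temp.exe / user.exe are deliberately left out: the names are too generic
# to match on alone and would flood the rule with false positives.
TOOL_NAMES = {
    "traitor": "traitor (Linux privilege escalation)",
    "cdk": "CDK (Docker/Kubernetes privilege escalation)",
    "printspoofer.exe": "TaoWu extension: PrintSpoofer",
    "printspoofer.dll": "TaoWu extension: PrintSpoofer",
    "frpc.exe": "TaoWu extension: frpc",
    "fscan.exe": "TaoWu extension: fscan",
    "nc.exe": "TaoWu extension: nc",
    "ladon-cn.cna": "Ladon extension: aggressor script",
    "ladon.ps1": "Ladon extension: PowerShell script",
    "ladon911.exe": "Ladon extension: Ladon911",
}

def basename(path: str) -> str:
    """Last path component, lower-cased; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1].lower()

def match_event(event: dict) -> list[str]:
    """Report tool names referenced by one process-creation event.
    The image is checked first; command-line tokens are then checked so a
    script or DLL passed as an argument (Ladon.ps1 under powershell.exe,
    PrintSpoofer.dll under rundll32.exe) is caught as well."""
    found = []
    image = basename(event.get("image", ""))
    if image in TOOL_NAMES:
        found.append(image)
    for token in event.get("command_line", "").replace('"', " ").split():
        name = basename(token)
        if name in TOOL_NAMES and name not in found:
            found.append(name)
    return found

def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Scan JSON-lines process events; return (host, tool name, description)."""
    hits = []
    for line in lines:
        event = json.loads(line)
        for name in match_event(event):
            hits.append((event["host"], name, TOOL_NAMES[name]))
    return hits

# Constructed sample events (hypothetical hosts and paths, not from the report).
SAMPLE_EVENTS = [
    '{"host": "web01", "image": "/usr/bin/python3", "command_line": "python3 app.py"}',
    '{"host": "web01", "image": "/tmp/traitor", "command_line": "./traitor"}',
    '{"host": "ws07", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell.exe -File C:\\\\Users\\\\Public\\\\Ladon.ps1"}',
    '{"host": "ws07", "image": "C:\\\\Users\\\\Public\\\\fscan.exe", "command_line": "fscan.exe"}',
]
print(scan(SAMPLE_EVENTS))
```

In production the name list would sit beside, not replace, hash- and behaviour-based rules, since attackers rename binaries freely.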