tl;dr
We have discovered a previously unknown China-nexus APT group, which we have named “IcePeony”. Due to operational mistakes, they exposed their resources, allowing us to uncover details of their attacks.
IcePeony is a China-nexus APT group that has been active since at least 2023. They have targeted government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam.
Their attacks typically start with SQL Injection, followed by compromise via webshells and backdoors. Interestingly, they use a custom IIS malware called “IceCache”.
Through extensive analysis, we strongly believe that IcePeony is a China-nexus APT group, operating under harsh work conditions.
IcePeony
IcePeony is an unknown attack group. Our research shows that they have been active since at least 2023. They mainly target Asian countries, such as India and Vietnam. In the log files we analyzed, there were over 200 attempts to attack various government websites in India.
They use SQL injection attacks on public web servers. If they find a vulnerability, they install a webshell or malware. Ultimately, their goal is to steal credentials.
We believe IcePeony works for China’s national interests. It is possible that they prioritize China’s maritime strategy.
Our research found that IcePeony targeted government and academic institutions in India, political parties in Vietnam, and government institutions in Mauritius. Recently, they may have also attacked Brazil. It is likely that they will expand their targets in the future.
OPSEC fail
In July, we identified a host that was publicly exposing various attack tools, including CobaltStrike and sqlmap, via an open directory. What made this discovery even more compelling was the presence of a zsh_history file.
One of the most interesting findings was the zsh_history file. Similar to bash_history, the zsh_history file records command history. However, zsh_history also logs timestamps, allowing us to pinpoint the exact time each command was executed.
The zsh_history also includes timestamps, which means we know exactly when each command was executed. This enabled us to construct a highly detailed timeline of the attack.
Unlike a typical timeline created by an IR or SOC analyst, this one offers insight from the attacker’s perspective. We could observe their trial-and-error process and how they executed the intrusion.
The zsh_history was not the only interesting file. There were many others.
For example, IcePeony had configured several helper commands in their alias file, including shortcuts to simplify lengthy commands and commands to quickly access help information.
Here is an example with Mimikatz. By typing “hPass,” the attacker could display basic tutorials for Mimikatz. This improved their effectiveness during attacks.
Intrusion Timeline
We obtained two weeks’ worth of command history from the zsh_history. Let’s go through the events of each day.
On day-1, the attacker attempted SQL injections on several government websites. When the exploit succeeded, they installed a webshell or IceCache, establishing a foothold for the attack. On day-2, they reviewed the domain information of compromised hosts and created accounts for further exploitation. On day three, which was a Sunday, no actions were taken. On day-3, which was a Sunday, they did not perform any actions. It seems the attacker does not work on Sundays. On day-4, they used IceCache to configure proxy rules. We will explain this in more detail later. On day-5, the attacker expanded their reach by attempting more SQL injections on other government websites. On day-6, they used various tools, including IcePeony’s custom tool called StaX and a rootkit called Diamorphine. On day-7, they continued to attack other hosts using tools like URLFinder and sqlmap.
On day-8, they used IceCache to steal information from the compromised environment, especially focusing on domain users. On day-9, they were quiet and only performed connection checks. On day-10, they did nothing since it was a Sunday. On day-11, they used tools like craXcel and WmiExec. They used craXcel, an open-source tool, to unlock password-protected Microsoft Office files. On day-12, they used IceCache to add proxy rules and set persistence with scheduled tasks. On day-13 and day-14, they explored other hosts for further exploitation.
Over the course of two weeks, the attacker utilized a variety of tools and commands to compromise government websites and exfiltrate information.
Tools
IcePeony uses a wide range of tools, with a particular preference for open-source ones. Here, we will highlight only the most distinctive tools they use.
StaX
StaX is a customized variant of the open-source tool Stowaway, a high-performance proxy tool. The attacker enhanced Stowaway with custom processing. Based on development strings, we called this version StaX.
StaX included encryption for communication targets specified in active mode using Custom Base64 and AES.
ProxyChains
ProxyChains is an open-source proxy tool. The attacker used ProxyChains to run script files on victim hosts.
info.sh is a script that collects system information from the compromised environment. It gathers environment information, user information, installed tool versions, network settings, SSH configuration files, and command history.
linux_back.sh is a script for backdoors and persistence. It downloads and runs a backdoor shell script from the server and creates backdoor users.
Interestingly, they installed a rootkit called Diamorphine, which is available on GitHub.
Malware
The IcePeony server contained malware targeting IIS, which we named IceChache. They used IceCache to attack the attack surface server. Additionally, during the investigation, we discovered another related malware, which we called IceEvent. Although no logs of using IceEvent were found. We believe it was used to compromise another computer that was not connected to the internet.
IceCache
IceCache is an ELF64 binary developed in Go language. It is customized based on the open-source software reGeorge.
To facilitate their intrusion operations, they added file transmission commands and command execution functionality.
IceCache module is installed and run on IIS servers. The number of commands change, but they are classified into two types based on authentication tokens. We found files with remaining PDB information. These files were developed by a user named “power” in a project called “cachsess”
PDB Path
C:Userspowerdocumentsvisual studio 2017Projectscachsessx64Releasecachsess.pdb
C:UserspowerDocumentsVisual Studio 2017ProjectscachsessReleasecachsess32.pdb
The number of commands changes over time, but it includes command execution functions, SOCKS proxy functions, and file transmission functions.
TYPE-A
Description
EXEC / EXEC_PRO
Command to the execution of a process
SOCKS_HELLO
Command to SOCKS protocol initial handshake message
SOCKS_CONNECT
Command to indicate a connection request with the SOCKS protocol
SOCKS_DISCONNECT
Command to indicate disconnection with SOCKS protocol
SOCKS_READ
Command to reading of data in SOCKS protocol
SOCKS_FORWARD
Command to instruct data transfer via SOCKS protocol
PROXY_ADD
Command to add a proxy
PROXY_LIST
Command to list a proxy
PROXY_DEL
Command to del a proxy
PROXY_CLEAR
Command to clear all proxy settings
PROXY_SET_JS
Set the JavaScript
PROXY_GET_JS
Get set the JavaScript
PROXY_ALLOW_PC
Allowed PC settings
PROXY_CACHE_CLEAR
Command to clear the proxy cache
PROXY_CACHE_TIME
Command to set proxy cache time
FILE_UPLOAD
Upload Files
FILE_DOWNLOAD
Download Files
TYPE-B
Description
EXEC / EXEC_PRO
Command that directs the execution of a process
SOCKS_HELLO
SOCKS protocol initial handshake message
SOCKS_CONNECT
Command to indicate a connection request with the SOCKS protocol
SOCKS_DISCONNECT
Command to indicate disconnection with SOCKS protocol
SOCKS_READ
Command that directs reading of data in SOCKS protocol
SOCKS_FORWARD
Command to instruct data transfer via SOCKS protocol
PROXY_ADD
Command to add a proxy
PROXY_LIST
Command to list a proxy
PROXY_DEL
Command to del a proxy
PROXY_CLEAR
Command to clear all proxy settings
FILE_UPLOAD / FILE_UPLOAD_PRO
Upload Files
FILE_DOWNLOAD / FILE_DOWNLOAD_PRO
Download Files
IIS_VERSION
Show IIS version
These are the IceCache modules found so far. The first sample we are aware of was compiled in August 2023 and submitted to VirusTotal in October. Since there is no discrepancy between the compille time and the first submission, we believe the dates are reliable.
Many new samples have also been found since 2024. Most of the submitters are from India, which matches the victim information we have gathered from OpenDir data.
The number of commands has change over time. It is show that the malware’s developers have made improvements while continuing their intrusion operations.
sha256[:8]
Compile Time
First Submission
Submitter
Cmd Num
X-Token
TYPE
5b16d153
2024-07-17 09:11:14
2024-08-03 04:58:20
c8d0b2b9 (ID)
20
tn7rM2851XVvOFbc
B
484e2740
2024-06-21 03:05:15
2024-08-07 09:25:53
39d4d6d2 – email
20
tn7rM2851XVvOFbc
B
11e90e24
2024-06-05 03:52:48
2024-06-18 12:21:50
d9cb313c (ID)
20
tn7rM2851XVvOFbc
B
b8d030ed
2024-06-05 03:52:41
2024-06-18 10:47:18
408f1927 (ID)
20
tn7rM2851XVvOFbc
B
ceb47274
2024-04-25 09:53:26
2024-08-02 21:50:50
06ac9f47 (BR)
20
tn7rM2851XVvOFbc
B
d1955169
2024-04-21 11:29:25
2024-06-18 12:24:39
d9cb313c (ID)
18
tn7rM2851XVvOFbc
B
de8f58f0
2024-04-21 11:29:10
2024-06-18 10:49:53
408f1927 (ID)
18
tn7rM2851XVvOFbc
B
53558af
2024-03-27 05:08:50
2024-04-19 07:57:19
c2440bbf (ID)
18
tn7rM2851XVvOFbc
B
0b8b10a2
2024-03-27 05:08:57
2024-04-18 13:54:16
c2440bbf (ID)
18
tn7rM2851XVvOFbc
B
a66627cc
2024-02-20 09:36:12
2024-03-12 15:17:55
a6412166 (VN)
16
cbFOvVX1582Mr7nt
A
e5f520d9
2024-02-01 09:32:21
2024-07-17 09:30:54
24761b38 (SG)
24
cbFOvVX1582Mr7nt
A
3eb56218
2023-12-07 03:04:16
2024-02-20 13:54:02
0f09a1ae (ID)
24
cbFOvVX1582Mr7nt
A
5fd5e99f
2023-09-27 00:50:46
2024-03-24 08:59:02
Ca43fb0f (ID)
24
cbFOvVX1582Mr7nt
A
0eb60e4c
2023-08-23 09:11:24
2023-10-18 10:11:00
0e8f2a34 (VN)
18
cbFOvVX1582Mr7nt
A
IceEvent
IceEvent is a simple passive-mode backdoor that installed as a service.
PDB Path
C:UserspowerDocumentsVisual Studio 2017ProjectsWinServicex64ReleaseWinService.pdb
Two types have been identified based on the command format. Both types only have the minimum necessary commands. The older type was discovered in September 2023, and several new types were found in April of this year. All of these were submitted from India.
TYPE-A
Description
FILE:
Command to Reading files via sockets
CMD:
Command to the execution of a process
TYPE-B
Description
UPFILE
Upload Files
DOWNFILE
Download Files
CMD
Command to the execution of a process
sha256[:8]
Compile Time
First Submission
Submitter
Cmd Num
TYPE
80e83118
2024-04-25 09:50:58
2024-07-25 05:43:08
INDIA (99003aca)
3
B
9aba997b
2024-04-30 04:48:48
2024-06-14 05:46:49
INDIA (060734bd)
3
B
9a0b0439
2024-04-25 09:50:58
2024-06-14 05:00:08
INDIA (060734bd)
3
B
bc94da1a
2023-08-23 08:52:46
2023-09-05 03:03:57
INDIA (81f8b666)
2
A
Similarities
We believe that IceEvent was developed because a simple passive backdoor was needed during intrusions, based on code similarities with IceChache. Both IceChache and IceEvent use the same key for XOR to encode communication data. And PDB information shows that the same developer created both malware.
This is the XOR-based data encoding process used for communication data, which is equal to both malware.
This is the command execution process equal to both malware. Since the function calls and branching processes are exactly the same, we believe they were compiled from the same source code. Other commands also match perfectly.
The communication data of IceChache and IceEvent is only encoded using the XOR process mentioned earlier, making it easy to decode. Here is an example of decoding the data during command execution.
Attribution
We investigated the attacker’s activity times based on the timestamp information in the zsh_history file. As a result, we found that the attacker is likely operating in the UTC+8 time zone. Surprisingly, the attacker works from 8 a.m. to 10 p.m., which is a 14-hour workday. They are remarkably diligent workers.
Similarly, we investigated the changes in activity based on the day of the week. It seems that the attackers work six days a week. While they are less active on Fridays and Saturdays, their only full day off appears to be Sunday. This investigation suggests that the attackers are not conducting these attacks as personal activities, but are instead engaging in them as part of organized, professional operations.
By the way, have you heard of the term “996 working hour system”?
This term originated in China’s IT industry.
In China’s IT industry, long working hours see as a problem. It refers to working from 9 a.m. to 9 p.m.,six days a week. Such hard work conditions are called the “996 working hour system”. IcePeony might be working under the 996 working hour system.
https://en.wikipedia.org/wiki/996_working_hour_system
Next, There is a very simple example to consider when discussing attribution. IcePeony sometimes includes Simplified Chinese comments in the tools they use. Here, we provide an example of a wrapper script for the IceCache Client. From this, we can conclude that IcePeony is a threat actor from a region where Simplified Chinese is commonly used.
IcePeony uses an original malware called IceCache. As previously mentioned, IceCache is based on reGeorge. More specifically, IceCache contains a string referring to a project named reGeorgGo.
Upon investigating reGeorgGo, We found that it was developed by a Chinese security engineer. There is no other information about this project on the internet, aside from the developer’s blog.
It was a not well-known tool. However, the publicly available reGeorgGo is a tool with only three arguments, where as IceCache has more commands added to it.
https://github.com/zz1gg/secdemo/tree/main/proxy/reGeorgGo
Let’s examine attribution from another side. In this attack campaign, IcePeony targeted India, Mauritius, and Vietnam. While attacks on India and Vietnam are generally not uncommon. What about Mauritius?
Mauritius is a small country located in the Indian Ocean. Interestingly, Mauritius has recently formed a cooperation with India. They are wary of China’s expansion into the Indian Ocean and have begun various forms of collaboration to counter this influence.
https://www.mea.gov.in/newsdetail1.htm?12042/
We summarize the attribution information using the Diamond Model.
IcePeony consists of Simplified Chinese speakers who show interest in the governments of Indian Ocean countries and work under the 996 working hour system.
They prefer open-source software developed in Chinese-speaking regions and use their original malware, IceCache and IceEvent. In attacks on the Indian government, they used VPSs located in the Indian region. Additionally, the governments and education sectors in Mauritius and Vietnam were also targeted.
Wrap-Up
In this blog post, we introduced IcePeony. IcePeony is a newly emerging attack group. Our investigation shows that they have been active since at least 2023. Their primary targets are countries in Asia, such as India and Vietnam.
The log files we analyzed recorded attempts to attack over 200 different Indian government websites. IcePeony typically attempts SQL Injection attacks on publicly accessible web servers. If vulnerabilities are found, they install web shells or execute malware. Ultimately, they aim to steal credentials.
We suspect that IcePeony operates as a group of individuals conducting cyberattacks in support of China’s national interests, possibly in connection with China’s maritime strategy. They remain active, and we must continue monitoring their activities closely moving forward.
IoCs
IP
165[.]22.211.62
64[.]227.133.248
173[.]208.156.19
173[.]208.156.144
154[.]213.17.225
103[.]150.186.219
63[.]141.255.16
204[.]12.205.10
107[.]148.37.63
103[.]99.60.119
154[.]213.17.237
45[.]195.205.88
154[.]213.17.244
103[.]99.60.93
149[.]115.231.17
149[.]115.231.39
103[.]99.60.108
Domain
d45qomwkl[.]online
k9ccin[.]com
k8ccyn[.]com
88k8cc[.]com
googlesvn[.]com
IceChache
484e274077ab6f9354bf71164a8edee4dc4672fcfbf05355958785824fe0468f
5b16d1533754c9e625340c4fc2c1f76b11f37eb801166ccfb96d2aa02875a811
ceb47274f4b6293df8904c917f423c2f07f1f31416b79f3b42b6d64e65dcfe1b
e5f520d95cbad6ac38eb6badbe0ad225f133e0e410af4e6df5a36b06813e451b
d1955169cd8195ecedfb85a3234e4e6b191f596e493904ebca5f44e176f3f950
11e90e2458a97957064a3d3f508fa6dadae19f632b45ff9523b7def50ebacb63
de8f58f008ddaa60b5cf1b729ca03f276d2267e0a80b584f2f0723e0fac9f76c
b8d030ed55bfb6bc4fdc9fe34349ef502561519a79166344194052f165d69681
535586af127e85c5561199a9a1a3254d554a6cb97200ee139c5ce23e68a932bd
0b8b10a2ff68cb2aa3451eedac4a8af4bd147ef9ddc6eb84fc5b01a65fca68fd
5fd5e99fc503831b71f4072a335f662d1188d7bc8ca2340706344fb974c7fe46
3eb56218a80582a79f8f4959b8360ada1b5e471d723812423e9d68354b6e008c
a66627cc13f827064b7fcea643ab31b34a7cea444d85acc4e146d9f2b2851cf6
0eb60e4c5dc7b06b719e9dbd880eb5b7514272dc0d11e4760354f8bb44841f77
IceEvent
80e831180237b819e14c36e4af70304bc66744d26726310e3c0dd95f1740ee58
9a0b0439e6fd2403f764acf0527f2365a4b9a98e9643cd5d03ccccf3825a732e
9aba997bbf2f38f68ad8cc3474ef68eedd0b99e8f7ce39045f1d770e2af24fea
bc94da1a066cbb9bdee7a03145609d0f9202b426a52aca19cc8d145b4175603b