安坂星海 Azaka 🐼 VTuber
Feb 18 · 47 tweets · 17 min read
#threatintel
Someone just leaked a bunch of internal Chinese government documents on GitHub:
github.com/I-S00N/I-S00N/
From the looks of it, it looks like a bunch of spyware developed by the company 安洵信息
Some of these software features include obtaining the user's Twitter email and phone number, real-time monitoring, publishing tweets on their behalf, and reading DMs.
Custom RAT built for Windows x64/x86 with features such as process/service/registry management, remote shell, keylogging, file access logging, obtaining system info, disconnect, uninstallation.
The documentation contains a screenshot of the controller, titled Security System (V3.0.0.3).
A Mac version also exists, with features such as remote shell, file management, screenshot and keylogging.
An iOS version also... exists somehow, and they claim that this supports all iOS versions. It includes features such as gathering hardware information, GPS data, contacts, media files, and real-time audio recording.
No jailbreak required.
An Android version also exists, supporting Android 6.0 and above. Features include obtaining system information, GPS, contacts, SMS, call logs, browser history, app list, real-time audio recording, process list, camera, WiFi list, screenshot, keylogging, and system info.
A few interesting tidbits for the Android one:
- Ability to dump messages from QQ, WeChat, and MoMo, all popular Chinese IM apps (requires root)
- Ability to keylog specifically QQ, WeChat, MoMo *AND* Telegram
- Ability to elevate as system app for persistence (requires root)
Controller for the Android RAT.
A Linux version also exists that specifically supports CentOS 5/6/7 & Ubuntu 12/14. Oddly old versions of these distros. Features include remote shell, file management, Socks5 proxy via SocksCap64, and port reuse. The controller appears to be named "TracedStone".
This is the weirdest of them all: a WiFi-capable device that can inject into the targeted... Android devices via WiFi? The device is said to be portable, plug and play, and supports 3G and 4G. After a successful injection, it can get device info, GPS, SMS, contacts, call log, and files.
Another one: "WiFi Near Field Attack System," with a Standard and Mini edition. The standard version can be installed on a specifically crafted device and be used to infiltrate the internet network... somehow. It doesn't explain.
The Mini version is said to be able to disguise itself as a power strip, power adapter, etc. and can be set up to connect to the target WiFi and establish a SOCKS tunnel with the internal network.
The standard version comes with 4G capability, 8GB eMMC, a dual-core 1.2GHz ARM processor, and a 10000 mAh battery, whilst the mini version runs on MIPS with 128MB of DDR2(?) and does not contain a battery.
The standard version is disguised as a Xiaomi battery, whilst the mini version is just a plain PCB that can be put inside anything.
The Standard edition can be used for cracking WiFi passwords, LAN port sniffing, SOCKS tunnel, port projection, remote shell, file management, and remote detonation (self-destruct).
Correction: technically not Chinese government data, but a spyware vendor contractor's internal data.
Next chapter: they also have a DDoS system. The botnet client is 29kb in size and can be deployed onto Windows, Linux, or generic IoT devices with a total throughput of 10~100Gbps (or GBps? not specified).
An automatic pentesting system that supports Windows, Linux, web services, and networking equipment, with support for various pentesting frameworks.
It also supports specialized APT attack scenarios, including generating email templates, browser-based attacks, an exploited Office document generator, and more.
There's also specialized hardware for tracking down WiFi devices (i.e. alert when a device with a given WiFi MAC address is in range) and disrupting WiFi signals, and it can be controlled with a dedicated smartphone.
A dedicated Tor-like device for hopping between endpoints. Designed specifically for agents working overseas.
A product stack designed for spying on users of Chinese social media, including Weibo user detail lookup (email/phone), historic IP address lookup, and user detail lookup via an uploaded image (i.e. Alice uploads a food pic to Weibo, Alice's details can be pulled up).
Baidu lookup: reverse searching username, phone number, email address, Baidu Pan links.
Reverse searching a phone number for WeChat, WeChat payment QR code, etc.
Features designed specifically for forums:
- Emote beacon: effectively an IP grabber when opened; the user's IP address, port, time, and browser details are returned.
- Link beacon: same thing as above but URL-based.
A platform designed specifically for cracking down on gambling cases; it can be used to look up username, email, password, home address, IP address, etc. Notably, an email address of admin@webside.com can be seen. Not sure if this is a typo of "website".
They've also developed their own KoTH style CTF platform for training offsec employees.
"Skywalker" data research platform. Used to look up information related to a keyword, such as phone number, address, email, or username, which would then bring up their IRL details.
This information can then be fed into an "in-development" feature for looking up user details on various social media, including QQ, WeChat, Weibo, Facebook, and Twitter.
Email text search platform. The emails can be automatically imported via SMTP, POP3, IMAP, and most importantly, Exchange. The Exchange server can be configured to add "non-plaintext" transfer during transport.
That was *most* of the data in just ONE PDF file that was leaked from this repository. There's presumably a lot more to dig through.
The rest of the repo seems to be mostly low-res screenshots (presumably thumbnails?) of various WeChat logs, and random camera shots of random notes.
I'll be posting the rest of the updates back in the Mastodon thread.
infosec.exchange/@still/1119545…
This blew up, so instead of plugging something I'm gonna tell you to go read the chat log analysis I'm doing over at infosec.exchange/@still/1119545…
There's also a RAT called Hector.
"Hector is an active RAT that supports HTTP/WebSocket and HTTPS/WS over TLS."
"Hector supports interactive remote shell, file directory viewing, file management."
Modular design, and it supports additional plugin deployment.
The chat logs are extremely fascinating as they provide a much broader view of how people are making money off of attacking critical government agencies. I'm seeing quotes and prices all over these chat logs for intel/data from these hacked institutions.
The point I want to make is that it's not *just* government-hired actors; companies are profiting off of these contracted attacks.
Someone from the chat log also claimed that they have data from Jens Stoltenberg (Secretary General of NATO) that they've been wanting to sell.
Bro only got paid 2000 RMB for his month of work 💀
Uhhh, I'm gonna be muting this thread because it's nuking my notifications.
Correction for the previous post: it's Macau Airlines.
If you still aren't convinced the clients are gov: infosec.exchange/@still/1119564…