New UTG-Q-008 APT targets Chinese research and educational institutes


A new Advanced Persistent Threat (APT) group, tracked as UTG-Q-008, has been targeting research and educational institutes in China, according to cybersecurity firm QiAnXin. The threat actor employs a sophisticated botnet composed entirely of Linux systems to conceal its operations, with multiple springboard nodes located within China's internet space.

QiAnXin researchers have been tracking UTG-Q-008 for nearly a year, although they have yet to formally attribute the group to any specific nation or organization. It was found that UTG-Q-008 sometimes deploys a cryptominer on systems equipped with powerful NVIDIA RTX graphics cards.

The UTG-Q-008 group has focused exclusively on Linux platforms, utilizing a massive botnet for espionage activities against domestic research and education sectors. QiAnXin says that up to 70% of the botnet's infrastructure consists of springboard servers. These servers are frequently rotated with each new activity, using domain names that have been active for at least a decade. Each large-scale operation employs new domain names and IP addresses for payload requests and shell operations.

Once inside the network, UTG-Q-008 installs an espionage plugin on crucial servers. This plugin runs an embedded bash script containing numerous regular expressions to collect sensitive information from Linux servers. Each section of the script features around ten matching rules designed for data exfiltration.

The group's attacks are strategically timed, typically occurring between midnight and 4 a.m., with each shell session lasting only 2-3 minutes. Initial stages involve distributed SYN scans to identify open ports on target networks, averaging 25-35 scans per second per IP address.

This is followed by distributed brute-forcing attempts, capped at ten attempts per second per IP, enabling the group to maintain a low footprint. Over the course of a month, UTG-Q-008 successfully brute-forced root passwords on nine servers, including six research servers and three perimeter devices such as firewalls, routers, and out-of-band management hosts, the researchers said.
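As an added, defender-side illustration that is not part of the QiAnXin report: a small Python detector that runs over constructed sshd log lines and flags sources sustaining the roughly ten-failures-per-second-per-IP cadence described above, plus successful root logins falling in the midnight-to-4 a.m. window. The hostnames, addresses and the rate threshold are assumptions.

```python
# Added example (not from the report): detect the low-and-slow SSH brute-force
# cadence (~10 failed attempts/sec/IP) and night-time root logins (00:00-04:00)
# in syslog-style sshd lines. All log lines below are constructed samples.
import re
from collections import Counter, defaultdict

FAILED = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (\S+) port \d+")
ACCEPTED = re.compile(
    r"^(\w{3} +\d+ (\d\d):\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \w+ for root "
    r"from (\S+) port \d+")

def failed_rate_per_ip(lines, rate_threshold=8):
    """Return {ip: peak failed attempts in any one second} for sources at/above
    rate_threshold. The threshold is an assumed value just under the reported cap."""
    per_second = defaultdict(Counter)  # ip -> Counter(timestamp -> attempts)
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, ip = m.groups()
            per_second[ip][ts] += 1
    return {ip: max(c.values()) for ip, c in per_second.items()
            if max(c.values()) >= rate_threshold}

def night_root_logins(lines, start_hour=0, end_hour=4):
    """Return (timestamp, ip) for successful root logins with start_hour <= hour < end_hour."""
    hits = []
    for line in lines:
        m = ACCEPTED.match(line)
        if m:
            ts, hour, ip = m.groups()
            if start_hour <= int(hour) < end_hour:
                hits.append((ts, ip))
    return hits

# Constructed sample: ten failures in one second from one source (the reported
# cadence), two slow failures from another, one night root login, one daytime.
SAMPLE_LOG = [
    f"Jan 12 02:15:30 host1 sshd[{4000 + i}]: Failed password for root from 203.0.113.7 port {50000 + i} ssh2"
    for i in range(10)
] + [
    "Jan 12 02:15:30 host1 sshd[4100]: Failed password for invalid user admin from 198.51.100.4 port 40001 ssh2",
    "Jan 12 02:15:31 host1 sshd[4101]: Failed password for invalid user admin from 198.51.100.4 port 40002 ssh2",
    "Jan 12 02:17:45 host1 sshd[4200]: Accepted password for root from 203.0.113.7 port 50100 ssh2",
    "Jan 12 14:02:10 host1 sshd[4300]: Accepted password for root from 192.0.2.9 port 33000 ssh2",
]

if __name__ == "__main__":
    print("brute-force sources:", failed_rate_per_ip(SAMPLE_LOG))
    print("night root logins:", night_root_logins(SAMPLE_LOG))
```

Correlating the two outputs (a flagged source that later obtains a root shell at night) is the signal worth alerting on, since either alone is noisy on an internet-facing host.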

QiAnXin identified three nodes associated with the Perlbot botnet, three with Outlaw, and one linked to the Mirai botnet. The Nanobot used during lateral movement within networks shows similarities to Perlbot.

QiAnXin also found overlaps between UTG-Q-008 and another APT group, UTG-Q-006, which primarily targets Windows devices. UTG-Q-006 uses a large botnet to brute-force Remote Desktop Protocol (RDP) ports, infiltrating critical entities within half a month using sophisticated techniques involving legitimate tools like AnyDesk, Chisel, and Advanced Port Scanner. The adversary targets Manufacturing Execution System (MES) servers.

The researchers have also discovered overlapping brute-forcing nodes between UTG-Q-006, UTG-Q-008, and the Outlaw botnet. However, the links between these groups remain unclear due to the complex nature of botnets.
