Threat analysis

I Ate Your Family’s Rice : Unmasking Space Pirates’ Hacker

OWN-CERT
-
27/11/2023
 OWN-CERT teams have investigated one of the malware developers of the Chinese cybercriminal group Space Pirates. OWN Security

The OWN-CERT APT team has carried out an investigation into one of the malware developers of the Chinese cybercriminal group Space Pirates. The OWN-CERT team was able to uncover links between the developer's account and a student at Harbin University of Science and Technology (HRBUST). We also mapped interesting relationships between this developer and other students at the same university.

We recommend reading this paper while listening to the song “白桦林 » (Baihualin) by 朴树 (Pu Shu).

Key Takeways

  • The starting point of this investigation is the link detected by Positive Technology between the hackers’s device name collected during the GitHub repositories analysis and the CSDN account “ma_de_hao_mei_le”.
  • “ma_de_hao_mei_le” aka “wochinijiamile” was a student at the Harbin University for Science and Technology (HRBUST) and is called HE Qile.
  • HE Qile is in contact (at least virtually) with younger CTF contestants from HRBUST.
  • Some Space Pirates members could be linked to HRBUST.
  • Harbin University could be a hotbed for would-be hackers.

Introduction

Context

We decided to start this investigation while reading an article published by Positive Technologies on the cybercriminal group Space Pirates entitled “Space pirates: a look into the group’s unconventional techniques, new attack vector and tools”[1]. The article explains the group’s compromise chain and links the malware to a Chinese developer thanks to a device name within the code. Positive Technology identified a blog account probably belonging to one of Space Pirates’ developers without looking into the account information. So, we dug.

Who is Space Pirates?

But, first, we shall introduce Space Pirates.
Space Pirates is a cybercrime group discovered by Positive Technologies (PT) at the end of 2019. According to Positive Technologies, the group had been active since at least 2017. At the time of discovery, the group was conducting espionage and information theft attacks against Russian government agencies and companies with both new malware families and part of Chinese hackers’ toolkit: Royal Road RTF (8.t) builder, PcShare backdoor, PlugX and PoisonIvy among others [2].

PT experts found several overlaps with other Chinese groups: Winnti (APT41), Bronze Union (APT27), TA428, RedFoxtrot, Mustang Panda and Night Dragon.

PT considers the group has expanded its interests and the geographical scope of its activities. The group is now looking for confidential information in a wide range of sectors such as government and education institutions, aerospace manufacturers, agricultural producers, defense, energy, private security and infosec companies. The countries targeted until now are Russia, Georgia, Serbia, and Mongolia.

Figure 1: Connections between Space Pirates and other Chinese groups. Source: Positive Technologies.

A myriad of accounts

The Positive Technologies article pointed at three accounts:

  • The CSDN account "ma_de_hao_mei_le"[3], created in 2021
  • The Github account "wqreytuk" [4];
  • The deleted blog account on CSDN "wochinijiamile", created in 2017 [5].


Figure 2: Screenshot of CSDN account ma_de_hao_mei_le as presented in the article, source: Positive Technology

All three accounts provide much information about the developer.The GitHub account for example displays information about:

  • An X (Twitter) account: [at]include233333
  • An URL: hxxps://144.34.164[.]217/

Also, the X account points to a domain: 144[.]one.

The CSDN blog account "ma_de_hao_mei_le" is divided into three sections: a "Miscellaneous" section, a "Security" section and a "R&D" section. The blogposts tackle a variety of computer related topics, from SecureCRT, C++ coding, the use of IDA, NTLM authentication, Mac and Windows virtualization tools (Parallels, VMWare etc.).

Figure 3: Space Pirates developer's GitHub account.source: Positive Technology

The GitHub account “wqreytuk” gives a hint of the owner’s activities and interests. For example, the owner forked a repository about process hollowing and wrote several repositories about:

  • Erasing events logs on Windows (published in September 2023)
  • File mapping (published in September 2023)
  • Tools in Python for lateral movements and for Kerberos authentication

Figure 4: Space Pirates developer's deleted account source: Positive Technology

“Wochinijiamile” account details reveal another username: “include_heqile”.

It is worth noting that "whochinijiamile” is a slight deformation of an online slang expression “吃你家大米了吗” which literally translates "Did I ate you family’s rice” and means "I did nothing to you why are you bothering me ?”. "Wo chi ni jia mi le” therefore means “" did something to you” and makes the username sounds like a confession … or a warning.

So, we find ourselves with several accounts to investigate. Which we did to map as accurately as possible wochinijiamile’s online presence. In short, we found :

  • a Kanxue page belonging to « 12138 » – Kanxue being a website specialized in cybersecurity – a username also used on GitHub [6] ;
  • a Bilibili account using the username " 肥腰是猪 "[7]. Bilibili is a video platform very similar to Youtube, on which users can post their own videos. Most of the content posted by 肥腰是猪 are technical demos related to ma_de_hao_mei_le Github and CSDN posts. The video mentioned in the GitHub post on SecureCRT is about SecureCRT [8];
  • a Gitee account (the Chinese GitHub) [9] ;
  • an account combining the X (include_) and GitHub usernames “include_12138” on the blog website 51CTO [10].

Not only, the account uses the same picture as the CSDN account and points to the Weixin account wochinijiamile («我吃你家米了 »), it also advertises the blog 144[.]one [11]. We were therefore quite certain this account belongs to the same person.

Figure 5: The 51CTO account, include_12138, pointing to the Weixin account "我吃你家米了".

Getting more serious : What about the domain?

Until now, we left aside two very interesting pieces of information which are the URL mentioned on the 12138 GitHub page (hxxps://144.34.164[.]217) and the domain mentioned in the details of the X account (144[.]one).

The URL points to a blog page belonging to 12138.

Figure 6: URL page hxxps://144.34.164[.]217.

From this page we get two new pieces of information:

  • a QQ e-mail address: 476522884[at]qq.com(NDc2NTIyODg0QHFxLmNvbQ==) ;
  • a Weixin account: 我吃你家米了 (which reads "wo chi ni jia mi le").

The Weixin username is particularly interesting as it is reused on several social medias sometime written in Chinese ideograms, sometime in pinyin using the Latin alphabet as in the second (deleted) CSDN blog username “wochinijiamile”.

Clicking on the “友情链接” link (friendly links), leads directly on a page of the domain 144[.]one which is hosted on the same IP address 144.34.164[.]217 [12].

Among these “friendly links” two are familiar: wochinijiamile and ma_de_hao_mei_le, the three others - A-gui (阿怪), Zhuge(注哥) and the Baihualin Cybersecurity Research Laboratory (白桦林网络空间安全实验室) – deserve further investigations.


Figure 7: The "friendly links" on 12138's blog.


Tightening the noose

We went on searching for more information using usernames and started investigating “include_heqile”, a username we collected at the beginning in the details of the CSDN account wochinijiamile.We found that the developer very likely registered to several cyber challenges under the username “include_heqile”.

Figure 8: Include_heqiles user information on wechall[.]net.

He/She registered to the cyber challenge “Wechall” in 2018, which shows that the person was testing his/her skills [13].

The same year, he/she took part in a CTF as it appears on the website ctftime[.]org [14].

Figure 9: Information about include_heqileon the training platform.

As figure 9 shows, we learned that include_heqile is a student from Harbin University of Science and Technology or 哈理工 and that the three characters matching “heqile” are “何其乐 » or HE Qile which seems a little too easy.

An account on an online training platform was registered by HE Qile in 2017 and was used until 2018. For now, we know that include_heqile aka Wochinijiamile studied at Harbin University and was probably specializing in cyber as from 2017 on, he/she started to take part in online trainings to challenge his/her skills.
Based on the Chinese ideograms, we can assume that HE Qile could be a woman developer.

HE Qile was probably in the class “Network 16-2” (网络16-2) as it is indicated in another account details « 16-2网络-何其乐 » - on an online platform to rate or practice your skills. We found that at HRBUST the classes are named according to the template “SpecialityNumber(year?)-Number”.                                                                                                

The QQ account is the same as the one mentioned in the 12138’s blog, so we feel that the loop is closed.

Figure 10: Account screenshot.

                                                             

Also, we found a mention of HE Qile entering Harbin HRBUST University in 2016 [15], in a publication on Weixin posted by a local government department in Shangcai (Hena) [16]. We considered that a person named “HE Qile” entering the HRBUST University is discriminating enough to regard this information as relevant. Also, 2016 could match the general timeline with HE Qile starting to take part in CTFs a year later.

Figure 11: Screenshot of the "Shangcai Fabu" publication.


Figure 12 : HE Qile blogpost suggesting he/she was still attending HRBUST in May 2018.

We now know that ma_de_hao_mei_le is HE Qile, that he/she entered the Harbin University of Science and Technology in 2016 and that as of May 2018, HE (aka ma_de_hao_mei_le aka include_heqile aka wochinijiamile) was still studying at HRBUST. As we completed the investigation, we could not get the usual feeling of completion because of a few identities we ran into. So, we did some additional research, and the results were rather thrilling.

Friendly interlink: Birkenwald Team

A key element of the investigation was the mention on the blog of the Baihualin Research Laboratory “白桦林网络空间安全实验室” which link redirects towards the URL: “hxxps://birkenwald[.]cn. This website is a blog with few contents to exploit. However, we noticed a section “friends” which presents three avatars with links redirecting to external resources:

  • “Tr0jan” with a link redirecting to the URL: hxxps:tr0jan[.]top
  • “12138” with a link redirecting to the URL “hxxps://144[.]one”
  • “孤客 (Gu ke)” with a link redirecting to “hxxps://blog.csdn[.]net/weixin_43781139?spm=1011.2124.3001.5343”

The Chinese characters “战队” (zhandui) attached to the name “Birkenwald” indicate this group is highly likely a CTF team. This hypothesis was quickly confirmed when conducting research on the name. We could find an article of the media sohu[.]com published on the 19th of October 2021 entitled: “The winning team of Heilongjiang University students’ network security challenge is a ‘hunter’ looking for treasures in the maze of network”. This article mentions the name “Birkenwald” as a team affiliated to the University of Harbin, the capital of Heilongjiang. Furthermore, the article also mentions the name of the student 尹鹭星 (YIN Luxing) as leader of the team. According to another article published in 2021, the team was founded in 2015 [16].

Our readings lead us to believe that YIN Luxing is the leader because he has been a stable member of the team. WANG Jiyuan (王纪元) is another recurrent team member however others occasionally join the team:

  • 胡振煌 (HU Zhenhuang) in 2022 [18]
  • 罗昕蕊 (LUO Xinrui) in 2022[19].
  • 山成伟 (SHAN Chengwei) in 2022 [20].
  • 莫德铭 (Mo Deming) in 2022 [21]

According to the posts on the “Harbin Campus” (哈尔滨校园) Weibo account and to several articles we encountered, the teacher guiding the students through the CTFs challenges is DI Jiqiang (翟继强) who is responsible for Computer Technology courses at HRBUST [22].


Figure 13: Members of the Birkenwald team, with YIN Luxing in the center.

Finally, but we couldn’t confirm it, it is possible this team took part in, at least, 22 CTF between 2020 and 2023.

The Whois record of the domain “birkenwald[.]cn” gives us the following name as registrant 尹鹭星 (YIN Luxing) a rather logical result considering he is the team leader. But it also suggests that he decided to take the team a step further outside university. Additionally, we pinpointed another domain registered by YIN Luxing – tr0jan[.]top – with details concerning the Chinese province of the registrant... Heilongjiang. Besides, tr0jan[.]top recalls the hyperlink mentioned above in the “friends” section of the blog of the CTF team.


Extract from the WHOIS record of the domain birkenwald[.]cn.

We were not able to pivot on the registrant email address ylx294491090[at]163[.]com

Extract from the WHOIS record of the domain tr0jan[.]top

Finally, we had a look at the website tr0jan[.]top, which is also a blog about CTF and publications about cybersecurity topics.

Apart from CTFs, the university organizes competitions with cyber institutions and companies.
In September 2023, HRBUST organized a cybersecurity competition with the Heilongjiang Center of the CNCERT (China National Cyber Emergency Response Team), the Heilongjiang Party Committee Bureau for Cybersecurity and Informatization, Heilongjiang Public Security Department and the DAS Security company (杭州安愃信息技术股份有限公司). The latter cooperates with the Ministry of Public Security, the Office of the Central Cyberspace Affairs Commission (中央网络安全和信息化委员会办公室) and the Hong Kong and Macao Affairs Office of the State Council (国务院港澳事务办公室).
Also, the event main objective was to identify and groom talents [23].

Furthermore, HRBUST allows a few students to temporarily join the military during their time at university, and according to the 2023 report, one of the students belonged to the Computer Science and Technology Institute.

Going Further

So we know that HE Qile may have entered the Harbin University of Science and Technology (HRBUST) in 2016 and that in 2017, HE (aka include_heqile aka wochinijiamile) was still studying at HRBUST.

                              

Figure 14: Photo of YIN Luxing's personal presentation on the HRBUST University website.

In 2023, YIN Luxing was a post-graduate student at the Computer Science and Technology Institute (计算机科学与技术学院) of the Harbin University of Science and Technology, a student that was exempted from exams [24]. In other words, he went to the same university HE Qile was going to.

Even though HE Qile should be a bit older than YIN Luxing, they may have met during their time at the university as they shared the same interest in CTF challenges.

We also know that YIN Luxing and two of his friends, WANG Jiyuan (王纪元) and HU Zhenhuang (胡振煌), took part as a team (Birkenwald) in a cybersecurity challenge organized by the Heilongjiang Province in 2022 and won the first prize [25].

Figure 15: Screenshot of the list of students exempted from exams.

YIN Luxing is even more interesting since he is a Party member and has a military experience that he underlines in a small presentation he wrote about himself on the university website .The final touch being that the guy founded the company Jinan Espico Information Technology (“济南艾斯皮克信息科技有限公司”) in November 2022 with a capital of 100 000 RMB. It was registered under the social credit number 91370100MAC47R2M73. He owns 30% of the company’s share and has the “controller” position. The actual CEO is another person called ZHANG Guorong (张国荣) who also owns 40% of the shares. YIN Luxing’s friend WANG Jiyuan from the Birkenwald Team probably owns the other 30% of the company.The company’s name refers to the capital of the Shandong Province, Jinan, which could imply a shift in location on YIN Luxing’s part.

Conclusion

What do we have so far? Let’s rewind and try to get the big picture. Based on Positive Technologies article we started our investigation on “wochinijiamile”. Following this lead, we collected another nickname “include_heqile” and several accounts all sharing the same interest about cybersecurity topics until we identified this Harbin University of Science and Technology student: HE Qile.

As it is, we could shape the contours of a possible nexus of a cybersecurity experts' reservoir which may have a link with the cybercriminal group Space Pirates. This is not the first-time cyber security researchers encounter this type of relationship between individuals, universities, and possibly cyber criminals' groups. We wish this investigation contributes to a better comprehension of the Chinese cyber ecosystem.

This is a work in progress, and we hope we’ll be able to offer you more info about this mysterious HE Qile and her or his whereabouts.

Annexes

Indicators: accounts and identifiers - Name & Related ite

 

NOTE DE BAS DE PAGES

[1] https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-tools-and-connections/
; https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/

[2] hxxps://blog.csdn[.]net/ma_de_hao_mei_le; CSDN is a Chinese platform for sharing content, publishing articles and blogposts.

[3] hxxps://blog.csdn[.]net/ma_de_hao_mei_le?type=blog ; CSDN is a Chinese platform for sharing contents, publishing or sharing article and blogposts.  

[4] hxxps://github[.]com/wqreytuk

[5] hxxps://wochinijiamile.blog.csdn[.]net/

[6] hxxps://bbs.kanxue[.]com/homepage-953537.htm

[7] hxxps://space.bilibili[.]com/245095958

[8] hxxps://www.bilibili[.]com/video/BV1Fx4y197m7/

[9] hxxps://gitee.com/wochinijiamile

[10] hxxps://blog.51[.]com/144dotone

[11] hxxps://blog.51cto[.]com/144dotone/4941666

[12] hxxps://www.wechall[.]net/ranking/page-448

[13] hxxps://ctftime[.]org/stats/2018

[14] hxxps://mp.weixin[.]qq.com/s__biz=MzI1MTMwOTc0Mw==&mid=2247484754&idx=2&sn=52026d444aee35a843bab9f8c0c7fe
71&chksm=e9f5be92de823784c5371b588f5927465721b0b723f29ba736d24841225604cae328b1cccfc2&scene=27

[15] hxxps://www.shangcai.gov[.]cn/web/front/news/news.php

[16] hxxps://www.shangcai.gov[.]cn/web/front/news/news.php?itemscode=214

[17] hxxps://www.chinahlj[.]cn/news/520163.html

[18] hxxps://m.weibo[.]cn/detail/4812936789102680

[19] hxxps://m.weibo[.]cn/detail/4812945656383689

[20] Ibid.

[21] hxxps://m.weibo[.]cn/detail/4812939716465332

[22] hxxps://m.weibo[.]cn/detail/4812939716465332 ; hxxp://graduate.hrbust.edu[.]cn/_upload/article/files/04/c3/8ded0bdf416e96cd7343bd89b9b0/0da23d46-efa3-49e8-9ec7-635c7d68d494.pdf

[23] hxxps://baijiahao.baidu[.]com/; hxxp://hrbust.edu[.]cn/info/1360/23342.htm

[24] hxxp://jwzx.hrbust.edu[.]cn/homepage/infoSingleArticle.do

[25] hxxps://www.hlj.gov[.]cn/hlj/c107856/202209/c00_31368706.shtml

[26] hxxp://jiuye.hrbust.edu[.]cn/jyxf/1531.jhtml

Partager l'article :

Your OWN cyber expert.