DoubleGuns Akimbo: China’s Own Share of Malware Botnets

May 29, 2020

China has its fair share of malware activity too, even though we seldom hear about it. Recently, the DoubleGuns trojan took the top spot among botnets tracked in China.

What happened

DoubleGuns is a trojan that has been circulating since 2017, and over the last three years its code has seen no major changes even as the operation has grown in scale. It is primarily propagated through booby-trapped (trojanized) apps shared on Chinese websites. Qihoo 360 has now teamed up with Baidu to disrupt the botnet's operations.

IoC Correlation

  • Almost all of the command-and-control domain names resolve to just two IP addresses: 125[.]124[.]255[.]20 and 125[.]124[.]255[.]79.
  • The DoubleGuns gang has long-term, stable control over a large number of addresses in 125[.]124[.]255[.]0/24, so it has ample network resources to fall back on.
  • Infection spreads at large scale by luring users into installing online games bundled with the malware.
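The first two bullets give the kind of network indicator a defender can act on immediately: any host resolving a name to one of the two pinned addresses, or to anything else in the /24 the gang controls, deserves a look. The script below is an added example (not code from the article, Qihoo 360 or Baidu) that sweeps constructed DNS-resolver log lines for those indicators. The log format, the client addresses and the query names are assumptions invented for the example; only the IP addresses and the /24 come from the article.

```python
import ipaddress
import re

# Indicators from the article, written defanged as published and refanged below.
_DEFANGED_C2_IPS = ["125[.]124[.]255[.]20", "125[.]124[.]255[.]79"]
_DEFANGED_C2_NET = "125[.]124[.]255[.]0/24"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 125[.]124[.]255[.]20 back into 125.124.255.20."""
    return indicator.replace("[.]", ".")


DOUBLEGUNS_C2_IPS = {ipaddress.ip_address(refang(i)) for i in _DEFANGED_C2_IPS}
DOUBLEGUNS_C2_NET = ipaddress.ip_network(refang(_DEFANGED_C2_NET))

# Constructed sample resolver log (not real telemetry). The query names are
# placeholders under the reserved .invalid TLD, not DoubleGuns domains; the
# log line layout is an assumption for this example.
SAMPLE_DNS_LOG = """\
2020-05-29T10:01:02Z client=10.0.0.5 query=example.com A answer=93.184.216.34
2020-05-29T10:01:07Z client=10.0.0.7 query=game-update.invalid A answer=125.124.255.20
2020-05-29T10:02:15Z client=10.0.0.9 query=cdn.invalid A answer=125.124.255.140
2020-05-29T10:03:44Z client=10.0.0.5 query=mail.invalid A answer=125.125.1.1
2020-05-29T10:04:00Z client=10.0.0.7 query=garbage line without an answer
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)\s+\S+\s+answer=(?P<ip>\S+)$"
)


def classify_ip(ip_text: str):
    """Return 'c2' for one of the two pinned C2 addresses, 'c2-range' for any
    other address inside the gang's /24, or None for everything else
    (including strings that are not IP addresses at all)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if ip in DOUBLEGUNS_C2_IPS:
        return "c2"
    if ip in DOUBLEGUNS_C2_NET:
        return "c2-range"
    return None


def find_hits(log_text: str):
    """Scan resolver log lines and return one dict per line whose answer
    falls on DoubleGuns infrastructure. Malformed lines are skipped, not fatal."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        verdict = classify_ip(m["ip"])
        if verdict:
            hits.append({"client": m["client"], "qname": m["qname"],
                         "ip": m["ip"], "verdict": verdict})
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_DNS_LOG):
        print(f"{h['verdict']:9s} {h['client']} -> {h['qname']} ({h['ip']})")
```

Matching the whole /24 rather than only the two published addresses is a deliberate choice: the article notes the gang controls that block long-term, so a new C2 address inside it is far more likely than a move elsewhere. The two-tier verdict keeps the pinned addresses as high-confidence hits while flagging the rest of the range for triage rather than automatic blocking, since a /24 may also carry unrelated hosting.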

Worth noting

  • For the past three years the gang has relied on steganography: configuration data is hidden inside images hosted on Baidu's Tieba forum service, which infected machines download and decode.
  • The number of infected computers is estimated at "hundreds of thousands"; Baidu and Qihoo have been taking down the images the threat actors use.

In essence

Since its inception the group has been exposed repeatedly by security researchers, yet it returns stronger each time, which shows how wide the DoubleGuns distribution channel is. The disruption by Qihoo and Baidu may be only temporary, since other parts of the botnet's infrastructure remain in operation.

Read the original article and additional information at Cyware Social