i-S00N - Leaked Documents Reveal Chinese Spyware Vendor's Capabilities

layer8 | Feb 19, 2024 min read

A recent leak of internal documents GitHub from a Chinese spyware vendor has exposed the extent of their capabilities and products. The documents, which were posted on GitHub by an unknown source, reveal a range of spyware tools that target various platforms, including Windows, Mac, Linux, iOS, Android, and even WiFi devices.

Key Highlights

The spyware vendor, identified as 安洵信息 (Anxun Information), claims to be a contractor for the Chinese government and offers solutions for espionage, surveillance, and cyberattacks. Some of the products they developed include:

  • Security System: A custom RAT (Remote Access Trojan) that can monitor and control Windows and Mac devices, with features such as keylogging, file access logging, remote shell, and publishing tweets on behalf of the user.
  • Hector: An active RAT that supports HTTP/WebSocket and HTTPS/WS over TLS, and can interact with Linux devices via remote shell and file management.
  • WiFi Near Field Attack System: A device that can inject spyware into Android devices via WiFi, and access their GPS, SMS, contacts, call logs, files, and real-time audio recording.
  • WiFi Tracking and Disruption Device: A device that can track down WiFi devices by their MAC address, and disrupt WiFi signals. It can also be controlled with a dedicated smartphone app.
  • Tor-like Device: A device that can hop between endpoints to evade detection and provide anonymity for agents working overseas.
  • Skywalker Data Research Platform: A platform that can look up information related to any keyword, such as phone number, email, username, etc. and retrieve their real-life details from various social media platforms, including QQ, WeChat, Weibo, Facebook, and Twitter.
  • Email Text Search Platform: A platform that can import and search emails from various protocols, including SMTP, POP3, iMAP, and Exchange. It can also configure non-plaintext transfer during transport to avoid encryption.
  • Automatic Pentesting System: A system that can perform pentesting on various targets, including Windows, Linux, web services, and networking equipment. It can also generate and execute APT attack scenarios, such as email phishing, browser-based attacks, and exploited Office document generation.
  • DDoS System: A system that can deploy a botnet client on Windows, Linux, or IoT devices, and launch DDoS attacks with a total throughput of 10~100Gbps.
  • CTF Platform: A platform that can host and manage a KoTH (King of the Hill) style CTF (Capture the Flag) competition for training offsec employees.

The leaked documents also contain screenshots, manuals, and code snippets of the products, as well as low-res images of various WeChat logs and random notes. The authenticity and origin of the documents are still unknown, but they provide a limited glimpse into the world of Chinese spyware development and deployment.