In previous articles we identified Jinan Quanxin Fangyuan Technology Co. Ltd. ( 济南全欣方沅科技有限公司), Jinan Anchuang Information Technology Co. Ltd. (济南安创信息科技有限公司), Jinan Fanglang Information Technology Co. Ltd. (济南方朗信息科技有限公司) and RealSOI Computer Network Technology Co. Ltd. (瑞索计算机网络科技有限公司) as companies associated with Guo Lin (郭林), a likely MSS Officer in Jinan.

We also identified two hackers from Jinan – Wang Qingwei (王庆卫), the representative of the Jinan Fanglang company and Zeng Xiaoyong (曾小勇) the individual behind the online profile ‘envymask’.

ZoxRPC

The Chinese variant of MS08-067 is particularly interesting because it forms part of a hacking tool frequently used by Chinese APT groups called ZoxRPC. This report from Novetta details ZoxRPC’s incorporation in its code of specific memory addresses from the port of MS08-067 to Chinese operating systems (for which envymask takes responsibility).

That is to say, Zeng’s code is used in ZoxRPC.

15-ZoxRPC
Novetta report on ZoxRPC evolution

If there were any doubt that it was envymask’s code used in ZoxRPC, have a look at the code found on pudn[.]com and you will see that it says: ‘MS08-067 Exploit for CN by EMM@ph4nt0m.org’.

20-emm code
MS08-067 for China written by envymask aka EMM

ZoxPNG

In a timeline analysis, the Novetta report identifies that ZoxRPC was evolved from code dating back to 2002 and was eventually released in 2008. It was then further developed into a new tool called ZoxPNG in 2013.

16-Zox strings
Novetta timeline analysis

A PwC presentation given at the Kaspersky Security Analyst Summit in 2015 showed that Chinese hacker Zhang Peng (张鹏) aka ‘missll’ was the author of the newer ZoxPNG variant.

17-PWC Zox
PwC presentation on ZoxPNG

APT17

As FireEye noted in their ‘Hide and Seek’ report, ZoxPNG is also known as BLACKCOFFEE. And as V3 showed in their blog article, APT17 aka DeputyDog used BLACKCOFFEE malware as a key part of multiple campaigns.

18-DDog
V3 blog article on APT17 using BLACKCOFFEE malware

So Zeng wrote the MS08-067 code in ZoxRPC.

And Zhang Peng aka missll evolved it into the APT17 tool ZoxPNG aka BLACKCOFFEE.

Where was Zhang Peng from? Jinan, China.

19-missll's early days
PWC presentation on missll

In summary:

Either, one of the authors of code in APT17’s primary malware just happens to be associated with a series of Cyber Security outfits that claim the MSS as their clients and are coincidentally managed by an MSS Officer.

Or, MSS Officer Guo Lin of the Jinan bureau of the Ministry of State Security manages APT17.

#thereismore…