1 Overview
In the past four years, Antian engineers have observed that Chinese organizations and users have repeatedly encountered cyber intrusion attempts originating from the "southwest direction." Although these attacks involved some concealment and disguise, we can still trace them back to their origin — a country in the South Asian subcontinent. Despite our proactive efforts to remind and assist our clients in improving defenses, and our cautious and limited disclosure of information and warnings, these attacks have not abated. On the contrary, they have resurged with greater capabilities.
This report by Antian discloses two groups of high-frequency attack incidents. Although we have not yet definitively determined the internal relationship between these two waves of attacks, it is certain that they share similar objectives and the same national background. We collectively refer to these two attack groups as the "Operation White Elephant."
1.1 Overview of the First Wave of Attacks
From 2012 to 2013, Antian successively captured multiple payload deployments from the White Elephant organization. Later, through correlation and homology analysis, hundreds of samples were found, most targeting Pakistan, with a few aimed at Chinese higher education institutions and other organizations. In July 2013, the security vendor Norman published a report naming this attack HangOver.[1]
Antian's technical lead disclosed the attacks targeting China captured by Antian in an article titled "Current Status, Challenges, and Improvements of Antivirus Methods" published in the April 2014 issue of the Communications of the Computer Society.[2]
"From March 2012 onwards, we have successively captured some related samples of this incident. These samples correspond to very rare network events with highly targeted characteristics." The article disclosed six related sample hashes and the attacked targets—two Chinese universities. At the 2014 China Internet Security Conference, Antian publicly disclosed the incident comprehensively for the first time in a report titled "Measurement of APT Incident Sample Sets."[3] In August 2014, Antian completed the report "The Dance of the White Elephant—Review of HangOver Attacks and Partial Sample Analysis,"[4] giving this attacking organization the Chinese name "White Elephant."
To distinguish two different waves of attacks, we refer to the highly active group during 2012–2013 in this report as "White Elephant Generation One." "White Elephant Generation One" deployed nearly a thousand PE samples with different hashes and used over 500 C&C domain addresses. Its developers were numerous and of mixed skill levels, with samples developed and compiled in various environments such as VC, VB, .net, and AutoIt. It did not use complex encryption algorithms, nor were any 0day or 1day exploits discovered. Instead, it mostly employed simple social engineering techniques, which some Chinese security researchers call "random EXE throwing"—spear phishing attacks. PE evasion was the main technique used by this group, which explains the large number of PE payloads. At the June 16, 2015 China Antivirus Conference, Antian presented a technical report titled "A2PT and 'Quasi-APT' Incident Attack Weapons,"[5] categorizing these attacks as lightweight APT attacks.
1.2 Overview of the Second Wave of Attacks
Following the first wave, payloads with related genetic characteristics began to decline, with activity noticeably dropping in 2014. By the end of 2015, Antian observed a resurgence of attacks from the "southwest direction." Through continuous tracking, it was found that the main targets remained China and Pakistan. Analysis of Antian's monitoring and early warning systems showed that Chinese targets were mainly in the education, military, and research sectors.
The second wave abandoned the chaotic attack methods of "White Elephant Generation One," presenting a more "standardized" and "procedural" overall attack operation. The second wave widely used spear phishing emails crafted with advanced social engineering skills for targeted delivery, exploiting at least three vulnerabilities: CVE-2012-0158, CVE-2014-4114, and CVE-2015-1641. Instead of simple attachments, it shifted to download links at the propagation layer, and some exploitations used anti-detection techniques. The number of payload hashes dropped significantly, including payloads developed using AutoIt scripts and ShellCode suspected to be generated by the commercial attack platform MSF. A clearer command system for remote control was preliminarily established.
We call this group of attacks "White Elephant Generation Two." There is no evidence of personnel overlap between Generation One and Generation Two. Overall, Generation Two's technical means are more advanced, and its greater operational coherence and technical capability are likely to raise its success rate. Its more aggressive deployment has made its attacks far more frequent and their impact far wider than Generation One's.
Compared to Generation One, the technical level of "White Elephant Generation Two" has qualitatively improved, better fitting some researchers' "technical definition" of APT attacks. However, Antian stresses that the "A" (Advanced) in APT is relative; whether an attack is called APT mainly depends on the initiator, motivation, and intent, not solely on technical level. Both the lightweight Generation One and the more sophisticated Generation Two attacks pose serious threats to China’s large information systems, especially civilian institutions such as universities.
2 White Elephant Generation One — Analysis of HangOver Samples, Targets, and Origins
2.1 Overview
The earliest payloads related to this campaign obtained by Antian in 2012 were buried among massive other security events and were not initially identified as APT attacks. Thanks to the July 2013 report by the security vendor Norman titled "OPERATION HANGOVER | Executive Summary — Unveiling an Indian Cyberattack Infrastructure,"[1] which named the event HangOver after the original project name "HangOve" found during analysis, Antian recognized this campaign as "White Elephant Generation One." This prompted Antian to reconsider the previous overemphasis on attack techniques and exploit use when detecting and tracking APTs, adopting new perspectives and methods for monitoring attacks from neighboring countries against China.
Antian believes the "White Elephant Generation One" group had many members with varying skills and a mixed development environment. Using the Antian backend analysis platform, 910 related samples were identified. The modules included keylogging, downloader, information theft, etc. The latest version identified is HangOver 1.5.7 (Startup). Analysis indicated the group targeted Chinese universities and other targets.
2.2 Sample and Resource Analysis
Antian CERT researchers developed four association methods (Methods A through D) for compiled binaries, comparing and correlating vectors of static and dynamic sample features across the entire sample set. Candidate samples extracted this way were then compared by code structure to filter out false positives, which surfaced more samples than had already been identified by others.
Among these, there were 29 samples compiled by AutoIt, 189 by VB, and 127 by VC.
Note: AutoIt is a scripting language for automation; scripts can be compiled into compressed standalone executables that run on Windows like other PE files.
Antian CERT also mapped the geographic locations of C&C IPs used by samples:
Comparison of timestamps and compiler data shows most samples were compiled between the second half of 2010 and the second half of 2011; fewer were compiled in the first half of 2010 (start phase); activity declined from the first half of 2012 (closing phase).
Note: Delphi-compiled samples were excluded due to timestamp analysis providing insufficient value.
2.3 Attacks on Targets within China
2.3.1 Samples and Incidents
Antian disclosed six samples related to attacks on two Chinese universities in an April 2014 article:
Capture Date | Sample Hash | Sample ID
2012-08-10 | 0D466E84B10D61031A62AFFCFFF6E31A | Sample 1
2012-10-21 | 734E552FE9FFD1FFDEA3434C62DD2E4B | Sample 2
2012-07-24 | 9A20F6F4CDDEABC97ED46AEE05AC7A50 | Sample 3
2012-07-06 | CE00250552A1F913849E27851BC7CF0A | Sample 4
2012-09-24 | DE81F0BDBD0EF134525BCE20B05ED664 | Sample 5
2012-08-01 | F37DD92EF4D0B7D07A4FBDCD9329D33B | Sample 6
Timeline of these six samples targeting two Chinese universities:
Visualization of payload deployment attacks and data control geographic scenarios against Chinese universities:
2.3.2 Sample Details and Operational Techniques
At least six samples were used in the attacks, compiled with different compilers (including versions). Four samples were unpacked; two used UPX packing.
Table 2-1: Introduction of six "White Elephant Generation One" samples
Sample | Packing | Compiler | Main Behavior | Callback Address
Sample 1 | None | Microsoft Visual Basic 5.0/6.0 | Releases a VBScript that connects to remote server zolipas.info (domain inactive) | http://zolipas.info/advd
Sample 2 | None | Microsoft Visual Studio .NET 2005–2008 | Sets file to run at startup, records keystrokes, uploads data | http://linkspectra.com/k1.php
Sample 3 | UPX | Dev-C++ 4.9.9.2 | Creates log.txt recording keystrokes, window titles, browser search terms, and username | N/A
Sample 4 | UPX | Microsoft Visual C++ 7.0 | Attempts to create csetup32.dll (failed); linked domain for additional malware download inactive | http://secureplanning.net/download/logo2.jpg
Sample 5 | None | Microsoft Visual Studio .NET 2005–2008 | Creates ntusr1.ini logging window titles; uploads log.txt from Sample 3 | http://periodtable.eu/starx.php
Sample 6 | None | Dev-C++ 4.9.9.2 | Creates logFile.txt collecting document file names | N/A
Five samples were deployed to the same target and exhibit modular cooperative operation. Sample 4 is the initial delivery sample with downloader capability; Sample 3 collects host information into log files; Sample 5 uploads data; Sample 6 collects document metadata; Sample 2 acts as a keylogger.
Comparing antivirus engine detections at capture and after Norman’s exposure shows the group used some evasion techniques.
2.4 Typical Component Analysis in Samples
The "White Elephant Generation One" sample set includes multiple functional components:
Component Name | Function
Keylogger | Keyboard logging
Downloader | Download payloads
Uploader | Upload data
HTTP backup | Upload via HTTP
FTP backup | Upload via FTP
USB Propagator | USB infection spread
Mail Password Decryptor | Email password decryption
Due to report length limits, only the data theft component is analyzed here. Its main function is to scan disks for sensitive files (by specified extensions), collect host information, and upload the data to attacker-controlled servers.
2.4.1 Sample Labels
Virus Name: Trojan/Win32.Uploader
Original Filename: Hangover1.5.9.exe
MD5: 0e9e46d068fea834e12b2226cc8969fd
Processor Architecture: X86-32
File Size: 289,208 Bytes
File Format: BinExecute/Microsoft.EXE[:X86]
Timestamp: 2012-09-13 13:09:03
Compiled Language: Microsoft Visual C++
2.4.2 Function Description
Traverse disk files, upload sensitive files and host information to the server;
Add startup entries;
Traverse sensitive files (.doc;.docx;.xls;.ppt;.pps;.pptx;.xlsx;.pdf);
Upload files to the server;
Generate upload file list;
Rename files in a standardized way before uploading;
Obtain computer host information;
Add startup entries in the current user and all users startup folders.
2.4.3 Function Analysis
This sample traverses user disk files and uploads files with specified extensions:
.doc;.docx;.xls;.ppt;.pps;.pptx;.xlsx;.pdf
For each acquired file, before uploading, it obtains the file time, converts it to a standard time format, and combines it with the original filename to form a new name, which is used as the upload filename. The main function code is as follows:
After obtaining all files with the specified extensions from the victim host, the sample sends them back to the designated server. The main process for uploading is as follows:
2.5 Analysis of Attack Source and Targets
2.5.1 Analysis of Other Samples Targeting China in the Sample Set
Table 2-2 Sample Labels
Virus Name: Trojan/BAT.Zapchast.at
Original Filename: Unknown
MD5: 13107B9455561E680FE8C3B9B1E8BC37
Processor Architecture: X86-32
File Size: 294,905 Bytes
File Format: ZIP
Timestamp: 2011-05-28 16:04:38
Digital Signature: None
Packing Type: ZIP SFX
Compiled Language: Microsoft Visual C++ 6.0
VT Scan Result: 40 / 51
The sample disguises itself with a PDF icon. When executed, it drops multiple files into system directories and runs them while displaying an image (see Figure 2-12): a Chinese court judgment document used to deceive the user. The dropped files add registry startup entries, record user keystrokes, and send the logs to a remote server.
Files spawned after sample execution:
MD5 | Path | Filename | Type | Function
E92F739FE39E22002FE3A824084DD95B | %WINDOWS%\windowss\ | spoolsv.exe | PE | Keylogging
01CDA08113796A78702843A414F477C4 | %WINDOWS%\windowss\ | ssmss.exe | PE | Send logs
FC368AEF6E1293295EE26F6360B9CF9C | %WINDOWS%\windowss\ | test.vbs | VBS Script | Execute start1.bat
0181DE2B2E2F1695DBBFBE9A59F5C96E | %WINDOWS%\windowss\ | start1.bat | Batch Script | Start PE file
68E8AD38E9E61504A46DEAE00EC7C141 | %WINDOWS%\windowss\ | court_notice.jpg | Image | Display to user
From the table above, the main malicious files are spoolsv.exe and ssmss.exe. Below is a brief analysis of these two files.
Spoolsv.exe Analysis:
Upon execution, the sample decrypts internal configuration data, with two decryption functions:
Decryption 1: Decrypts some registry startup key values, filenames, and monitored window names using a simple scheme that subtracts one from each ASCII character.
Decryption 2: Decrypts dynamically loaded DLL names and functions.
Uses CMD commands to add registry startup entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:InternetDownloadServices
C:\WINDOWS\windowss\spoolsv.exe
Creates event object Global{9A8FEAD9-92E9-3F1AD79150C2}, uses registered window to execute malicious code;
Records user window names and keyboard input, especially subwindows of Internet Explorer and Mozilla Firefox, to log URL addresses; recorded content is written to sonic.ax;
Every 100 records, copies sonic.ax to sonic1.ax for ssmss.exe usage.
Ssmss.exe Analysis:
Creates event object Global{D91AD7DF91-92E9-9A8FEA3F50CRC254}, retrieves computer name;
Uses CMD command to add registry startup entry:
reg add HKCU\Software\Microsoft\Windows\Currentversion\run /v WindowsFirewallSecurityServ /t REG_SZ /d "C:\Documents and Settings*\Desktop\ssmss.exe" /f
Loops reading sonic1.ax content and sends it to URL: ***rtdesk.com/test00.php;
Deletes sonic1.ax after sending.
C&C Information:
URL | IP | Location
***rtdesk.com/test00.php | ***.91.197.101 | United States
2.5.2 Timestamp and Timezone Analysis of Sample Set
The sample timestamp is the TimeDateStamp field in the PE file header, a 32-bit value that the compiler normally writes automatically when it builds the executable. It counts seconds since 1970-01-01 00:00 UTC, so it can usually be taken as the time the sample was built (in GMT).
Timestamp analysis requires collecting all available executable timestamps, excluding early or obviously tampered timestamps, then grouping and counting them by specific criteria, such as day of the week or hour, and presenting the results graphically. The figure below shows the results grouped by hour:
From the above statistics, assuming the attacker’s working hours are from 8 or 9 AM to 5 or 6 PM, the working hours correspond to attackers in a UTC+4 or UTC+5 timezone.
Based on the matched attacker timezone (UTC+4 or UTC+5), and by comparing the world timezone distribution map, one can infer the possible attacker’s region or country.
UTC+4: United Arab Emirates, Oman, Mauritius, Réunion (France), Seychelles, Tbilisi, Armenia, Azerbaijan, Afghanistan, Abu Dhabi.
UTC+5: Pakistan, Maldives, Yekaterinburg, Uzbekistan, Turkmenistan, Tajikistan, Sri Lanka, India.
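The hour-of-day grouping and working-window fit described in this section, as an added Python example (not the report's own tooling): it drops implausible TimeDateStamp values, builds the per-hour histogram for each candidate UTC offset, and keeps the offsets under which the compile times fit a working day. The timestamps, the 08:00-18:00 window and the 2009-2013 plausibility bounds are constructed assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working window [08:00, 18:00), the loose "8 or 9 AM to 5 or 6 PM"
# assumption used in the text.
WORK_START, WORK_END = 8, 18

# Assumed plausibility bounds: anything outside is treated as a zeroed compiler
# default or a tampered value and dropped before grouping.
NOT_BEFORE = int(datetime(2009, 1, 1, tzinfo=timezone.utc).timestamp())
NOT_AFTER = int(datetime(2013, 12, 31, tzinfo=timezone.utc).timestamp())


def filter_plausible(timestamps, not_before=NOT_BEFORE, not_after=NOT_AFTER):
    """Keep only TimeDateStamp values inside the plausible compile window."""
    return [t for t in timestamps if not_before <= t <= not_after]


def hour_histogram(timestamps, offset_hours=0):
    """Count compile events per hour of day after shifting UTC by offset_hours."""
    hist = Counter()
    for t in timestamps:
        local = datetime.fromtimestamp(t, tz=timezone.utc) + timedelta(hours=offset_hours)
        hist[local.hour] += 1
    return hist


def work_window_fraction(hist, start=WORK_START, end=WORK_END):
    """Fraction of events whose local hour falls inside [start, end)."""
    total = sum(hist.values())
    if total == 0:
        return 0.0
    return sum(c for h, c in hist.items() if start <= h < end) / total


def infer_utc_offsets(timestamps, min_fraction=0.9):
    """UTC offsets (whole hours, -12..+14) under which at least min_fraction of the
    compile times fall inside the working window. Adjacent offsets usually both
    qualify, which is why the analysis can only narrow to UTC+4 or UTC+5."""
    return [k for k in range(-12, 15)
            if work_window_fraction(hour_histogram(timestamps, k)) >= min_fraction]


def _constructed_timestamps(offset_hours=5, workdays=20):
    """Constructed data, not the report's sample set: one compile per local hour
    09..17 on each of `workdays` weekdays, as if built in UTC+offset_hours, plus a
    zeroed and a future timestamp to exercise the plausibility filter."""
    tz = timezone(timedelta(hours=offset_hours))
    day = datetime(2011, 3, 7, tzinfo=tz)
    out, n = [], 0
    while n < workdays:
        if day.weekday() < 5:
            for h in range(9, 18):
                out.append(int((day + timedelta(hours=h, minutes=(n * 7 + h) % 60)).timestamp()))
            n += 1
        day += timedelta(days=1)
    out.append(0)
    out.append(int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp()))
    return out


CONSTRUCTED_TIMESTAMPS = _constructed_timestamps()

if __name__ == "__main__":
    kept = filter_plausible(CONSTRUCTED_TIMESTAMPS)
    print(f"{len(kept)} plausible of {len(CONSTRUCTED_TIMESTAMPS)} timestamps")
    print("UTC hour histogram:", sorted(hour_histogram(kept).items()))
    print("candidate offsets:", infer_utc_offsets(kept))
```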
2.5.3 Attack Group Analysis
We further synthesized clues about this attack group based on publicly available internet information and created a profile. We believe this is an attack group composed of 10–16 people. Six user IDs identified are cr01nk, neeru rana, andrew, Yash, Ita nagar, and Naga.
3 White Elephant Generation Two: Victims, Vulnerabilities, and Capabilities
3.1 Overview
Starting in the second half of 2015, the "White Elephant Generation Two" attacks differed greatly from "White Elephant Generation One." They began to deliver exploits for CVE-2014-4114 [6], CVE-2015-1641, and other vulnerabilities instead of sending EXE files directly as attachments, using a "social engineering phishing email + link" approach. The number of PE payloads also decreased significantly.
3.1.1 Time Chain
According to information aggregated by the Antian Monitoring and Early Warning Platform, the main targets of the "White Elephant 2.0" attacks are China and Pakistan. The attacks against China have been numerous and widespread, and we have tracked this organization continuously since 2016.
3.1.2 Victims
The "White Elephant 2.0" organization mainly targets the education, military, and scientific research sectors in China.
3.2 Attack Analysis
The "White Elephant 2.0" organization mainly attacks via spear-phishing emails. Most emails attack by inserting malicious links, using carefully crafted bait content to induce victims to open the link. Once opened, the malicious link downloads a vulnerability-exploiting malicious document.
Among the documents we captured, most use PPS files exploiting CVE-2014-4114 vulnerability, with a small number using RTF files exploiting CVE-2015-1641 vulnerability.
3.3 Spear-Phishing Attacks
Spear-phishing attacks are the most common type of APT attack. Unlike ordinary phishing emails, spear-phishing attacks do not send malicious emails in bulk but launch targeted attacks against specific members of companies or organizations. The attack techniques are divided into two types:
Embedding malicious attachments in emails to lure victims into opening the attachments;
Embedding malicious links in the email body to lure victims into clicking the links. Once clicked, the victim is redirected to a malicious link, which may be a compromised website or a malicious file download location.
In this campaign, the "White Elephant 2.0" organization mainly uses the second method: because the emails carry no attachment, they are more likely to bypass security software, and a link gains user trust more easily than an attachment does. The links in the emails use third-party domain name redirections, mostly with domains such as .
3.3.1 Case 1: Spear-Phishing Email Targeting Chinese University Professors
This is a spear-phishing email targeting Chinese university professors. The email body discusses the South China Sea issue and at the end induces victims to click a link to view the "full report." Once clicked, a malicious document is downloaded. This document exploits the CVE-2014-4114 vulnerability and uses the PPS format's auto-play feature to trigger the vulnerability when the document is opened.
The email content summary:
Relations between China and Southeast Asia:
China’s South China Sea, with more tension and challenges (May 2016 report)
At the beginning of 2016, multiple countries focused on the China South China Sea dispute. Several countries led by the US strongly condemned China, and China strongly condemned US actions and military deployments.
Beijing remains determined to resolve disputed issues, especially as President Xi Jinping stated in September 2015 that China does not intend to militarize the South China Sea. Tensions have not spread, and increasing US-China meetings show Southeast Asian governments that Washington and Beijing are not seeking confrontation. Against this backdrop, these governments' responses to China's challenges to its South China Sea rights remain measured. In the past, they often showed less confidence facing China, exhibited some criticisms of China, became more willing to block China, and sought closer ties with the US...
3.3.2 Case 2: Spear-Phishing Email Targeting Domestic Research Institutions
This is another spear-phishing email targeting domestic research institutions. It uses a scanned image of a document labeled TOP SECRET as the email body to lure victims into clicking the "top secret report" link below. Once clicked, a malicious document is downloaded. The document exploits CVE-2014-4114 and uses the PPS format auto-play feature to trigger the vulnerability when opened.
The email content summary in Chinese:
Our Defense Minister
Item 1.
Contr Nr: X-0850
Date: February 20, 1969
Document, Subject & Content: A note from the Defense Minister to the President: Okinawa base and troops. Response to questions raised at the January 27 meeting. Note these are Joint Chiefs of Staff responses; the Defense Ministry will provide clear policy through ongoing NSC research. Thus, the Defense Minister's views are not provided. Questions include the scale of Okinawa forces, reasons for presence, future base needs, etc. Attachment: Defense Minister noted transfer from Joint Chiefs Chairman to President and pointed out ISA has not commented.
Item 2.
Contr Nr: X-1383
Date: May 19, 1969
Document, Subject & Content: Note from Defense Minister to Joint Chiefs Chairman: Degradation of nuclear capabilities - at Ryukyu base and reserves...
3.3.3 Case 3: Spear-Phishing Email Targeting Chinese Military Enthusiasts
This is a military-related phishing email targeting Chinese military enthusiasts. Similarly, a link is embedded in the body, pointing to a malicious document. This document is a Word document using a different vulnerability from the previous PPS cases. It is an RTF format document with a .doc extension, exploiting CVE-2015-1641.
3.4 Related Bait Files
The "White Elephant 2.0" organization mainly uses PPS (PowerPoint auto-play format) and RTF format documents with Word extensions as bait files. Most captured samples are military-related bait files.
3.5 Vulnerability Exploitation
All vulnerabilities that Antian has observed the "White Elephant 2.0" organization use are known Office document format vulnerabilities. Some samples apply techniques to evade detection by security software, and our historical scan results show these techniques are effective.
3.5.1 Sample Tag
Virus Name: Trojan[Exploit]/Win32.CVE-2014-4114
Original File Name: 2016_China_Military_PowerReport.pps
MD5: F0D9616065D96CFCBB614CE99DD8AD86
File Size: 12,801,024 bytes
File Format: Document/Microsoft.PPS
Last Archive Time: 2016-05-18 05:24:54
3.5.2 CVE-2014-4114
While tracking the "Sandworm" attack group, we analyzed the CVE-2014-4114 vulnerability over a long period [6]. Its key feature is that, although it is delivered through a document format, it does not depend on a memory-corruption bug in the document parser: it is a logic flaw that yields remote code execution without having to defeat Windows DEP or ASLR.
The "White Elephant" attack uses samples with a PPS extension that exploit the Windows OLE remote code execution vulnerability CVE-2014-4114 to drop and execute executable files. Notably, most CVE-2014-4114 samples from other groups that we analyzed previously use the newer Office format, a compressed package indexed by XML, in which the embedded PE payload is detected by antivirus engines during recursive decompression.
This time, however, the "White Elephant 2.0" group used the older traditional Office LAOLA format. For security vendors this is an "unpublished format," which gives a degree of evasion. Figure 3-14 shows multi-engine scan results indicating that this sample evaded most security software.
Note: The LAOLA file format is Microsoft’s early Office version custom "Compound File Binary Format." Microsoft has not published this format. Traditional antivirus vendors have reverse-engineered it to handle macro viruses effectively, but it poses challenges to many new security vendors.
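An added Python example, not the report's code, of the detection gap described above: an OOXML package is a ZIP that a scanner can walk to find an embedded PE stub, while a CFB (LAOLA) container is only recognisable by its signature and needs a native parser, shown here by reading the header fields such a parser starts from. Both sample documents are constructed in memory; the CFB one is a bare header, not a real presentation.

```python
import io
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # Compound File Binary (OLE2 / "LAOLA") signature
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.pptx/.docx/.xlsx) is a ZIP package
PE_STUB = b"MZ\x90\x00"                            # DOS header start of a typical PE file


def container_type(data: bytes) -> str:
    """Classify by signature: the two containers need completely different parsers."""
    if data.startswith(CFB_MAGIC):
        return "cfb"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def embedded_pe_in_ooxml(data: bytes) -> list:
    """Recursive-decompression check: unpack the ZIP and report every member that
    carries a PE stub (an oleObjectN.bin wrapping an EXE, for example)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if PE_STUB in zf.read(info.filename):
                hits.append(info.filename)
    return hits


def cfb_header(data: bytes) -> dict:
    """Parse the fields of the 512-byte CFB header a native parser needs first
    (offsets per the MS-CFB layout). A ZIP-based scanner never gets this far."""
    if not data.startswith(CFB_MAGIC) or len(data) < 512:
        raise ValueError("not a CFB container")
    major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHH", data, 0x1A)
    fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 0x2C)
    mini_cutoff = struct.unpack_from("<I", data, 0x38)[0]
    return {
        "major_version": major,
        "little_endian": byte_order == 0xFFFE,
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": fat_sectors,
        "first_dir_sector": first_dir_sector,
        "mini_stream_cutoff": mini_cutoff,
    }


def scan(data: bytes) -> dict:
    """Triage verdict. OOXML is unpacked and searched; CFB is only recognised and
    handed on, because a zip-based scanner sees nothing inside it."""
    kind = container_type(data)
    verdict = {"container": kind, "embedded_pe": [], "needs_cfb_parser": False}
    if kind == "ooxml":
        verdict["embedded_pe"] = embedded_pe_in_ooxml(data)
    elif kind == "cfb":
        verdict["needs_cfb_parser"] = True
        verdict["cfb_header"] = cfb_header(data)
    return verdict


def constructed_ooxml_with_pe() -> bytes:
    """Constructed .pptx-like package with an OLE object stream that wraps an EXE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/embeddings/oleObject1.bin", b"\x00" * 16 + PE_STUB + b"\x00" * 64)
    return buf.getvalue()


def constructed_cfb() -> bytes:
    """Constructed CFB header (version 3, 512-byte sectors) plus two empty sectors.
    Not a valid presentation, only enough to show the classification split."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, byte order, shifts
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                        # FAT sector count, first dir sector
    struct.pack_into("<I", hdr, 0x38, 4096)                         # mini stream cutoff
    return bytes(hdr) + b"\x00" * 1024


if __name__ == "__main__":
    print(scan(constructed_ooxml_with_pe()))
    print(scan(constructed_cfb()))
```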
3.5.3 Others
Besides the above vulnerabilities, the group also used a small number of files exploiting CVE-2015-1761 and CVE-2012-0158 vulnerabilities. Both payloads target Word. The attackers did not apply evasion techniques for these two vulnerabilities and basically used publicly available exploit codes online. Therefore, existing antivirus engines have relatively high detection rates for these files.
3.6 Functional Sample Situation
From the currently captured samples, the PE payload samples used by the "White Elephant 2.0" group are of low technical level, lacking complex modular systems and encryption or anti-analysis mechanisms. Some samples are written in scripting languages, and others are recompiled versions of publicly available code.
3.6.1 Data Theft Module
Sample tag:
Virus Name: Trojan/Win32.AutoIt
Original File Name: sysvolinfo.exe
MD5: A4FB5A6765CB8A30A8393D608C39D9F7
Processor Architecture: X86-32
File Size: 11,659,903 bytes
File Format: BinExecute/Microsoft.EXE[:X64]
Timestamp: 2016-05-13 07:55:20
Digital Signature: NO
Packing Type: None
Compiled Language: AutoIt
Among the attack samples used by "White Elephant 2.0," multiple samples were written in AutoIt, primarily used to steal data and package it back to a remote server. Specific functions include:
Reporting system basic information, including system version, architecture, whether Chrome is installed, sample version info, etc.;
$postdata = "ddager=" & $regstat & "&r1=" & b64encode(@OSVersion) & "&r2=" & b64encode(@OSArch) & "&r3=" & b64encode($p_ver) & "&r4=" & b64encode($emorhc) & "&r5=" & b64encode($cmdout) & "&r6=" & b64encode($admin)
Remote control capabilities to perform different operations based on remote server instructions. The instruction set design is relatively crude, as shown below:
Branch | Corresponding Function
1 | Output debug info and reconnect to the C&C after a 1-second delay
2 | Use PowerShell for privilege escalation and execute received PowerShell commands
3 | Modify the $stat flag value
4 | Exit
5 | Collect website usernames and passwords stored in the Chrome browser
6 | Use PowerShell to download and run new malicious programs
7 | Use AutoIt's built-in functions to download and run new malicious programs
8 | Execute CMD commands in hidden mode and record the command output
Collecting various document files on the computer, renaming them using their MD5, packaging them, and uploading them to the C&C. The targeted file extensions of "White Elephant Generation 1" and "White Elephant Generation 2" compare as follows:
White Elephant Generation 1
*.doc *.docx *.xls *.ppt *.pps *.pptx *.xlsx *.pdf
White Elephant Generation 2
*.doc *.docx *.xls *.ppt *.pptx *.xlsx *.pdf *.csv *.pst *.jpeg
Release the program cup.exe, and call it with the path of the packaged files as a parameter. The main function of cup.exe is to send back the stolen files.
3.6.2 ShellCode Remote Control Module
Sample labels are as follows:
Virus Name: Trojan[Exploit]/Win32.ShellCode
Original File Name: sysvolinfo.exe
MD5: 465DE3DB14158005EDE000F7C0F16EFE
Processor Architecture: X86
File Size: 10,536,063 bytes
File Format: BinExecute/Microsoft.EXE[:X86]
Timestamp: 2016-05-16 13:35:59
Digital Signature: None
Packing Type: None
Compilation Language: Microsoft Visual C# / Basic .NET
The sample is compiled with Microsoft Visual C#. Its function is to connect to a remote server, receive ShellCode, and execute it. The function is simple and the sample is not obfuscated, so the plaintext code is visible after decompilation. The same fragment appears in ShellCode generated by the commercial attack platform MSF; however, because this pattern is so generic, we cannot currently conclude that the "White Elephant" organization uses the MSF platform.
After the sample receives the ShellCode from the server and completes self-decryption, it interacts with the server, receives instructions, executes them, and returns the results to the server. Figure 3-19 shows the sample’s running flow:
3.7 C&C Analysis
In this operation, the exploit documents were all downloaded via URLs, while the dropped data-theft and remote-control samples mostly use hardcoded IP addresses for C&C. Figure 3-20 shows some of the relationships among the domain names, IP addresses, PE files, and Office files used by the "White Elephant Generation 2" organization:
3.8 Hiding and Tracking
3.8.1 Third-party Email Services
Through the analysis of some attack emails, we found that the organization sends emails via third-party email service providers in bulk. In the original email data, only information about the email service provider is present. Attackers use this technique to some extent to hide their IP addresses.
3.8.2 Compromised Websites
In Antian’s tracking analysis, it was discovered that some C&C addresses of this organization are normal websites. After analysis, we believe the organization might have compromised these websites and placed their own C&C service control code on their servers to hide their IP information. At the same time, this method causes security software to regard the connection as a normal website, which will not trigger security alerts.
GET /UAV/ HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; MSOffice 12)
Accept-Encoding: gzip, deflate
Host: www.***gdeals.com
Connection: Keep-Alive
GET /facilities/welfare2/news HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; MSOffice 12)
Accept-Encoding: gzip, deflate
Host:
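An added Python example (not the report's code) that turns the two network artefacts into detection logic: the fixed MSIE 6.0 / MSOffice 12 User-Agent of the GET requests above, and the AutoIt stealer's check-in POST body from section 3.6.1 (ddager=...&r1=<base64 OS version>&r2=<base64 architecture>...). The tab-separated proxy-log format, the hosts and the addresses are constructed assumptions.

```python
import base64
import binascii

# Fixed User-Agent seen in the GET requests above (copied from the captures).
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; MSOffice 12)"
# Field names from the AutoIt stealer's $postdata string in section 3.6.1.
BEACON_FIELDS = ("r1", "r2", "r3", "r4", "r5", "r6")
# Assumed proxy-log layout: tab-separated fields in this order.
LOG_KEYS = ("ts", "client", "method", "host", "path", "user_agent", "body")


def _b64_text(value):
    """Strict base64 decode to text; None if the value is not clean base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_beacon_body(body):
    """Decode a check-in body of the form ddager=<flag>&r1=<b64>&...&r6=<b64>.
    Returns the decoded fields, or None if the body does not fit that shape."""
    params = dict(p.split("=", 1) for p in body.split("&") if "=" in p)
    if "ddager" not in params or not all(k in params for k in BEACON_FIELDS[:3]):
        return None
    decoded = {k: _b64_text(params[k]) for k in BEACON_FIELDS if k in params}
    if decoded.get("r1") is None or decoded.get("r2") is None:
        return None
    return {"regstat": params["ddager"], **decoded}


def classify_record(rec):
    """Detection tags for one parsed record."""
    tags = []
    if rec.get("user_agent") == SUSPECT_UA:
        tags.append("fixed-msie6-msoffice12-ua")
    if rec.get("method") == "POST" and parse_beacon_body(rec.get("body", "")) is not None:
        tags.append("autoit-stealer-checkin")
    return tags


def parse_log_line(line):
    """Split one tab-separated log line into a record; missing trailing fields are empty."""
    fields = line.rstrip("\n").split("\t")
    fields += [""] * (len(LOG_KEYS) - len(fields))
    return dict(zip(LOG_KEYS, fields))


def scan_log(lines):
    """(timestamp, client, tags) for every record that raised at least one tag."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        tags = classify_record(rec)
        if tags:
            hits.append((rec["ts"], rec["client"], tags))
    return hits


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed proxy-log records. Hosts and addresses are placeholders, not the
# report's masked indicators; the field values mirror the $postdata layout.
CONSTRUCTED_LOG = [
    "\t".join(["2016-05-20T08:01:02Z", "10.0.0.15", "GET", "www.compromised-site.invalid",
               "/UAV/", SUSPECT_UA, ""]),
    "\t".join(["2016-05-20T08:01:03Z", "10.0.0.15", "POST", "203.0.113.7", "/",
               "Mozilla/5.0", "&".join(["ddager=0", "r1=" + _b64("WIN_7"), "r2=" + _b64("X64"),
                                         "r3=" + _b64("1.0"), "r4=" + _b64("1"),
                                         "r5=" + _b64("user1"), "r6=" + _b64("0")])]),
    "\t".join(["2016-05-20T08:02:00Z", "10.0.0.22", "GET", "www.benign.invalid",
               "/index.html", "Mozilla/5.0 (Windows NT 10.0)", ""]),
]

if __name__ == "__main__":
    for hit in scan_log(CONSTRUCTED_LOG):
        print(hit)
```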
3.8.3 Background and Source-related Information
Based on existing resources, it can be analyzed that a developer ID in the "White Elephant Generation 2" organization is "Kanishk." Searching on Wikipedia reveals a similar word "Kanishka," which is a Sanskrit transliteration, translated in Chinese as “迦腻色迦” (Jianisika). Kanishka was the ruler of the Kushan Empire, which mainly controlled the Indus River valley.
4 Summary
4.1 Comparison of Two Generations of "White Elephant"
We compared some elements of "White Elephant Generation 1" and "White Elephant Generation 2" in tabular form, showing how the attack capabilities associated with the relevant national background have developed:

| Element | White Elephant Generation 1 | White Elephant Generation 2 |
| --- | --- | --- |
| Main threat targets | Large areas in Pakistan and some targets in China (e.g., universities) | Large areas in Pakistan and China, including education, military, scientific research, media, and various other targets |
| Initial attack methods | Spear-phishing emails with direct attachments | Spear-phishing emails carrying links to documents that exploit file-format vulnerabilities |
| Types of stolen files | *.doc *.docx *.xls *.ppt *.pps *.pptx *.xlsx *.pdf | *.doc *.docx *.xls *.ppt *.pptx *.xlsx *.pdf *.csv *.pst *.jpeg |
| Social engineering techniques | PE double extensions, opening embedded pictures, pictures faked as military intelligence or court judgments; relatively crude | Faked military and political information; more sophisticated |
| Use of vulnerabilities | None observed | CVE-2014-4114, CVE-2012-0158, CVE-2015-1761 |
| Binary payload development environment | VC, VB, DEV C++, AutoIt | Visual C#, AutoIt |
| Binary payload packing | A few samples packed with UPX | None |
| Digital signature theft/forgery | None observed | None |
| Estimated size of attack group | 10~16 people with varying skill levels | Small team with higher attack capabilities |
| Threat consequences assessment | Caused some threat consequences | Possibly severe consequences |
4.2 Great Powers’ Cyber Defense Capability Will Ultimately Be Tested by Attackers and Spies
In recent years, China’s information systems and users have faced continuous probing by cyber intrusions from multiple parties. These attacks use a variety of advanced (and some seemingly not so advanced) techniques to obtain confidential information, research results, and other secrets. Attack groups entrench themselves in critical infrastructure and key information systems for the purpose of espionage and gaining more initiative, and the potential harm and scope far exceed those of website defacement or traditional DDoS attacks. The methods and characteristics of these attacks differ according to the attacker’s strategic intentions, capabilities, and focus. While Chinese users worry about “god’s eye view” attacks, the analysis of "White Elephant" shows that cyberattacks from geopolitical competitors are also a major risk and challenge for China’s informatization. Although often crude, these attacks are more frequent and direct, and hard to eradicate.
Attacks like "White Elephant," lacking on-the-ground connections and electromagnetic coverage, rely more heavily on internet entry points such as email. From a panoramic defense perspective, this is a controllable entry point. For a society whose basic sensing, detection, and defense capabilities are inadequate, however, such targeted remote attacks are highly effective and easily lost among the many other non-targeted security incidents.
A great power’s defense, guided by design, built on industry, and backed by investment, will ultimately be tested in real confrontations with attackers and spies.
4.3 APT Defense Requires Joint Improvement of Basic Informatization Links and Security Capabilities
From the "White Elephant" attacks, we first see China’s shortcomings in informatization development. Among the targeted mailboxes attacked by "White Elephant Generation 2," a large proportion are free personal mailboxes. Previous internal reports from Antian had already pointed out that nearly half of domestic institutional users use free personal mailboxes as their contact addresses, and the security of these free mailboxes is highly concerning. Twenty years after the launch of China’s information superhighway, there is still no effective secure email service covering official institutions and government personnel. The lack of enterprise- and institution-level informatization infrastructure, including insufficient security investment by ISPs, leaves attack points highly dispersed, lowering the bar for attackers and making defense harder.
We also see that many basic information security links and product capabilities are still inadequate. "White Elephant Generation 1" was classified by Antian as a lightweight APT attack: it used PE evasion and limited social engineering, yet still successfully penetrated Chinese higher education institutions. Although "White Elephant Generation 2" has significantly improved its methods, it shows no sign of a stockpile of 0-day exploits. All three vulnerabilities it used had been patched by Microsoft before they were exploited here, and two of the exploits were not even obfuscated to evade detection. The success of such attacks highlights insufficient patching, system hardening, and basic security practice, as well as inadequate product capabilities.
These attacks also show that traditional traffic intrusion detection based on single-packet inspection, and boundary security mechanisms based on real-time detection, need effective supplementation and extension. Important systems must establish effective retention and asynchronous deep-inspection mechanisms at the traffic-reconstruction level in order to detect payload delivery. The combination of traffic reconstruction and sandboxing will become standard for important systems. A sandbox is not merely a supplementary behavioral analysis tool; it also raises the attacker’s cost of predicting defensive capabilities and methods. Merely localizing open-source sandbox tools without improving their capabilities amounts to giving up the sandbox’s critical "anti-evasion" security property. Nor is a sandbox merely an extension of antivirus engine detection; its core value lies in reliably triggering vulnerabilities and exposing behavior, which requires long-term security accumulation transformed into engineering capability. Its single-object input and multi-vector output require effective interaction between network managers and vendor support teams to realize its value.
Regardless of form (PC, server, or cloud), the endpoint is the fundamental data carrier and the ultimate battlefield for security. Network-side security capabilities must link up with endpoints to form a defense-in-depth system, and domestic operating systems likewise require their own protective measures and mechanisms. Any expectation of repelling threats solely at the network boundary or through physical isolation, and any promise of a "one-shot" solution, is mere psychological comfort.
4.4 Anti-APT Is a Comprehensive Systemic Contest
Countering APT attacks means matching the attacker’s comprehensive investment in personnel, organization, equipment, and engineering systems; it is inevitably a contest of cost. Today’s abnormal market practice of procuring security below cost ultimately damages the overall cybersecurity capabilities of a great power.
Countering APT also means facing the attacker’s firm and persistent will to attack, which places higher demands on security analysis teams. From the perspective of a security vendor, it is a continuous confrontation supported by engineered systems for sensing and analysis. We must keep tracking attackers’ techniques, intentions, and paths, and turn that experience into defensive improvements and product updates for users. Security analysis teams must have both the courage to expose adversaries and the steady will to defend over long periods, often unnoticed.
Furthermore, regrettably, the "White Elephant" group, a very active APT actor, appears to have remained outside the scope of most major international security vendors for years. Therefore, like many previous reports by Antian, this report will be published in both Chinese and English. Although we do not know how many overseas readers there will be, we hope to inform the world of the real situation of the cyberattacks faced by China. The fact that "China is a victim of cybersecurity attacks" will inevitably overcome certain stereotypes fabricated by some.