
Fewer than 1 in 1,000 US adolescents receive gender-affirming medications, researchers find


AP correspondent Ben Thomas reports researchers have determined fewer than 1 in 1,000 US adolescents receive gender-affirming medications.


Strong earthquake kills at least 95 people in western China near Mount Everest


AP correspondent Charles de Ledesma reports a strong earthquake has killed at least 95 people in western China near Mount Everest.


NPR News: 01-07-2025 4AM EST


US adds Tencent to the list of companies supporting Chinese military


US adds Chinese multinational technology and entertainment conglomerate Tencent to the list of companies supporting the Chinese military.

The US Department of Defense has added Chinese multinational technology and entertainment conglomerate Tencent to its “Chinese military company” list under the Section 1260 requirement.

The US government does not explain the decision.

The list includes the companies that support the People’s Liberation Army (PLA) on technology development. Unlike the Entity List for Malicious Cyber Activities, managed by the Commerce Department’s Bureau of Industry and Security (BIS), the Section 1260 list does not impose any ban or sanction on the tech giant. However, it serves as a warning for organizations to scrutinize potential collaborations with Tencent.

The organizations in the “Section 1260 list” support the “Military-Civil Fusion strategy” of the Chinese government.

The Chinese “Military-Civil Fusion” (MCF) strategy is a national policy aimed at erasing the traditional barriers between China’s civilian and military sectors to foster technological and industrial development for the benefit of both. It is a core element of China’s broader efforts to modernize its military, the People’s Liberation Army (PLA), and strengthen its national defense capabilities.

Tencent stated that its inclusion on the updated list must be an error and plans to appeal.

Tencent’s inclusion on the U.S. Department of Defense’s list of companies potentially aiding China’s military highlights concerns over its technologies’ dual-use potential. Key points include:

  • Military-Civil Fusion: Tencent’s technologies could contribute to dual-use innovations, supporting both civilian and military applications, while strengthening cybersecurity for military networks.
  • WeChat’s Ubiquity: With over a billion users, WeChat integrates messaging, payments, and social networking. The platform could support military communication, strategic message dissemination, public sentiment monitoring, and intelligence gathering.
  • Cloud Services: Tencent Cloud may enable data storage, processing, and secure collaboration via enterprise tools like VooV, aiding military operations.
  • Gaming Technologies: Tencent’s expertise in VR, AR, and AI could be applied to military training simulations, strategic analytics, and decision-making enhancements.

The US government also added the Chinese battery maker CATL to the list; however, the company labeled the addition a mistake and said it “is not engaged in any military related activities.”

“We are not a military company or supplier. Unlike sanctions or export controls, this listing has no impact on our business,” a spokesperson for the company told the BBC.

“The US’s practices violate the market competition principles and international economic and trade rules that it has always advocated, and undermine the confidence of foreign companies in investing and operating in the United States,” said Liu Pengyu, a spokesperson for the Chinese embassy in Washington.


Pierluigi Paganini

(SecurityAffairs – hacking, Chinese military)



Why You’re Paying for Other People’s Stolen Packages


Some retailers are requiring all customers pay package-protection fees to ease the financial burden of replacing lost or stolen deliveries. Wall Street Journal personal finance reporter Imani Moise joins host J.R. Whalen to discuss how much the fees are, and what they typically cover.


NPR News: 01-07-2025 3AM EST


NPR News: 01-07-2025 2AM EST


Dozens Killed by Earthquake in Tibet as Rescuers Search for People Trapped in Rubble


In this photo released by Xinhua News Agency, people stand amidst damaged houses in the aftermath of an earthquake in Tonglai Village, Changsuo Township of Dingri in Xigaze, southwestern China's Tibet Autonomous Region on Jan. 7, 2025.

BEIJING — A strong earthquake killed at least 95 people in Tibet on Tuesday and left many others trapped as dozens of aftershocks shook the high-altitude region of western China and across the border in Nepal.


Officials in the region said at a brief news conference that 130 others were injured, state broadcaster CCTV said.

Video on CCTV showed orange-suited rescue workers climbing piles of debris blocking homes in a heavily damaged village, while chunks that had been knocked off buildings littered streets and crushed cars in other areas.

State media reported that about 1,000 houses were damaged and 130 people were injured in addition to the deaths, citing the Tibet earthquake relief headquarters.

The U.S. Geological Survey said the earthquake measured magnitude 7.1 and was relatively shallow at a depth of about 10 kilometers (6 miles). China recorded the magnitude as 6.8.

The epicenter was about 75 kilometers (50 miles) northeast of Mount Everest, which straddles the China-Nepal border. The area is seismically active and is where the India and Eurasia plates clash and cause uplifts in the Himalayan mountains strong enough to change the heights of some of the world’s tallest peaks.

About 50 aftershocks were recorded in the three hours after the earthquake, and the Mount Everest scenic area on the Chinese side was closed after the quake.

About 1,500 fire and rescue workers were deployed to search for people, the Ministry of Emergency Management said. Two hundred soldiers joined the search, CCTV said.

Chinese leader Xi Jinping called for all-out efforts to rescue people, minimize casualties and resettle those whose homes were damaged. Vice Premier Zhang Guoqing was dispatched to the area to guide the work.

CCTV said there are a handful of communities within 5 kilometers (3 miles) of the epicenter, which was 380 kilometers (240 miles) from Lhasa, the capital of Tibet, and about 23 kilometers (14 miles) from the region’s second-largest city of Shigatse, known as Xigaze in Chinese.

The average altitude in the area around the epicenter is about 4,200 meters (13,800 feet), the China Earthquake Networks Center said in a social media post.

In Nepal, authorities asked officials in the mountainous area near the epicenter to search for any casualties or damage.

The National Emergency Operation Center in Kathmandu said people in northeastern Nepal strongly felt the earthquake but there were no immediate reports of injuries or damage to houses.

A police officer in Solukhumbu district, where Mount Everest is located, said by telephone that there were no reports of damage. The area, often crowded with climbers and hikers, was empty in the depth of winter. Many residents move to the south to avoid the harsh winter.

About 230 kilometers (140 miles) from the epicenter in Nepal’s capital, Kathmandu, the earthquake woke up residents and sent them running out of their homes into the streets.

There have been 10 earthquakes of at least magnitude 6 in the area where Tuesday’s quake hit over the past century, the USGS said.

—Associated Press writer Binaj Gurubacharya in Kathmandu, Nepal, and researcher Yu Bing in Beijing contributed to this report.



Eagerbee backdoor targets govt entities and ISPs in the Middle East


Experts spotted new variants of the Eagerbee backdoor being used in attacks on government organizations and ISPs in the Middle East.

Kaspersky researchers reported that new variants of the Eagerbee backdoor are being used in attacks against Internet Service Providers (ISPs) and government entities in the Middle East.

Kaspersky’s analysis revealed new attack components, including a service injector for backdoor deployment and plugins for payload delivery, file/system access, and remote control.

The initial access method is still unknown, but threat actors deployed a backdoor injector, tsvipsrv.dll, and payload ntusers0.dat via the SessionEnv service.

EAGERBEE backdoor

The service injector targets the Themes service, injecting the EAGERBEE backdoor into its memory along with the stub code to decompress the malware. It decompresses and executes the backdoor via a stub, then cleans up by restoring the original handler.

The backdoor, named dllloader1x64.dll, gathers system information, including NetBIOS name, OS details, processor architecture, and IP addresses. It uses a mutex (mstoolFtip32W) to ensure a single instance and includes a time check to plan the execution within a specified weekly schedule. However, it’s configured to run 24/7 in observed cases, checking every 15 seconds if outside the allowed execution window.
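A defender can turn the artifact names reported above into a simple host-level hunt. The following is an added example, not code from Kaspersky or from the original article; the event schema, host names and file paths are constructed assumptions to be mapped onto your own EDR or Sysmon fields.

```python
import ntpath
from collections import defaultdict

# Artifact names taken from the article; matched by base name, case-insensitive.
FILE_INDICATORS = {
    "tsvipsrv.dll": "service injector",
    "ntusers0.dat": "payload file",
    "dllloader1x64.dll": "backdoor module",
}
MUTEX_INDICATOR = "mstoolftip32w"

# Constructed sample telemetry. The schema (host/kind/path/service/name) is
# hypothetical, and the paths are illustrative, not taken from the report.
SAMPLE_EVENTS = [
    {"host": "srv-01", "kind": "image_load", "service": "SessionEnv",
     "path": r"C:\Windows\System32\TSVIPSrv.dll"},
    {"host": "srv-01", "kind": "file_create",
     "path": r"C:\Users\Public\ntusers0.dat"},
    {"host": "srv-01", "kind": "mutex_create", "name": "mstoolFtip32W"},
    # Look-alike names that must not match:
    {"host": "ws-07", "kind": "file_create",
     "path": r"C:\Users\alice\NTUSER.DAT"},
    {"host": "ws-07", "kind": "image_load", "service": "Themes",
     "path": r"C:\Windows\System32\themeservice.dll"},
]

def hunt(events):
    """Return {host: sorted list of distinct findings} for indicator hits."""
    findings = defaultdict(set)
    for ev in events:
        kind = ev.get("kind")
        if kind in ("image_load", "file_create"):
            base = ntpath.basename(ev.get("path", "")).lower()
            if base in FILE_INDICATORS:
                label = f"{FILE_INDICATORS[base]} ({base})"
                if ev.get("service"):
                    label += f" via {ev['service']}"
                findings[ev["host"]].add(label)
        elif kind == "mutex_create" and ev.get("name", "").lower() == MUTEX_INDICATOR:
            findings[ev["host"]].add("single-instance mutex")
    return {host: sorted(hits) for host, hits in findings.items()}

def priority(host_findings):
    """Several independent artifacts on one host outrank a lone name match."""
    return "high" if len(host_findings) >= 2 else "review"

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, priority(hits), hits)
```

A file-name match alone is a triage lead rather than a verdict; confirm with the file's signature and hash before escalating.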

The configuration of the malware is stored in a file or hardcoded in the backdoor binary; it includes C2 server details decoded using XOR. The malicious code retrieves proxy settings from the registry, connects via proxy or directly to the C2 server, and supports SSL/TLS if configured. After establishing a TCP connection, it sends system data to the C2, which responds with the Plugin Orchestrator. The backdoor verifies the response and executes the payload without mapping it into memory.

The orchestrator injects itself, gathers additional data (domain name, memory usage, locale, time zone, process details, and plugin IDs), and reports to the C2 server. It also checks for elevated privileges and collects details on all running processes, including process IDs, thread counts, parent processes, and executable paths.

The backdoor uses plugins in the form of DLL files that export three methods using ordinals. The plugin orchestrator starts by invoking the exported method of the plugin with the ordinal number 3.

The method injects the plugin DLL into memory, initializes it via the DllMain method (ordinal 1), and then executes its functionality using the method at ordinal 2.

The orchestrator can send commands for the plugins to execute. The researchers analyzed five plugins used by the backdoor:

  1. File Manager Plugin: Handles file system operations and can modify file permissions, inject additional payloads into memory, and execute command lines.
  2. Process Manager Plugin: Manages system processes and can execute command lines or modules in the security context of specific user accounts.
  3. Remote Access Manager Plugin: Facilitates remote access by enabling RDP sessions; it can also inject command shells into legitimate processes for stealth.
  4. Service Manager Plugin: Controls system services.
  5. Network Manager Plugin: Monitors and lists active network connections.

“EAGERBEE was deployed in several organizations in East Asia. Two of these organizations were breached via the infamous ProxyLogon vulnerability (CVE-2021-26855) in Exchange servers, after which malicious webshells were uploaded and utilized to execute commands on the breached servers,” concludes the report. “Because of the consistent creation of services on the same day via the same webshell to execute the EAGERBEE backdoor and the CoughingDown Core Module, and the C2 domain overlap between the EAGERBEE backdoor and the CoughingDown Core Module, we assess with medium confidence that the EAGERBEE backdoor is related to the CoughingDown threat group.”


Pierluigi Paganini

(SecurityAffairs – hacking, Eagerbee backdoor)



NPR News: 01-07-2025 1AM EST
