Anhey Menagerie

The Anhey/Cuteqq Exploit Kit began in 2007 and became popular in China in 2008.  The 2010, the kits was associated the DNF666 Mass SQL Injections.  No new releases have been identify since mid-2010 and the Cuteqq.cn and Anhey.com Web sites associated with the kit are no longer active.

Val Smith, Anthony Lai and Colin Ames’ white paper “Balancing the Pwn Trade Deficit” , and Armorize Technologies’ blog post, “Solving the puzzle: mass SQL injection+0day flash drive-by download attacks robint.us and 2677.in” provide thorough descriptions of the Anhey/Cuteqq Exploit Kit. The two sources use the following screen captures of the Anhey Exploit Kit and Cuteqq.cn web site in their reports:

anhey2010Pro5cuteqqcn

There are handful of Anhey kits, however, that were not covered by the reports or listed on the Cuteqq.cn screen capture shown above.  Since I have collected a small menagerie of these kits, I thought that I would share it here in hopes that others might find it interesting or useful. This is not an exhaustive collection of Anhey Exploit Kits – it is only what I could hobble together by scratching and pecking at hacker sites.  Please forgive the obvious omissions in my descriptions of the screen captures.  I do not know Chinese.

My collection begins in 2007 with Cuteqq.cn products released before the Anhey Exploit Kit was established. One image references Cuteqq.cn and features the name “Game Idea” over an X-box game controller with a superimposed image of a spider.  The name of the application, however, was “终极网马生成器6 Beta 1″, or “Ultimate Network Trojan Code Generator 6 Beta 1″.  The original image file included the date string 20070624. The second image shows the Ultimate Network Trojan Code Generator 6 Beta 3.   This image had a file date of 20070703.  Searches for 终极网马生成器6 indicate there is Beta 4 versions as well.

20070624121030544 20070703113924310

A download of the Ultimate Network Trojan Code Generator 6 Beta 6 SP 2 had a modification date of 20070731 and included references to the Cuteqq.cn site.  The properties for the executable listed the Foreign Land Team (FLT) as the company producing the software.  Some of the variable and function names in the code generated by this kit include CUTEQQ, CUTEQQCN, CUTEQQVIP, WWWCUTEQQCN, and QQ784378237 – all hallmarks of Anhey-generated code.  A person using the name Chilam may have been one of the contributors of to the code.

cuteqq-Ult6bSp2 cuteqq-Ult6bSp2Properties

The next Cuteqq.cn kit I encountered had a date string of 20070913 in the file name.  The faint watermarks behind the graphically displayed product name look similar to the watermarks in 20070731 Ultimate Network Trojan kit.  The name, however changed to “暗黑網馬” which translates to ”Diablo Network Trojan”.  The characters are pronounced “Ànhēi wǎng mǎ”.   The authors of the code frequently write the name as ANHEY WANGMA, ANHEY  or AH.

The Anhey name changed again in a kit released in January 2008.  The graphic display featured a caricatures of the Devil to the left of the new names “暗黑工作組” and “黑客X档案”.  The first name translated to “Diablo Working Group” and the second name translated to “Hacker X Files”.  A 20080116 Chinese-language post by a blogger named LZHacker explains that the new exploit kit was the result of collaboration between the Hacker X Files Group at  bbs.hackerxfiles.net and the Diablo Working Group at www.cuteqq.cn.  The machine translation and original text of the post are available here.

20070913150758242 20086271011392529

Another noteworthy feature of the January 2008 Anhey Exploit Kit are the English words “The more you learn, the more you know, The more you know, the more you forget The more you forget, the less you know. So why bother to learn.”  The authors appear to have a good command of English in addition to Chinese.

By 20080601 Version 2 of the Anhey Exploit Kit was available.  This version retained the overall appearance of the 20080101 kit expect the references to the Hacker X-Files Group was removed and the graphics were displayed against a more textured orange background.  The textured background can probably be attributed to the use of the Skin++ graphics library (SkinPPWLT.dll) included with all of the recent editions of the Anhey Exploit Kit.  In addition to the Version 2 release, the group release a Version 2.74 and Version 2.76 most likely between June and October of 2008.

anhey_2 anhey2_74 anhey2_76

The XiaoLin Security Team described the Diablo (Anhey) Network Trojan VIP 2008 Standard Version 3.0 in an article dated 20080430.  The article read like a product brochure, included a pricing schedule and explained the benefits of a premium subscription.  At the time, the official version of the kit was the 2008 VIP 2.0.  The VIP 2008 Version 3 was released as a R&D beta.  The R&D release included exploits that were not included in previous editions or latter editions of the kit.  Taken together, the exploits offered in this special release seem to match the exploits used in the 2008 SQL Injections attacks that resulted in the United Nations service malware.  The style of the user interface in the R&D release shown below would not become the product’s standard interface until late 2009.

042901

The appearance of the kits change again with the new Anhey/Cuteqq Diablo Exploit Kit Version 1.0.  The caricature of the Devil was replaced with a blue and silver globe and the fiery orange background was replaced by blue and pink pastels.  The name Diablo Working Group, however, remained unchanged.  The name of the executable file was EvilCute.exe.  The string EVILCUTE is also frequently found in the code generated by Anhey kits.  A 2009 version 1.1 was created on 20090410 and a 2009 version 2.4 was created on 20090926.  Finally, a 2009 version 4.0 was created on 20091030.  The executable file for the version 4 kit was named AH2009.exe.  Visually, this version had more in common with the 2008 R&D Beta than with the previous three 2009 kits.

Anhey2008v1 Anhey2009v1_1

anhey2009v2_4anhey2009v4

The final Anhey kits were released sometime in mid-2010 and were described in detail in Val Smith’s white paper.  The appearance of the kit changed once again but was still enabled by Skin++.  Interestingly, the references to Cuteqq.cn were changed to Anhey.com.  The IP address and domain registration information for Anhey.com was the same as the IP address and domain registration information for Cuteqq.cn.  Both domains are no longer active.

anhey2010ProE5In conclusion, the Anhey or Diablo Network Trojan Exploit Kit appeared to have evolved from the Cuteqq.cn Ultimate Network Trojan Code Generator 6 during the second half of 2007.  One of the original contributors may have used the name CHILAM.  One of these early kits referenced a company called the Foreign Land Team (F.L.T.).  The first actual Anhey kit was released in January of 2008.  It was created and promoted as a joint effort between the Anhey Working Group and the well-known Hacker X-Files Group, as described by an individual called LZHacker.  By mid-2008, the appearance of the product user interface was enhanced by through the use a third party application called Skin++.  All subsequent released included Skin++ (SkinPPWLT.dll).  In 2010, the domain name Cuteqq.cn was swapped for Anhey.com.  The last known release of an Anhey Exploit Kit was in June of 2010.  The kits are still available for download on Chinese language hacker sites and often offered in conjunction with tutorial and training courses.

My collection of Anhey Exploit Kit screen captures is available here for download.

References:

Balancing the Pwn Trade Deficit

Solving the puzzle: mass SQL injection+0day flash drive-by download attacks robint.us and 2677.in

XiaoLin Security Team 2008-4-30

The United Nations Serving Malware

 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>