Chinese Actor SecShow Conducts Massive DNS Probing on Global Scale

Cybersecurity researchers have shed more light on a Chinese actor codenamed SecShow that has been observed conducting Domain Name System (DNS) on a global scale since at least June 2023.

The adversary, according to Infoblox security researchers Dr. Renée Burton and Dave Mitchell, operates from the China Education and Research Network (CERNET), a project funded by the Chinese government.

“These probes seek to find and measure DNS responses at open resolvers,” they said in a report published last week. “The end goal of the SecShow operations is unknown, but the information that is gathered can be used for malicious activities and is only for the benefit of the actor.”

That said, there is some evidence to suggest that it may have been linked to some kind of academic research related to “performing measurements using IP Address Spoofing Techniques on domains within secshow.net” modeled on the same approach as the Closed Resolver Project.

This, however, raises more questions than it answers – including when it comes to the full scope of the project, the purpose behind gathering the data, the choice of a generic Gmail address to collect feedback, and the overall lack of transparency.

Open resolvers refer to DNS servers that are capable of accepting and resolving domain names recursively for any party on the internet, making them ripe for exploitation by bad actors to initiate distributed denial-of-service (DDoS) attacks such as a DNS amplification attack.

At the heart of the probes is the use of CERNET nameservers to identify open DNS resolvers and calculate DNS responses. This entails sending a DNS query from an as-yet-undetermined origin to an open resolver, causing the SecShow-controlled nameserver to return a random IP address.

In an interesting twist, these nameservers are configured to return a new random IP address each time when the query is made from a different open resolver, a behavior that triggers an amplification of queries by the Palo Alto Cortex Xpanse product.

“Cortex Xpanse treats the domain name in the DNS query as a URL and attempts to retrieve content from the random IP address for that domain name,” the researchers explained. “Firewalls, including Palo Alto and Check Point, as well as other security devices, perform URL filtering when they receive the request from Cortex Xpanse.”

This filtering step initiates a new DNS query for the domain that causes the nameserver to return a different random IP address, which, in turn, causes Cortex Xpanse to repeat the process again, effectively turning a single SecShow query into an endless cycle of queries across networks.

It’s important to note that some aspects of these scanning activities were previously disclosed by Dataplane.org and Unit 42 researchers over the past two months. The SecShow nameservers are no longer responsive as of mid-May 2024, although Burton said that they have observed the actor take up and down infrastructure.

“At this time, there is little to no known impact on any customer networks due to Xpanse working as intended, beyond a minimal increase in DNS resolution activity to determine whether the domain in question is malicious,” Palo Alto Networks told The Hacker News when reached for a comment.

“Xpanse has the capability to exclude specific domains and as new C2’s are identified, Xpanse no longer scans them. We will continue to carefully monitor and add to the block list relevant domains as identified by researchers.”

SecShow is the second China-linked threat actor after Muddling Meerkat to perform large-scale DNS probing activities on the internet.

“Muddling Meerkat queries are designed to mix into global DNS traffic and [have] remained unnoticed for over four years, while Secshow queries are transparent encodings of IP addresses and measurement information,” the researchers said.

Rebirth Botnet Offers DDoS Services

The development comes as a financially motivated threat actor has been found advertising a new botnet service called Rebirth to help facilitate DDoS attacks.

The DDoS-as-a-Service (DaaS) botnet is “based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io),” the Sysdig Threat Research Team said in a recent analysis.

The cybersecurity firm said Rebirth (aka Vulcan) is primarily focused on the video gaming community, renting out the botnet to other actors at various price points to target game servers for financial gain. The earliest evidence of the botnet’s use in the wild dates to 2019.

The cheapest plan, dubbed Rebirth Basic, costs $15, whereas the Premium, Advanced, and Diamond tiers cost $47, $55, and $73 respectively. There is also a Rebirth API ACCESS plan that’s sold for $53.

The Rebirth malware supports functionality to launch DDoS attacks over TCP and UDP protocols, such as TCP ACK flood, TCP SYN flood, and UDP flood.

This is not the first time game servers have been targeted by DDoS botnets. In December 2022, Microsoft disclosed details of another botnet named MCCrash that’s designed to target private Minecraft servers.

Then in May 2023, Akamai detailed a DDoS-for-hire botnet known as Dark Frost that has been observed launching DDoS attacks on gaming companies, game server hosting providers, online streamers, and even other gaming community members.

“With a botnet such as Rebirth, an individual is able to DDoS the game server or other players in a live game, either causing games to glitch and slow down or other players’ connections to lag or crash,” Sysdig said.

“This may be financially motivated for users of streaming services such as Twitch, whose business model relies on a streaming player gaining followers; this essentially provides a form of income through the monetization of a broken game.”

The California-based company postulated that prospective customers of Rebirth could also be using it to carry out DDoS trolling (aka stresser trolling), wherein attacks are launched against gaming servers to disrupt the experience for legitimate players.

Attack chains distributing the malware involve the exploitation of known security flaws (e.g., CVE-2023-25717) to deploy a bash script that takes care of downloading and executing the DDoS botnet malware depending on the processor architecture.

The Telegram channel associated with Rebirth has since been erased to remove all old posts, with a message posted on May 30, 2024, saying “Soon we back [sic].” Nearly three hours later, they advertised a bulletproof hosting service called “bulletproof-hosting[.]xyz.”

(The story was updated after publication to include responses from Infoblox and Palo Alto Networks.)

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.