half year report of internet black ash production tool software 2018

Posted by punzalan at 2020-02-26

The copyright of this report belongs to threat Hunter (Shenzhen Yong'an Online Technology Co., Ltd.) and is protected by law. If you reprint, excerpt or use the text or opinions of this report in other ways, you should indicate "source: threat Hunter (Shenzhen Yong'an Online Technology Co., Ltd."). Those who violate the above statements will be prosecuted for their relevant legal liabilities.

1、 Analysis on the software characteristics of black ash production tools

1.1 deep integration with industrial chain

1.2 very strong version fast iteration ability

1.3 significant profit seeking trend

1.4 wandering in the gray area on the edge of law

1.5 black eating is very common

2、 Evolving methods and means

2.1 from simulation script to multiple development languages

2.2 support from PC end to multi end

2.3 from terminal to cloud

2.4 from mechanical execution to machine learning

3、 Active black ash production tools in business security

3.1 account tool software

3.2 software tools and software for brush metering and single brush

3.3 tools software for collecting wool

3.4 content crawling tool software

3.5 specific functional tool software

4、 Analysis of typical tool software for black ash production

4.1 mobile registration machine of station B 3.0

4.2 tools for robbing red envelopes

4.3 58 full time VIP posting software

Five, summary

Introduction: the wannacry blackmail virus that broke out in May 2017 has caused a serious impact, making the NSA weapon base into the public's vision; in the invisible battlefield of network security, in another corner of the battlefield - the Internet business security field, the black ash practitioners also hold powerful weapon bases: a variety of tools and software, and not for people Well-known. If mobile phone number, account number, IP, equipment, etc. are the ammunition of black industry practitioners, then the tool software is the weapon to maximize the power of these ammunition. The analysis and research of tool software is an important part of black production research.


Analysis on the characteristics of black ash tool software

We have systematically combed and analyzed the black ash production tool software captured in the past half year, and found that at present, the black ash production tool software has some obvious features as follows. A deep understanding of these features will help us to have a more accurate control and judgment of the development of the black ash industry.

One point one

One point two

One point three

One point four

One point five


Evolving methods and means

According to the statistics of th karma business intelligence monitoring platform of threat hunter, more than 1000 kinds of black and gray production tools and software, including software updates, are newly generated on the Internet every day. With the development of Internet technology and it technology, these tools and software are also developing and evolving.

Two point one

Two point two

With the rapid development of mobile Internet in recent years, it has shaped a new service experience and life style. The products, services and users of the Internet have also migrated from the PC side to the mobile side. For the employees of black and gray industry, the tools and software they use have developed from PC to mobile. From the current hottest short video industry, we have captured a large number of black and gray production tools and software in the past few months, and the number of mobile terminals has far exceeded that of PC terminals, as shown in the following figure:

Compared with the PC tool software, the mobile tool software can achieve lower confrontation cost through plug-in. After our analysis, there are a large number of black ash production tools based on the Android version of key Genie and the Android version of e-android in the captured short video industry, covering the core business scenarios of black ash production such as registration, brush volume and drainage, as shown in the following figure:

Figure 1

Two point three

Figure 2

Two point four

Figure 3.1

Figure 3.2


Active black ash production tools in business security

According to the information analysis of the tool software of black ash production captured by us, the currently active tool software can be roughly divided into five categories according to business functions: account type, brush volume type, fleece collection type, content crawling type and specific function type. The number of tools of each type is as shown in the figure below:

Figure 3-1 proportion of tool function types

In the business security confrontation, the brush volume and brush order are the most commonly used attack tools for black ash production, and also the most active ones, such as the number of articles read, videos played, fans and orders. Such attacks are mainly reflected in the self media industry, electricity business and video industry. In addition, account type, fleece type and content crawling type tools are also active in the business security confrontation between black ash producers and manufacturers. Special function tools mainly include simulator, multi switch, machine change and second dial.

Three point one

Fig. 3-1-1 number scanning software for registration of Buffalo

Nowadays, the development of the black and gray industry chain with account as the core has a certain scale in various industries, especially in the business scenarios where large-scale account brushing is required, including false registration, real name face crossing, batch number maintenance and brushing, etc. In addition to the obvious damage to the manufacturer's business, the false small size brings potential harm. For example, the spread of pornography, as well as being used in the scene of diversion fraud, has brought bad public opinion effects to manufacturers. The following table shows some of the more active account tool software that we have monitored recently:

Table 3-1-1 active account tools

Three point two

Figure 3-2-1 long time Kwai brush broadcast

The following table shows some of the more active brush metering and single tool software that we have recently monitored:

Table 3-2-1 active brushing tools

Three point three

Figure 3-2-2 Wally grabs red envelopes

The following table shows some of the more active tools we have monitored recently:

Table 3-2-3 active tools for collecting wool

Three point four

Content crawling tool software mainly collects e-commerce data, short video user works, recruitment website resumes and self-Media articles through crawler program. Recently, we found that there are many tools and software to crawl the data of pinduoduo, such as product information, store information, and group information. Taking "pinduoduo Wizard" as an example, the tool software crawls pinduoduo data by requesting the interface under, providing functions such as group opening reminder, keyword ranking, category ranking, export order, logistics monitoring, refund reminder, competitor monitoring, etc

Figure 3-2-3 screenshot 1 of pinduoduo spirit

Figure 3-2-4 screenshot 2 of pinduoduo spirit

The profit-making methods of content crawling tool software include:

Using the collected pinduoduo data, provide data analysis services and store management services to make profits, including keyword ranking, commodity ranking, group opening monitoring, one key order, one key delivery and multiple store management, etc;

When stores use these tools, it is likely to lead to the leakage of order data. Black ash production can make profits by selling the data or using the data for marketing and fraud.

The following table is the more active content crawling tool software that we have monitored recently:

Table 3-2-4 content crawling tool software

Three point five

Fig. 3-5-1 Fig. 3-5-2

Although the specific function tool software does not participate in the direct profit-making, the function provided can help the black ash industry to better grab the benefits. For example, the machine change tool, in addition to the above mentioned drainage scenario, is also very important in the account registration scenario, which can achieve the effect of multiple reuse of a device. The following table is the more active specific functional tool software that we have recently monitored:

Table 3-5 active specific functional tools


Analysis of typical tool software for black ash production

In the past half year, we have done a lot of research and Analysis on the tool software of black ash production, including in-depth functional verification, dynamic debugging and principle analysis for some of them. We select several typical software tools to further expose their functions and principles.

Four point one

Figure 4-1-1 operation interface of mobile phone registration machine in station B

The program will log in to the access platform:

Receive the SMS verification code, and then call the registration interface of station B:

And verification code issuing interface:

Extract the verification code as follows:

The tool then uses the built-in deep learning framework Caffe to identify the captcha.

The process of identifying the verification code will read the three files required by the Caffe framework of the local built-in deep learning framework:


The code of deploy.prototype is as follows:

Figure 4-1-2 screenshot of deploy.prototype code

After the image verification code is recognized successfully, the account registration is completed.

The highlight of this tool is that it uses the image recognition ability of deep learning, and the accuracy of this image recognition is over 99%. The average time to complete an account registration is about 10 seconds. In the past, most of such registration tools will be connected to a coding platform or built-in a verification code identification library for the target website, which is much lower in recognition accuracy or registration efficiency than in-depth learning image recognition.

Figure 4-1-3 deep learning applied to verification code identification

Four point two

This is a red packet robbing tool software for Momo captured in July, which is based on the Android version of key sprite. Through the customized recording of the operation of the mobile screen and the number of repetitions and other information, the simulation operation of the mobile phone is carried out according to a certain mode, so as to achieve the function of robbing the red packet. The operation of the tool is shown in the following figure:

Figure 4-2-1 operation interface of the tool

The black and gray production personnel only need to write the relevant logic script on the Android version of the key wizard to simulate the user's operation to achieve the functions they want. The operation interface of the Android version of the key wizard is as follows:

Figure 4-2-2 Android operation interface of key Wizard

After you click record, you can manually operate the function you want to operate once, and then the software will record the coordinate track of user operation, as shown in the following figure:

Figure 4-2-3 Android operation interface of key Wizard

During the analysis, we found that the red packet grabbing tool has built-in resources needed by the tool, including identifying the images when red packets appear, as shown in the following figure:

Figure 4-2-4 the built-in picture resources of the tool

The software runs in the background, by finding the coordinates of the whole mobile screen to meet the above screenshot image, and then simulate the user to click on the operation, so as to achieve the purpose of robbing red packets.

Four point three

Figure 4-3-1 operation interface of 58 full time VIP posting software

There will be many settings related to posting on the interface. These settings are extracted by the black and gray production personnel after analyzing the 58 posting interface. Some variable values that the user needs to operate (including some parameters required by the posting interface such as province, city, street, post title, post position, etc.). The following is the interface information captured by the VIP user's recruitment post:

Figure 4-3-2 captured interface information

The following is the content of the interface that requires post (since the data is encoded in URLEncode mode, the plaintext data before encoding is displayed for easy reading):

Figure 4-3-3 data content of post (before coding)

We can see that most of the above content is the information filled in by users. As long as the same formal data is constructed according to the interface format of posting, the post can be successfully issued.

We can see from the relevant parameters required by this interface that there are a lot of parameters required for the 58vip posting interface, which requires the black ash production personnel to have a strong ability to analyze the protocol interface, which parameters are necessary, which parameters are optional, which parameters must be detected by the risk control system, and whether the parameter values are encrypted. If it is encrypted, the black and gray production personnel need to crack the encryption algorithm, and then calculate the new parameter value to bypass the detection of the risk control system. In addition to the above posting interface, the form of other interface calls is similar to the above.


Concluding remarks

The tool software of black ash production is the inevitable product of the development of the network black ash industry. The black ash industry will develop with the development of the Internet, and its tool software will also develop with the development of the black ash industry. Based on this, we put forward the following views, hoping to cause resonance in the industry, and discuss and think with you.

From the perspective of black production, build a comprehensive monitoring and rapid response capability of black ash production tool software. Through the long-term follow-up of the black ash industry, we have a deeper understanding and cognition of the transmission chain and path of the black ash production tools. We can capture the active black ash production tools in the network at the first time, and analyze their hazards and principles at the first time. We hope to help more manufacturers to build this capability through cooperation.

Establish fingerprint database of black and gray production tools software to enhance the identification ability of risk equipment. The traditional fingerprint scheme of equipment is not ideal because of fierce confrontation; on the other hand, risk equipment often install a variety of black ash production tool software, which can effectively identify risk equipment by extracting the characteristics of these black ash production tool software as fingerprint.

Establish the information sharing of the industry's black gray tool software to maximize the value of information. According to our observation, the author, communication channel, and user of the tool software intersect. Taking e-commerce flash buying as an example, when we follow up on the flash buying tool for Taobao, we find that many users of the tool will also use the flash buying tools of JD, Suning, vipshop, Huawei and other shopping malls at the same time, so as to maximize the benefits. That is to say, the fingerprint database of black ash production tool software mentioned in our second point can be shared by the industry, and we have been committed to solving the problem of "data island" of black ash production information, including tool software information.

Write at the end:

If the production of black ash represents the night, then we can have a bright future only if we continue to explore and move forward in the night.

Click "read original" below to download the original report A kind of  

Extraction code: w7nv

Article recommendation


Threat Hunter | Research Report on black ash production of short video industry in the first half of 2018


Threat Hunter | report on the compliance status of domestic public cloud assets in the first half of 2018


Threat Hunter | change machine tool application in black ash production


Threat Hunter: 2017 China Internet black production report


Threat hunters join hands with freebuf to release the report of "short video black gray industry"