kbandla / APTnotes

Various public documents, whitepapers and articles about APT campaigns

Threat Group-3390 / Emissary Panda #178

Closed chrisddom closed 8 years ago

chrisddom commented 9 years ago

http://www.secureworks.com/cyber-threat-intelligence/threats/threat-group-3390-targets-organizations-for-cyberespionage/

Also related is p19/20 of http://www.crowdstrike.com/wp-content/uploads/cs_downloads/CrowdStrike_2013_Global_Threat_Intel_Report.pdf

Indicators:

| Indicator | Type | Context | Confidence |
|---|---|---|---|
| american[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| api[.]apigmail[.]com | Domain name | TG-3390 infrastructure | High |
| apigmail[.]com | Domain name | TG-3390 infrastructure | High |
| backup[.]darkhero[.]org | Domain name | TG-3390 infrastructure | High |
| bel[.]updatawindows[.]com | Domain name | TG-3390 infrastructure | High |
| binary[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| castle[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| ctcb[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| darkhero[.]org | Domain name | TG-3390 infrastructure | High |
| dav[.]local-test[.]com | Domain name | TG-3390 infrastructure | High |
| test[.]local-test[.]com | Domain name | TG-3390 infrastructure | High |
| dev[.]local-test[.]com | Domain name | TG-3390 infrastructure | High |
| ocean[.]local-test[.]com | Domain name | TG-3390 infrastructure | High |
| ga[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| helpdesk[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| helpdesk[.]csc-na[.]com | Domain name | TG-3390 infrastructure | High |
| helpdesk[.]hotmail-onlines[.]com | Domain name | TG-3390 infrastructure | High |
| helpdesk[.]lnip[.]org | Domain name | TG-3390 infrastructure | High |
| hotmail-onlines[.]com | Domain name | TG-3390 infrastructure | High |
| jobs[.]hotmail-onlines[.]com | Domain name | TG-3390 infrastructure | High |
| justufogame[.]com | Domain name | TG-3390 infrastructure | High |
| lnip[.]org | Domain name | TG-3390 infrastructure | High |
| local-test[.]com | Domain name | TG-3390 infrastructure | High |
| login[.]hansoftupdate[.]com | Domain name | TG-3390 infrastructure | High |
| long[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| longlong[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| longshadow[.]dyndns[.]org | Domain name | TG-3390 infrastructure | High |
| longshadow[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| longykcai[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| lostself[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| mac[.]navydocument[.]com | Domain name | TG-3390 infrastructure | High |
| mail[.]csc-na[.]com | Domain name | TG-3390 infrastructure | High |
| mantech[.]updatawindows[.]com | Domain name | TG-3390 infrastructure | High |
| micr0soft[.]org | Domain name | TG-3390 infrastructure | High |
| microsoft-outlook[.]org | Domain name | TG-3390 infrastructure | High |
| mtc[.]navydocument[.]com | Domain name | TG-3390 infrastructure | High |
| navydocument[.]com | Domain name | TG-3390 infrastructure | High |
| mtc[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| news[.]hotmail-onlines[.]com | Domain name | TG-3390 infrastructure | High |
| oac[.]3322[.]org | Domain name | TG-3390 infrastructure | High |
| ocean[.]apigmail[.]com | Domain name | TG-3390 infrastructure | High |
| pchomeserver[.]com | Domain name | TG-3390 infrastructure | High |
| registre[.]organiccrap[.]com | Domain name | TG-3390 infrastructure | High |
| security[.]pomsys[.]org | Domain name | TG-3390 infrastructure | High |
| services[.]darkhero[.]org | Domain name | TG-3390 infrastructure | High |
| sgl[.]updatawindows[.]com | Domain name | TG-3390 infrastructure | High |
| shadow[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| sonoco[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| test[.]logmastre[.]com | Domain name | TG-3390 infrastructure | High |
| up[.]gtalklite[.]com | Domain name | TG-3390 infrastructure | High |
| updatawindows[.]com | Domain name | TG-3390 infrastructure | High |
| update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| update[.]deepsoftupdate[.]com | Domain name | TG-3390 infrastructure | High |
| update[.]hancominc[.]com | Domain name | TG-3390 infrastructure | High |
| update[.]micr0soft[.]org | Domain name | TG-3390 infrastructure | High |
| update[.]pchomeserver[.]com | Domain name | TG-3390 infrastructure | High |
| urs[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| wang[.]darkhero[.]org | Domain name | TG-3390 infrastructure | High |
| webs[.]local-test[.]com | Domain name | TG-3390 infrastructure | High |
| word[.]apigmail[.]com | Domain name | TG-3390 infrastructure | High |
| wordpress[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| working[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| working[.]darkhero[.]org | Domain name | TG-3390 infrastructure | High |
| working[.]hotmail-onlines[.]com | Domain name | TG-3390 infrastructure | High |
| www[.]trendmicro-update[.]org | Domain name | TG-3390 infrastructure | High |
| www[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| x[.]apigmail[.]com | Domain name | TG-3390 infrastructure | High |
| ykcai[.]update-onlines[.]org | Domain name | TG-3390 infrastructure | High |
| ykcailostself[.]dyndns-free[.]com | Domain name | TG-3390 infrastructure | High |
| ykcainobody[.]dyndns[.]org | Domain name | TG-3390 infrastructure | High |
| zj[.]blackcmd[.]com | Domain name | TG-3390 infrastructure | High |
| laxness-lab[.]com | Domain name | TG-3390 infrastructure | High |
| google-ana1ytics[.]com | Domain name | TG-3390 infrastructure | High |
| www[.]google-ana1ytics[.]com | Domain name | TG-3390 infrastructure | High |
| ftp[.]google-ana1ytics[.]com | Domain name | TG-3390 infrastructure | High |
| hotmailcontact[.]net | Domain name | TG-3390 infrastructure | High |
| 208[.]115[.]242[.]36 | IP address | TG-3390 infrastructure | High |
| 208[.]115[.]242[.]37 | IP address | TG-3390 infrastructure | High |
| 208[.]115[.]242[.]38 | IP address | TG-3390 infrastructure | High |
| 66[.]63[.]178[.]142 | IP address | TG-3390 infrastructure | High |
| 72[.]11[.]148[.]220 | IP address | TG-3390 infrastructure | High |
| 72[.]11[.]141[.]133 | IP address | TG-3390 infrastructure | High |
| 74[.]63[.]195[.]236 | IP address | TG-3390 infrastructure | High |
| 74[.]63[.]195[.]236 | IP address | TG-3390 infrastructure | High |
| 74[.]63[.]195[.]237 | IP address | TG-3390 infrastructure | High |
| 74[.]63[.]195[.]238 | IP address | TG-3390 infrastructure | High |
| 103[.]24[.]0[.]142 | IP address | TG-3390 infrastructure | High |
| 103[.]24[.]1[.]54 | IP address | TG-3390 infrastructure | High |
| 106[.]187[.]45[.]162 | IP address | TG-3390 infrastructure | High |
| 192[.]151[.]236[.]138 | IP address | TG-3390 infrastructure | High |
| 192[.]161[.]61[.]19 | IP address | TG-3390 infrastructure | High |
| 192[.]161[.]61[.]20 | IP address | TG-3390 infrastructure | High |
| 192[.]161[.]61[.]22 | IP address | TG-3390 infrastructure | High |
| 103[.]24[.]1[.]54 | IP address | TG-3390 infrastructure | High |
| 67[.]215[.]232[.]179 | IP address | TG-3390 infrastructure | High |
| 96[.]44[.]177[.]195 | IP address | TG-3390 infrastructure | High |
| 49[.]143[.]192[.]221 | IP address | TG-3390 infrastructure | Moderate |
| 67[.]215[.]232[.]181 | IP address | TG-3390 infrastructure | Moderate |
| 67[.]215[.]232[.]182 | IP address | TG-3390 infrastructure | Moderate |
| 96[.]44[.]182[.]243 | IP address | TG-3390 infrastructure | Moderate |
| 96[.]44[.]182[.]245 | IP address | TG-3390 infrastructure | Moderate |
| 96[.]44[.]182[.]246 | IP address | TG-3390 infrastructure | Moderate |
| 49[.]143[.]205[.]30 | IP address | TG-3390 infrastructure | Moderate |
| working_success@163[.]com | Email address | TG-3390 email address | High |
| ykcaihyl@163[.]com | Email address | TG-3390 email address | High |
| working_success@163[.]com | Email address | TG-3390 email address | High |
| yuming@yinsibaohu[.]aliyun[.]com | Email address | TG-3390 email address | Low |
| 1cb4b74e9d030afbb18accf6ee2bfca1 | MD5 hash | HttpBrowser RAT dropper | |
| b333b5d541a0488f4e710ae97c46d9c2 | MD5 hash | HttpBrowser RAT dropper | |
| 86a05dcffe87caf7099dda44d9ec6b48 | MD5 hash | HttpBrowser RAT dropper | |
| 93e40da0bd78bebe5e1b98c6324e9b5b | MD5 hash | HttpBrowser RAT dropper | |
| f43d9c3e17e8480a36a62ef869212419 | MD5 hash | HttpBrowser RAT dropper | |
| 57e85fc30502a925ffed16082718ec6c | MD5 hash | HttpBrowser RAT dropper | |
| 4251aaf38a485b08d5562c6066370f09 | MD5 hash | HttpBrowser RAT dropper | |
| bbfd1e703f55ce779b536b5646a0cdc1 | MD5 hash | HttpBrowser RAT dropper | |
| 12a522cb96700c82dc964197adb57ddf | MD5 hash | HttpBrowser RAT dropper | |
| 728e5700a401498d91fb83159beec834 | MD5 hash | HttpBrowser RAT dropper | |
| 2bec1860499aae1dbcc92f48b276f998 | MD5 hash | HttpBrowser RAT dropper | |
| 014122d7851fa8bf4070a8fc2acd5dc5 | MD5 hash | HttpBrowser RAT | |
| 0ae996b31a2c3ed3f0bc14c7a96bea38 | MD5 hash | HttpBrowser RAT | |
| 1a76681986f99b216d5c0f17ccff2a12 | MD5 hash | HttpBrowser RAT | |
| 380c02b1fd93eb22028862117a2f19e3 | MD5 hash | HttpBrowser RAT | |
| 40a9a22da928cbb70df48d5a3106d887 | MD5 hash | HttpBrowser RAT | |
| 46cf2f9b4a4c35b62a32f28ac847c575 | MD5 hash | HttpBrowser RAT | |
| 5436c3469cb1d87ea404e8989b28758d | MD5 hash | HttpBrowser RAT | |
| 692cecc94ac440ec673dc69f37bc0409 | MD5 hash | HttpBrowser RAT | |
| 6a39a4e9933407aef31fdc3dfa2a2a95 | MD5 hash | HttpBrowser RAT | |
| 8b4ed3b392ee5da139c16b8bca38ea5e | MD5 hash | HttpBrowser RAT | |
| 8ea5d8bb6b28191e4436456c35477e39 | MD5 hash | HttpBrowser RAT | |
| 9271bcfbba056c8f80c7f04d72efd62d | MD5 hash | HttpBrowser RAT | |
| 996843b55a7c5c7a36e8c6956e599610 | MD5 hash | HttpBrowser RAT | |
| a554efc889714c70e9362bdc81fadd6a | MD5 hash | HttpBrowser RAT | |
| c9c93c2d62a084031872aab96202ee3e | MD5 hash | HttpBrowser RAT | |
| ddbdf0efdf26e0c267ef6155edb0e6b8 | MD5 hash | HttpBrowser RAT | |
| e7df18a17d8e7c2ed541a57020444068 | MD5 hash | HttpBrowser RAT | |
| ea4dcafc224f604c096032dde33a1d6d | MD5 hash | HttpBrowser RAT | |
| f658bb17d69912404f34532901edad0e | MD5 hash | HttpBrowser RAT | |
| f869a1b40f6438dfdd89e73480103211 | MD5 hash | HttpBrowser RAT | |
| 81ed752590752016cb1c12f3e9ab3454 | MD5 hash | HttpBrowser RAT | |
| 5ef719f8aeb9bf97beb24a5c2ed19173 | MD5 hash | HttpBrowser RAT | |
| 7ec91768376324be2bad4fd30b1c2051 | MD5 hash | HttpBrowser RAT | |
| 20c446ad2d7d1586138b493ecddfbbc7 | MD5 hash | HttpBrowser RAT | |
| 44cf0793e05ba843dd53bbc7020e0f1c | MD5 hash | HttpBrowser RAT | |
| 02826bb6636337963cc5162e6f87745e | MD5 hash | HttpBrowser RAT | |
| 1606ab7a54735af654ee6deb7427f652 | MD5 hash | HttpBrowser RAT | |
| 1539b3a5921203f0e2b6c05d692ffa27 | MD5 hash | HttpBrowser RAT | |
| c66e09429ad6669321e5c69b1d78c082 | MD5 hash | HttpBrowser RAT | |
| 225e10e362eeee15ec64246ac021f4d6 | MD5 hash | HttpBrowser RAT | |
| a631fc7c45cbdf80992b9d730df0ff51 | MD5 hash | HttpBrowser RAT | |
| af785b4df71da0786bcae233e55cf6c1 | MD5 hash | HttpBrowser RAT | |
| e3e0f3ad4ff3b981b513cc66b37583e8 | MD5 hash | HttpBrowser RAT | |
| 5cd0e97a1f09001af5213462aa3f7eb1 | MD5 hash | HttpBrowser RAT | |
| 15fd9c04d6099273a9acf8feab81acfe | MD5 hash | HttpBrowser RAT | |
| ea8b9e0bf95fc0c71694310cb685cd3b | MD5 hash | HttpBrowser RAT | |
| 5c3ab475be110ec59257617ee1388e01 | MD5 hash | HttpBrowser RAT | |
| 6aac7417ea1eb60a869597af9049b8fa | MD5 hash | HttpBrowser RAT | |
| 372f5370085a63f5b660fab635ce6cd7 | MD5 hash | HttpBrowser RAT | |
| fac4885324cb67bd421d6250fdc9533c | MD5 hash | HttpBrowser RAT | |
| e7e555615a07040bb5dbe9ce59ac5d11 | MD5 hash | HttpBrowser RAT | |
| ff34cb1d90d76a656546293e879afe22 | MD5 hash | HttpBrowser RAT | |
| 2abf7421c34c60d48e09325a206e720e | MD5 hash | HttpBrowser RAT | |
| 396b4317db07cc8a2480786160b33044 | MD5 hash | HttpBrowser RAT | |
| e404873d3fcd0268db10657b53bdab64 | MD5 hash | HttpBrowser RAT | |
| 6e4189b20adb253b3c1ad7f8fdc95009 | MD5 hash | HttpBrowser RAT | |
| bff424289c38d389a8cafb16b47dfe39 | MD5 hash | HttpBrowser RAT | |
| 7294c7f3860315d51f74152e8ad353df | MD5 hash | HttpBrowser RAT | |
| 40092f76fea082b05e9631d91975a401 | MD5 hash | HttpBrowser RAT | |
| e42fce74bbd637c35320cf4e95f5e055 | MD5 hash | HttpBrowser RAT | |
| d0dafc3716a0d0ce393cde30b2b14a07 | MD5 hash | HttpBrowser RAT | |
| ae66bad0c7de88ab0ab1050c4bec9095 | MD5 hash | HttpBrowser RAT | |
| c7c2be1cd3780b2ba4638cef9a5422c7 | MD5 hash | HttpBrowser RAT | |
| 405949955b1cb65673c16bf7c8da2f4d | MD5 hash | HttpBrowser RAT | |
| ff4f052dbe73a81403df5e98313000fb | MD5 hash | HttpBrowser RAT | |
| b30fcd362c7b8ac75b7dddfe6cb448c7 | MD5 hash | HttpBrowser RAT | |
| 1d24f4d20b80562de46a8ac95d0ff8c2 | MD5 hash | HttpBrowser RAT | |
| 9538bbdb3a73201b40296e9d4dc80ade | MD5 hash | HttpBrowser RAT | |
| 46bb2caeda30c09a6337fd46ec98c32c | MD5 hash | HttpBrowser RAT | |
| 0c8842e48e80643d91dd290d0f786147 | MD5 hash | HttpBrowser RAT | |
| 0fc975c3c4e6c546b4f2b5aaed50dd78 | MD5 hash | HttpBrowser RAT | |
| 41be449f687828466ed7d87f0f30a278 | MD5 hash | HttpBrowser RAT | |
| 2b95caf3307ebd36cf405b1133b30aa8 | MD5 hash | HttpBrowser RAT | |
| ccc715a4d9d0157b9776deacdb26bf78 | MD5 hash | HttpBrowser RAT | |
| 37933acfa8d8e78c54413d88ca705e17 | MD5 hash | HttpBrowser RAT | |
| 2813c5a1c87f7e3d33174fed8b0988a1 | MD5 hash | HttpBrowser RAT | |
| 8f22834efe52ccefb17e768569eb36b9 | MD5 hash | HttpBrowser RAT | |
| 6f01628a0b5de757a8dbe99020499d10 | MD5 hash | HttpBrowser RAT | |
| 7f8d9f12f41156512b60ab17f8d85fe9 | MD5 hash | HttpBrowser RAT | |
| debe5ef2868b212f4251c58be1687660 | MD5 hash | HttpBrowser RAT | |
| e136d4ebab357fd19df8afe221460571 | MD5 hash | HttpBrowser RAT | |
| a86a906cfafaf1d7e3725bb0161b0cfe | MD5 hash | HttpBrowser RAT | |
| 03e1eac3512a726da30fff41dbc26039 | MD5 hash | HttpBrowser RAT | |
| baac5e5dd3ce7dae56cab6d3dac14e15 | MD5 hash | HttpBrowser RAT | |
| 0f7dde31fbeb5ddbb6230c401ed41561 | MD5 hash | HttpBrowser RAT | |
| 36d957f6058f954541450f5a85b28d4b | MD5 hash | HttpBrowser RAT | |
| 42d874f91145bd2ddf818735346022d8 | MD5 hash | HttpBrowser RAT | |
| 3468034fc3ac65c60a1f1231e3c45107 | MD5 hash | HttpBrowser RAT | |
| 4e3b51a6a18bdb770fc38650a70b1883 | MD5 hash | HttpBrowser RAT | |
| 3647068230839f9cadf0fd4bd82ade84 | MD5 hash | HttpBrowser RAT | |
| 550922107d18aa4caad0267997709ee5 | MD5 hash | HttpBrowser RAT | |
| d8f0a6450f9df637daade521dc90d29d | MD5 hash | HttpBrowser RAT | |
| bf2e2283b19b0febc4bd1f47aa82a94c | MD5 hash | HttpBrowser RAT | |
| d0eec2294a70ceff84ca8d0ed7939fb5 | MD5 hash | HttpBrowser RAT | |
| e91d2464c8767552036dd0294fc7e6fb | MD5 hash | HttpBrowser RAT | |
| f627bc2db3cab34d97c8949931cb432d | MD5 hash | HttpBrowser RAT | |
| b313bbe17bd5ee9c00acff3bfccdb48a | MD5 hash | PlugX RAT dropper | |
| f7a842eb1364d1269b40a344510068e8 | MD5 hash | PlugX RAT dropper | |
| 8dacca7dd24844935fcd34e6c9609416 | MD5 hash | PlugX RAT dropper | |
| 7cffd679599fb8579abae8f32ce49026 | MD5 hash | PlugX RAT dropper | |
| 462fd01302bc40624a44b7960d2894cd | MD5 hash | PlugX RAT dropper | |
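The indicator rows above are defanged (`[.]` for `.`) and flattened into one text column per row, which is what an analyst has to turn into something a log search can consume. The following is an added example, not code from the issue, from SecureWorks or from the APTnotes project: it parses a constructed excerpt of the rows in the posted format, refangs and de-duplicates them (the posted table repeats a few rows), keeps the per-row confidence, and runs the hostname indicators over constructed DNS query log lines. The log format, client names and the `RAW_INDICATORS` excerpt are all assumptions made for the example; only the indicator values themselves are taken from the list above.

```python
import re

# Constructed excerpt of the defanged indicator table posted in this issue (not
# the full list); the row format is '<indicator> <two-word type> <context> [Confidence: <level>]'.
RAW_INDICATORS = """\
american[.]blackcmd[.]com Domain name TG-3390 infrastructure Confidence: High
longshadow[.]dyndns[.]org Domain name TG-3390 infrastructure Confidence: High
oac[.]3322[.]org Domain name TG-3390 infrastructure Confidence: High
74[.]63[.]195[.]236 IP address TG-3390 infrastructure Confidence: High
74[.]63[.]195[.]236 IP address TG-3390 infrastructure Confidence: High
49[.]143[.]192[.]221 IP address TG-3390 infrastructure Confidence: Moderate
working_success@163[.]com Email address TG-3390 email address Confidence: High
1cb4b74e9d030afbb18accf6ee2bfca1 MD5 hash HttpBrowser RAT dropper
2abf7421c34c60d48e09325a206e720e MD5 Hash HttpBrowser RAT
b313bbe17bd5ee9c00acff3bfccdb48a MD5 hash PlugX RAT dropper
"""

# The two-word type labels used in the table (case-insensitive), mapped to short tags.
TYPES = {"domain name": "domain", "ip address": "ip",
         "email address": "email", "md5 hash": "md5"}


def refang(token):
    """Undo the usual defanging conventions: [.] for '.', [@] for '@', hxxp for http."""
    return token.replace("[.]", ".").replace("[@]", "@").replace("hxxp", "http")


def parse_indicators(text):
    """Return ({indicator: {type, context, confidence}}, [indicators seen more than once]).

    Hash rows carry no confidence field in the table, so 'confidence' is None for them.
    """
    indicators, duplicates = {}, []
    for line in text.splitlines():
        parts = line.strip().split(maxsplit=3)
        if len(parts) < 3:
            continue
        token = refang(parts[0]).lower()
        kind = TYPES[f"{parts[1]} {parts[2]}".lower()]
        context = parts[3] if len(parts) == 4 else ""
        m = re.search(r"\s*Confidence:\s*(\w+)\s*$", context)
        confidence = m.group(1) if m else None
        if m:
            context = context[:m.start()].strip()
        if token in indicators:
            duplicates.append(token)   # the posted table repeats a few rows verbatim
            continue
        indicators[token] = {"type": kind, "context": context, "confidence": confidence}
    return indicators, duplicates


def match_hostname(hostname, indicators):
    """Return the listed hostname that `hostname` equals or is a child label of, else None.

    Deliberately does not widen to the registered domain: several listed hosts sit on
    dynamic-DNS providers (dyndns.org, 3322.org, dyndns-free.com), and matching those
    apexes would flag every customer of the provider.
    """
    h = hostname.lower().rstrip(".")
    for ioc, meta in indicators.items():
        if meta["type"] == "domain" and (h == ioc or h.endswith("." + ioc)):
            return ioc
    return None


# Constructed DNS query log lines: '<timestamp> <client> query <qtype> <qname>'.
SAMPLE_DNS_LOG = [
    "2015-08-05T10:01:02Z ws-017 query A american.blackcmd.com",
    "2015-08-05T10:01:09Z ws-022 query A mail.dyndns.org",
    "2015-08-05T10:02:15Z ws-017 query A cdn.american.blackcmd.com",
    "2015-08-05T10:03:00Z ws-031 query A www.example.com",
]


def scan_dns_log(lines, indicators):
    """Return (line_no, client, qname, matched_indicator) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue
        ioc = match_hostname(fields[4], indicators)
        if ioc:
            hits.append((n, fields[1], fields[4], ioc))
    return hits


if __name__ == "__main__":
    iocs, dups = parse_indicators(RAW_INDICATORS)
    print(f"{len(iocs)} unique indicators; duplicate rows: {dups}")
    for hit in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print("HIT", hit)
```

The second log line (`mail.dyndns.org`) is the case to watch: it shares a registered domain with a listed host but is not the listed host, and a matcher that keys on the apex would alert on it. Confidence is kept per indicator so that the Moderate-confidence IPs can be routed to a watchlist rather than a block rule.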

kbandla commented 8 years ago

Added in commit bd1f924b7113957bff668ef861463a823d8f12f7. Thanks @chrisddom !