By Ismael Rocha: An advanced persistent threat(APT) works to access computer networks and systems without being detected or noticed. These threats, sometimes executed by a nation-state or a state-sponsored group, can steal private and secret information, damage IT systems and disrupt the functioning of vital systems. Defending against advanced persistent threats is a difficult task as they act stealthily and their intrusions can be difficult to recognize.
Brazil is a country with a wide variety of economic sectors, such as: education/research, finance, health, government/military, retail, energy, communication, technology, among others. These sectors generate large sums of money for governments and organizations, consequently arousing the interest of advanced threat groups. Thus, it is possible to note the great increase in cyber attacks for financial gain, access to secret and confidential files or country disruption by cybercriminals.
About Red Apollo (APT10)
APT10 (Red Apollo) is a cyber threat group that is widely believed to be a Chinese state-sponsored operation. They are known for targeting organizations around the world in various industries, including information technology, communications, engineering, aerospace and others.
APT10's main objective is to steal intellectual property, confidential information and data from organizations around the world for economic gain. They usually carry out their operations through phishing, custom malware and other advanced social engineering techniques to gain access to corporate networks and exfiltrate data.
The group is also known for its long-term operations and ability to remain hidden in victims' networks for months or even years, allowing them to obtain a significant amount of confidential data. APT10 Red Apollo is considered one of the most advanced and persistent cyber threat groups currently active.
TTPs - MITRE ATT&CK
| Tactics | Technique | Details |
| Discovery | T1046 | Attackers try to obtain a list of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to exploitation by remote software. |
| Initial Access | T1566 | Sending malicious Office documents by e-mail as part of spearphishing campaigns, as well as executables disguised as documents. |
| Execution | T1204 | It tries to get victims to open malicious files such as Windows shortcuts (.lnk) and/or Microsoft Office documents sent by e-mail. |
| Execution | T1059 | Using PowerSploit to inject shellcode into PowerShell. |
| Lateral Movement | T1021 | Use of RDP connections to move around the victim's network. |
| Defense Evasion | T1027 | Encoding strings in your malware with base64, as well as with a simple single-byte XOR obfuscation using the 0x40 key. |
| Defense Evasion | T1036 | Use of esentutl to change file extensions to their true type that were masked as .txt files. |
| Initial Access | T1078 | Use of valid accounts, including those shared between managed service providers and clients, to move between the two environments. |
Indicators of Commitment (IoCs)
ISH Technology handles several Indicators of Commitment collected through open sources, closed sources and also through analysis performed by the Heimdall security team. In light of this, below we list all Indicators of Commitments (IOCs) related to the analysis of the artifact(s) in this report.
| Malicious/analyzed artifact compromise indicators | |
| md5: | 577a47811b3c57a663bcbf2aab99c9e3 |
| sha1: | dbc48357bfbe41f5bfdd3045066486e76a23ad2d |
| sha256: | 70225015489cae369d311b62724ef0caf658ffdf62e5edbafd8267a8842e7696 |
| File name: | 70225015489cae369d311b62724ef0caf658ffdf62e5edbafd8267a8842e7696.bin |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 69ef2d7f9ed29840b60a7fd32030cbd1 |
| sha1: | b24e254f6fdd67318547915495f56f8f2a0ac4fe |
| sha256: | 91f8805e64f434099d0137d0b7ebf3db3ccbf5d76cd071d1604e3e12a348f2d9 |
| File name: | mpclient.dll |
| Malicious/analyzed artifact compromise indicators | |
| md5: | f259765905cd16ff40132f35c85a862a |
| sha1: | d9efd4c4e1fb4e3d4a171c4ca0985839ad1cdee9 |
| sha256: | 7fe5674c9a3af8413d0ec71072a1c27d39edc14e4d110bfeb79d1148d55ce0b6 |
| File name: | 7fe5674c9a3af8413d0ec71072a1c27d39edc14e4d110bfeb79d1148d55ce0b6.bin |
| Malicious/analyzed artifact compromise indicators | |
| md5: | bde2a3c8e034d30ce13e684f324c6702 |
| sha1: | a413f4bcb7406710b76fabdaba95bb4690b24406 |
| sha256: | f04f444d9f17d4534d37d3369bf0b20415186862986e62a25f59fd0c2c87562f |
| File name: | mpclient.dll |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 0c4a84b66832a08dccc42b478d9d5e1b |
| sha1: | 160320b920a5ef22ac17b48146152ffbef60461f |
| sha256: | 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b |
| File name: | 5b56c5d86347e164c6e571c86dbf5b1535eae6b979fede6ed66b01e79ea33b7b.exe |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 4c3c7053ec145ad3976b2a84038c5feb |
| sha1: | 3246867705e8aad60491fe195bcc83af79470b22 |
| sha256: | 15b52c468cfd4dee4599ec22b1c04b977416fbe5220ab30a097f403903d28a3a |
| File name: | vmtools.ini |
| Malicious/analyzed artifact compromise indicators | |
| md5: | a4a6abf4ed4c9447683fba729a17197b |
| sha1: | ead02cb3f6b811427f2635a18398392bc2ebca3a |
| sha256: | b0fb6c7eecbf711b2c503d7f8f3cf949404e2dd256b621c8cf1f3a2bdfb54301 |
| File name: | glib-2.0.dll |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 809fcab1225981e87060033d72edaeaf |
| sha1: | 64f5044709efc77230484cec8a0d784947056022 |
| sha256: | 62fea3942e884855283faf3fb68f41be747c5baa922d140509237c2d7bacdd17 |
| File name: | 62fea3942e884855283faf3fb68f41be747c5baa922d140509237c2d7bacdd17.bin |
| Malicious/analyzed artifact compromise indicators | |
| md5: | b16bb2f910f21e2d4f6e2aa1a1ea0d8b |
| sha1: | a75e9b702a892cc3e531e158ab2e4206b939f379 |
| sha256: | 8502852561fcb867d9cbf45ac24c5985fa195432b542dbf8753d5f3d7175b120 |
| File name: | LockDown.dll |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 78c309be8437e7c1d2dd3f12d7c034c8 |
| sha1: | 8c4f32b532dcbec914228baf16cf6b21fb12e2fc |
| sha256: | c10d7ea92fa96c79cfc3dd6957cad346ae3efd611eb4cca6e368c5c0fcad87be |
| File name: | sample.doc |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 77c02893cf4a86ad2fd629aea4db772f |
| sha1: | 851234d83f283c87b9195178b8e6af6e7836fb1a |
| sha256: | 00d33ab9a73211ba9ed30d0afbe8cc2a1a2a4a60c90fe7f13fa2250d92a7ad85 |
| File name: | tw.rtf |
| Malicious/analyzed artifact compromise indicators | |
| md5: | db212129be94fe77362751c557d0e893 |
| sha1: | 7fe6c8191749767254513b03da03cfbf6dd6c139 |
| sha256: | fadf362a52dcf884f0d41ce3df9eaa9bb30227afda50c0e0657c096baff501f0 |
| File name: | db212129be94fe77362751c557d0e893.vir |
| Malicious/analyzed artifact compromise indicators | |
| md5: | faf9576ce2af23aac67d3087eb85a92b |
| sha1: | daadf23bf09519e77a8d9259164e893bddd6e621 |
| sha256: | db28df72ac3a076cc80eae301c4a1bcb1feab27331f33c928a99879f8290bcb3 |
| File name: | Adobechoose.exe |
| Malicious/analyzed artifact compromise indicators | |
| md5: | e6c596cfa163fe9b8883c7618d594018 |
| sha1: | 4bc116cfb79ed3f116b8c1da4d82a435adf7c534 |
| sha256: | c5e9df74abe15f2751681117fd7efbce03f93157a3ccc314d51da9060dab3790 |
| File name: | scvhost |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 172ce304ce8946ae7be8d223d4520d80 |
| sha1: | c90b19dd970360ad8a0bc74ee6ecf3a002714698 |
| sha256: | d97e64eef62f109d19cb00651224fdfcfb2a14317c420096230627680be0bd78 |
| File name: | Invitation.doc |
| Malicious/analyzed artifact compromise indicators | |
| md5: | b08694e14a9b966d8033b42b58ab727d |
| sha1: | 6716078e371d4bce479e35146c25a753b2b02202 |
| sha256: | af69ad95e6564d682b0f8220dd8c4cca61b60227add59c883eea960350747084 |
| File name: | PiShellPut |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 05ac9875df6a4e1b7b7a21099d27caaf |
| sha1: | 6a1ce9b2c7d8b1309941d8ce06278d3ab6eb6a2a |
| sha256: | 68bad787576e8766b6d1747c25829c784ddc9a9783872a50e6b5ee10fe17d6c3 |
| File name: | vt-upload-Db6R6 |
| Malicious/analyzed artifact compromise indicators | |
| md5: | bd092cc922a8f83880b896a0911774a6 |
| sha1: | 06c9661095a9063c8028c493874f178b15aa73f4 |
| sha256: | 02b3114e249b11d6f051450356704ddf7871aecbdbab5657fc0ccd17ce13e514 |
| File name: | Live360.exe |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 056725205f97051a381ebe7894ba0671 |
| sha1: | 5fd8e622f205a2ffb408399eb3848a33058fdfc6 |
| sha256: | b88fe756176e2ee448bdc1f19c5c5675ecf465034a77e106679970b787942511 |
| File name: | kugou.dll |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 156ce6a9d3eaac1584b8df714a35c530 |
| sha1: | 75800a58d1c42ecba6415c3b5b3a07e65019b456 |
| sha256: | 98aefbea97d086f0bbe082b6bb7499f4ee1fbf707766f3b2739ed99857802ad8 |
| File name: | 1.xls |
| Malicious/analyzed artifact compromise indicators | |
| md5: | 667989ffa5e77943f3384e78adf93510 |
| sha1: | aee17dbab01ed334bb94506fcbc2ed259242159e |
| sha256: | 7eeaa97d346bc3f8090e5b742f42e8900127703420295279ac7e04d06ebe0a04 |
| File name: | 667989ffa5e77943f3384e78adf93510.virobj |
Distribution URLs and C2 IP addresses:
| 114.55[.]109[.]199 |
| 185.225[.]17[.]39 |
| 43.254[.]216[.]104 |
| 45.124[.]115[.]103 |
| 161.82[.]181[.]4 |
| 43.254[.]219[.]153 |
| 45.124[.]115[.]103 |
| 185.225[.]19[.]17 |
| 94.158[.]245[.]249 |
| 5.252[.]179[.]227 |
| 222.186[.]151[.]141 |
| 47.111[.]22[.]65 |
| 154.223[.]141[.]36 |
| 103.139[.]2[.]93 |
| apple[.]ikwb[.]com |
| support1[.]mrface[.]com |
| unspa[.]hostport9[.]net |
| aotuo[.]9966[.]org |
| dedydns[.]ns01[.]us |
| services[.]arkouowi[.]com |
| creatos[.]kozow[.]com |
| quick[.]oldbmwy[.]com |
| jepsen[.]r3u8[.]com |
| sakai[.]unhamj[.]com |
| nttdata[.]otzo[.]com |
| forward[.]davidgagnon[.]org |
| cvnx[.]zyns[.]com |
| zebra[.]wthelpdesk[.]com |
| algorithm[.]ddnsgeek[.]com |
| music[.]websegoo[.]net |
| hk[.]have8000[.]com |
| fbi[.]sexxxy[.]biz |
| friendlysupport[.]giize[.]com |
| idpmus[.]hostport9[.]net |
| lion[.]wchildress[.]com |
| vm[.]vmdnsup[.]org |
| scorpion[.]poulsenv[.]com |
| web[.]casacam[.]net |
| synssl[.]dnset[.]com |
| smo[.]gadskysun[.]com |
| abcd120719[.]6600[.]org |
| firtstdata[.]kozow[.]com |
| nunluck[.]re26[.]com |
| send[.]mofa[.]ns01[.]info |
| bulk[.]tmpxctl[.]com |
| yz[.]chromeenter[.]com |
| kawasaki[.]cloud-maste[.]com |
| un[.]dnsrd[.]com |
| record[.]wschandler[.]com |
| tv [.]goldtoyota[.]com |
| cpu[.]4pu[.]com |
| av[.]ddns[.]us |
| send[.]have8000[.]com |
| contacts[.]rvenee[.]com |
| trems[.]rvenee[.]com |
| video[.]vmdnsup[.]org |
| www[.]jadl-or[.]com |
| art[.]p6p6[.]net |
| vmyiersend[.]websago[.]info |
| trasul[.]mypicture[.]info |
| 1j[.]www1[.]biz |
| google[.]usrobothome[.]com |
| bak[.]have8000[.]com |
| google[.]macforlinux[.]net |
| herring[.]kozow[.]com |
| be[.]yourtrap[.]com |
| grandeur[.]kozow[.]com |
| wike[.]wikaba[.]com |
| bk56[.]twilightparadox[.]com |
| kmd[.]crabdance[.]com |
| img[.]microtoo[.]info |
| inspgon[.]re26[.]com |
| iphone[.]vizvaz[.]com |
| babyprintf[.]2288[.]org |
| cia[.]toh[.]info |
| last[.]p6p6[.]net |
| jimin[.]jimindaddy[.]com |
| stone[.]jumpingcrab[.]com |
| sky[.]oldbmwy[.]com |
| army[.]xxuz[.]com |
| sh[.]chromeenter[.]com |
| mailj[.]hostport9[.]net |
| domain[.]casacam[.]net |
| applelib120102[.]9966[.]org |
| szdns[.]etfiber[.]net |
| 2014[.]zzux[.]com |
| voov[.]2288[.]org |
| document[.]methoder[.]com |
| sbuudd[.]webssl9[.]info |
| baby[.]macforlinux[.]net |
| ducksow[.]ddnsgeek[.]com |
| jpn[.]longmusic[.]com |
| malware[.]dsmtp[.]com |
| zone[.]usrobothome[.]com |
| area[.]wthelpdesk[.]com |
| resource[.]arkouowi[.]com |
| sendmsg[.]jumpingcrab[.]com |
| japan[.]fuckanti[.]com |
| hk[.]cmdnetview[.]com |
| record[.]hostport9[.]net |
| cao[.]p6p6[.]net |
| im[.]suibian2010[.]info |
| taipei[.]yourtrap[.]com |
| sstday[.]jkub[.]com |
| diamond[.]ninth[.]biz |
| start[.]usrobothome[.]com |
| amsidgoo[.]thedomais[.]info |
| janpan[.]bigmoney[.]biz |
| info[.]uroljp[.]com |
| iu[.]niushenghuo[.]info |
| usa[.]radiorig[.]com |
| fukuoka[.]cloud-maste[.]com |
| sz[.]thedomais[.]info |
| whellbuy[.]wschandler[.]com |
| app[.]lehigtapp[.]com |
| firefoxcomt[.]arkouowi[.]com |
| kawasaki[.]unhamj[.]com |
| drives[.]methoder[.]com |
| apple[.]cmdnetview[.]com |
| messagea[.]emailfound[.]info |
| gold[.]polopurple[.]com |
| sdmsg[.]onmypc[.]org |
| fiveavmersi[.]websegoo[.]net |
| dick[.]ccfchrist[.]com |
| byeserver[.]com |
| dnsgogle[.]com |
| gamewushu[.]com |
| gxxservice[.]com |
| ibmupdate[.]com |
| infestexe[.]com |
| kasparsky[.]net |
| linux-update[.]net |
| macfee[.]ga |
| micros0ff[.]com |
| micros0tf[.]com |
| notped[.]com |
| operatingbox[.]com |
| paniesx[.]com |
| serverbye[.]com |
| sexyjapan.ddns[.]info |
| symanteclabs[.]com |
| techniciantext[.]com |
| win7update[.]net |
| xigncodeservice[.]com |
| agegamepay[.]com |
| ageofwuxia[.]com |
| ageofwuxia[.]info |
| ageofwuxia[.]net |
| ageofwuxia[.]org |
Note: The links and IP addresses listed above may be active; be careful when manipulating these IoCs, to avoid clicking on them and becoming a victim of the malicious content hosted on the IoC.
Why have a Threat Hunting team?
The greatest danger of an APT is that it can remain active for long periods of time, often going undetected by cybersecurity defenses, allowing attackers to exfiltrate valuable information and cause significant damage. One of the main characteristics of an APT is its ability to avoid detection by traditional security solutions, such as firewalls and antivirus. Advanced threat groups often use sophisticated social engineering, phishing and reverse engineering techniques to infiltrate corporate networks and government institutions, causing major financial damage.
Traditional security solutions, such as firewalls and antivirus, are effective at detecting known threats, but can fail to detect new threats that are specifically designed to prevent them. The Threat Hunting team proactively searches for threats throughout the organization's IT infrastructure, using advanced threat analysis and forensic investigation techniques to find suspicious activity or anomalies that may indicate the presence of a threat. This allows the team to take immediate action to stop or neutralize a threat before it causes significant damage to the organization.
In short, a Threat Hunting team is important because it provides an additional layer of proactive protection against cyber threats, enabling organizations to identify and respond to advanced cyber threats more quickly and effectively.
How to protect yourself from the Red Apollo group
In addition to the indicators of compromise listed below by the ISH, measures may be adopted to mitigate the infection of the aforementioned to advanced persistent threats, such as:
- Keeping software up to date: it is important to keep the operating system, applications and security software up to date with the latest security updates. This helps to correct known vulnerabilities that can be exploited by APTs.
- Use multi-factor authentication: this can help protect against phishing attacks and stolen credentials. It adds an extra layer of security by requiring the user to provide additional information, apart from a password, in order to authenticate.
- Do not download artifacts contained in suspicious emails and do not click on links in emails that appear to have malicious behavior.
- Use encryption: this can help protect sensitive information, such as customer and corporate data, from being accessed by APTs.
- Backing up regularly: cultivating this practice for critical data can help protect against data loss due to APT attacks.
- Implementing network security controls: such as firewalls, IDS/IPS and advanced threat detection, can help identify and block APTs before they can cause damage.
- Carry out security awareness training: this can help educate users about security threats and how to protect themselves against them.
- Perform behavior analysis: this can help detect suspicious activity within the network, such as transferring large amounts of data to unknown locations or attempting to access confidential resources outside of working hours.
- Adopt a company-wide security posture: to be effective against APTs it is important that companies adopt a comprehensive company-wide approach to security, including policies and procedures, security controls and regular security awareness training.
References
- Heimdall by ISH Technology
- Mitre att&ck
- Report published by Cyware
- Alienvault