PULSE NAME
Insider Information: An intrusion campaign targeting Chinese language news sites
TLP: WHITE | Author: AlienVault | Created: 2017-07-05 | Modified: 2017-07-25
42 IOCs | MEDIUM VOLUME
This report describes a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites. Citizen Lab connects the infrastructure used in the campaign to previous malware operations targeting a Tibetan radio station and the Thai government. They also connect one of the code signing certificates observed in this campaign to a campaign targeting gaming companies; notably, the NetWire remote access trojan was also used as a payload in that campaign.
Indicators of Compromise (42)
TYPE INDICATOR DESCRIPTION CREATED
email aobama_5@yahoo.com 2017-07-05
domain bowenpres.com 2017-07-05
domain bowenpress.net 2017-07-05
domain bowenpross.com 2017-07-05
domain chinadagitaltimes.net 2017-07-05
domain datalink.one 2017-07-05
URL http://43.240.14.37/asdasdasadqddd12222111.php/article.asp 2017-07-05
URL http://chinadagitaltimes.net/2016/07/chinese-hackers-blamed-multiple-breaches-fdic 2017-07-05
URL http://get.adobe.com.bowenpress.org/Adobe/update/20160703/AdobeUpdate20160703.exe 2017-07-05
URL http://get.adobe.com.bowenpress.org/Adobe/update/20160812/AdobeUpdate20160812.exe 2017-07-05
URL http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate.html 2017-07-05
URL http://get.adobe.com.bowenpress.org/Adobe/update/20161201/AdobeUpdate20161201.exe 2017-07-05
URL http://get.adobe.com.bowenpress.org/Adobe/update/20170312/AdobeUpdate20170312.exe 2017-07-05
hostname dns.bowenpress.org 2017-07-05
hostname email23.secuerserver.com 2017-07-05
hostname get.adobe.com.bowenpress.org 2017-07-05
hostname hk.secuerserver.com 2017-07-05
hostname pop.secuerserver.com 2017-07-05
hostname smtpout.secuerserver.com 2017-07-05
hostname www.bowenpress.org 2017-07-05
hostname www.mail.secuerserver.com 2017-07-05
hostname www.secuerserver.com 2017-07-05
hostname www.vnews.hk 2017-07-05
FileHash-MD5 029ba5f0f6997bc36a094e86848a5b82 2017-07-05
FileHash-MD5 13b148aead5e844f7262da768873cec0 2017-07-05
FileHash-MD5 19c5f8829444956ba30e023aaaec6408 2017-07-05
FileHash-MD5 2332aa40d15399179c068ab205a5303d 2017-07-05
FileHash-MD5 4ddf012d8a42ad2666e06ad2f0a8410e 2017-07-05
FileHash-MD5 88e027b1ef7b2da1766e6b6819bba0f0 2017-07-05
FileHash-MD5 88f43fe753e64d9c536fca16979984ef 2017-07-05
FileHash-MD5 945de4d3a046a698aec222fc90a148ba 2017-07-05
FileHash-MD5 95efa51b52f121cec239980127b7f96b 2017-07-05
FileHash-MD5 ac5763000ae435875f3b709a5f23ecc0 2017-07-05
FileHash-MD5 bb080489dbc98a59cac130475e019fb2 2017-07-05
FileHash-MD5 c1dabd54a672cbc2747c53a8041d5602 2017-07-05
FileHash-MD5 d80fc6a4f175e3ab417b9f96c3b37c73 2017-07-05
FileHash-MD5 e0338b1f010fdc4751de5f58e4acf2ad 2017-07-05
FileHash-MD5 e841ecaa44b3589120b72e60b53f39c6 2017-07-05
FileHash-MD5 f282fd20d7eaebe848b5111ecdae82a6 2017-07-05
email aisia.anminda8@mail.com 2017-07-05
email hellomice@mail.com 2017-07-05
YARA d8f68ce54b05124967d1f00e784fa9006e1d48b4 2017-07-25