PULSE NAME
Insider Information: An intrusion campaign targeting Chinese language news sites
WHITE AlienVault 2017-07-05 Modified: 2017-07-25
42 IOCs
MEDIUM VOLUME
This report reveals a campaign of reconnaissance, phishing, and malware operations that use content and domains made to mimic Chinese language news websites. CitizenLab connect the infrastructure used in the campaign to previous malware operations targeting a Tibetan radio station and the Thai government. We also connect one of the code signing certificates we observed to a campaign targeting gaming companies. It is notable that NetWire was also used as a payload in that campaign.
Indicators of Compromise (16 / 42 total)