📃Title: TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
📅Date: 2024-07-16
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer Recorded-Future
  • threat-actor Storm-2077
  • malpedia="Pantegana"
  • malpedia="SparkRAT"
  • sector="Diplomacy"
  • sector="Trade"
  • target-information="Cambodia"
  • target-information="Cuba"
  • target-information="Djibouti"
  • target-information="Dominican Republic"
  • target-information="Fiji"
  • target-information="France"
  • target-information="Indonesia"
  • target-information="Italy"
  • target-information="Japan"
  • target-information="Malaysia"
  • target-information="Netherlands"
  • target-information="Taiwan"
  • target-information="United Kingdom"
  • target-information="United States"
  • target-information="Vietnam"
  • mitre-attack-pattern=["T1071", "T1102.002", "T1027.009", "T1027.013", "T1190", "T1055", "T1583.003", "T1595.002"]

MISP event uuid: 3e513f64-7c35-4a0b-8f70-0ccfa4dfd5ff

Indicators of Compromise (IoCs)

type,value,comment
ip-dst,209.141.46.83,'TAG-100 C2 Infrastructure'
ip-dst,209.141.57.75,'TAG-100 C2 Infrastructure'
ip-dst,205.185.126.208,'TAG-100 C2 Infrastructure'
ip-dst,38.54.115.34,'TAG-100 C2 Infrastructure'
ip-dst,209.141.42.131,'TAG-100 C2 Infrastructure'
ip-dst,104.244.79.119,'TAG-100 C2 Infrastructure'
ip-dst,207.246.108.119,'TAG-100 C2 Infrastructure'
ip-dst,38.54.15.164,'TAG-100 C2 Infrastructure'
ip-dst,198.98.49.41,'TAG-100 C2 Infrastructure'
ip-dst,209.141.50.215,'TAG-100 C2 Infrastructure'
ip-dst,205.185.127.12,'TAG-100 C2 Infrastructure'
ip-dst,205.185.117.73,'TAG-100 C2 Infrastructure'
ip-dst,216.238.68.36,'TAG-100 C2 Infrastructure'
ip-dst,209.141.37.217,'TAG-100 C2 Infrastructure'
ip-dst,205.185.121.169,'TAG-100 C2 Infrastructure'
ip-dst,144.202.125.201,'TAG-100 C2 Infrastructure'
ip-dst,173.254.229.93,'TAG-100 C2 Infrastructure'
ip-dst,205.185.122.35,'TAG-100 Exploitation Servers'
ip-dst,209.141.47.6,'TAG-100 Exploitation Servers'
hostname,www.megtech.xyz,'TAG-100 Cobalt Strike C2 Domain'
sha256,e3aab908800cb4601bc4a87ac9ac48d816ced57cdb409b6e2468956cc50bdf04,'Cobalt Strike'
sha256,8eb3617768ce4693b726bb8187e5cccea3359de0196d6f2bbe555c31f12d1234,'Cobalt Strike'
sha256,23efecc03506a9428175546a4b7d40c8a943c252110e83dec132c6a5db8c4dd6,'SparkRAT/LESLIELOADER'
sha256,ec45da0ca70a9b71652cc95d51665f7ad568294bd5652c395a119bccd613e9b4,'SparkRAT/LESLIELOADER'
sha256,b8cab11421eb4731c16cf3c34ca2b3f2a758d5e112f877b90a18b3e146c8add0,'SparkRAT/LESLIELOADER'

Full IoCs available in Rectifyq's MISP