📃Title: Mobile APT Surveillance Campaigns Targeting Uyghurs
📅Date: 2020-07-01
🔗References:

Description

Four long-running Android surveillanceware families (SilkBean, DoubleAgent, CarbonSteal, GoldenEagle) used against Uyghurs and connected to a Chinese mAPT (mobile APT) actor. The tooling is trojanized Android apps that beacon to the C2 infrastructure listed below, much of it on dynamic-DNS providers and look-alike domains (e.g. googlleservice.com, symantecupdate.net).

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information=“Afghanistan”
  • target-information=“China”
  • target-information=“Egypt”
  • target-information=“France”
  • target-information=“Indonesia”
  • target-information=“Iran”
  • target-information=“Kazakhstan”
  • target-information=“Kuwait”
  • target-information=“Malaysia”
  • target-information=“Pakistan”
  • target-information=“Saudi Arabia”
  • target-information=“Turkey”
  • target-information=“Uzbekistan”
  • malpedia=“CarbonSteal”
  • malpedia=“DoubleAgent”
  • malpedia=“GoldenEagle”
  • malpedia=“SilkBean”
  • threat-actor=“APT15”
  • mitre-attack-pattern=[]

MISP event uuid: 4b09400c-8690-4b8d-99a6-e274b658e7b7

Indicator of Compromise (IoCs)

type,value,comment
hostname, www.turkyedu-online.com, 'SilkBean C2'
hostname, www.englishedu-online.com, 'SilkBean C2'
hostname, www.turknews-online.com, 'SilkBean C2'
sha1, f99a071e2a1da49872a50d8a6b1a8b5b9b927233, 'SilkBean (no sample in VT, last check 01/03/2025)'
hostname, youtube.dynamicdns.org.uk, 'DoubleAgent C2'
hostname, tree.ddns.us, 'DoubleAgent C2'
hostname, coco.wikaba.com, 'DoubleAgent C2'
hostname, umare.zyns.com, 'DoubleAgent C2'
hostname, phpyahoo.mrbasic.com, 'DoubleAgent C2'
hostname, androidapps.spdns.eu, 'DoubleAgent C2'
hostname, androidapps.fvk.cc, 'DoubleAgent C2'
hostname, androidapps.linkpc.net, 'DoubleAgent C2'
hostname, androidapps.duia.in, 'DoubleAgent C2'
hostname, heartsys.dnsapi.info, 'DoubleAgent C2'
hostname, androidapps.nsupdate.info, 'DoubleAgent C2'
hostname, android.apps.us.to, 'DoubleAgent C2'
hostname, androidapps.spdns.org, 'DoubleAgent C2'
hostname, androidapps.npff.co, 'DoubleAgent C2'
hostname, androidapps.home.hn.org, 'DoubleAgent C2'
hostname, androidapps.nerdpol.ovh, 'DoubleAgent C2'
hostname, androidapps.myfirewall.org, 'DoubleAgent C2'
hostname, androidapps.jetos.com, 'DoubleAgent C2'
domain, androidsapps.ml, 'DoubleAgent C2'
hostname, androidapps.tempors.com, 'DoubleAgent C2'
domain, wephone.top, 'DoubleAgent C2'
hostname, www.cookedu-online.com, 'DoubleAgent C2'
ip-dst, 176.31.115.156, 'DoubleAgent C2'
domain, babyedu-online.com, 'DoubleAgent C2'
sha1, ae08317008f7cf7ed4e26cb27fba3c55aa884bce, 'DoubleAgent (no sample in VT, last check 01/03/2025)'
sha1, 584dfae56ba04776d630f8a0179c9799617dfc85, 'DoubleAgent (no sample in VT, last check 01/03/2025)'
sha1, ae7b653af51f5216af8e11042370239dcc1f4873, 'DoubleAgent (no sample in VT, last check 01/03/2025)'
sha1, 4ec4bfc9cfe555e2990b447962181c43272afd3b, 'DoubleAgent (no sample in VT, last check 01/03/2025)'
sha1, 34de7568ade42cdce527b218f465098a200e4115, 'DoubleAgent (no sample in VT, last check 01/03/2025)'
sha1, ae9339dae4030729de951fac46df93839b952515, 'DoubleAgent (no sample in VT, last check 01/03/2025)'
hostname, joke.upupdate.cn, 'CarbonSteal C2'
hostname, sz.secpert.com, 'CarbonSteal C2'
hostname, 6006.upupdate.cn, 'CarbonSteal C2'
hostname, ss903.w3.ezua.com, 'CarbonSteal C2'
hostname, ss904.w3.ezua.com, 'CarbonSteal C2'
hostname, 6006.secpert.com, 'CarbonSteal C2'
hostname, s101.secpert.com, 'CarbonSteal C2'
hostname, s2.upupdate.cn, 'CarbonSteal C2'
hostname, amote-366.vicp.cc, 'CarbonSteal C2'
sha1, bdd778a75a8ea74c1dd0a06fc1ae4d41e5518d91, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, a3f91dde5854bd781b15c307ce03bcada1baf6fc, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, f55a23e54e91c843f8fffb243ba0d1ebaf4d5d3f, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 65cac7c80f3ab562b0a239bc36218bcec70f6ae9, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 60604d7a9c42c2becf2f2f5af6822d058eb6ae98, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, f2341bef7212cd6d15638c30076460b11321a2d3, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 6ab2414fd44d84303e8698548ee6c2fd4dfd78c1, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, d9ad43d4192c16190786ae89190113931b438909, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, aefaab4fd236b25cd7fe91210c0176d631b7bb6c, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 0fc290c6448dfaca535768c594a91e5d19855079, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 9becc7919a63ec5188629047e7ca02d7a592f314, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 9e6297136ca7bc8da094bf3421c8be4595ee0db4, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 1df29ec83d0858c04557a56d10e5ee482ffc03c4, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, eb1243d5f293087643db7263a40516026b69e697, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, dfc7dccc9a0738a591ef302baa45ecd8e45c0a34, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, ecbe302daafb23eba47960031c659c42e1f9b24b, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 82fe511a4fda38816eea0b3e4c13cf1b6c188e37, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
sha1, 23596e0d4f5cc9e53bc8de92f3899dd16e44448d, 'CarbonSteal (no sample in VT, last check 01/03/2025)'
ip-dst, 150.107.3.188, 'GoldenEagle C2'
hostname, www.vipapkdownload.com, 'GoldenEagle C2'
hostname, www.nortonservice.net, 'GoldenEagle C2'
domain, vipappdownload.com, 'GoldenEagle C2'
ip-dst, 103.56.17.108, 'GoldenEagle C2'
ip-dst, 101.78.230.99, 'GoldenEagle C2'
domain, googlleservice.com, 'GoldenEagle C2'
domain, symantecupdate.net, 'GoldenEagle C2'
domain, googleanalyseservice.net, 'GoldenEagle C2'
sha1, 0b2ff1231fd8985d54c0508fb541ecd4ed56c10e, 'GoldenEagle (no sample in VT, last check 01/03/2025)'
sha1, 75e7cf299648154142ad93d2c52a4327b3f61dd3, 'GoldenEagle (no sample in VT, last check 01/03/2025)'
sha1, d51930a82ba46cf147b0a2a330aa47f988cd3bf0, 'GoldenEagle (no sample in VT, last check 01/03/2025)'
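
The table above is a MISP-style "type, value, comment" export, and the practical question is how to turn it into a detection without mismatching indicator types. The following is an added example, not part of this event or of Rectifyq's MISP: it parses rows in that layout, validates the sha1 column, and matches constructed DNS log lines against the C2 indicators. Two assumptions are built in and labelled in the code: `hostname` and `ip-dst` rows match exactly (a hostname entry such as www.cookedu-online.com does not imply its parent domain), while a `domain` row also matches its subdomains, because several of the listed families parked C2 on dynamic-DNS children. The IoC excerpt and log lines embedded below are constructed from the table for illustration; in use you would feed the full CSV export.

```python
import re
from collections import defaultdict

# Constructed excerpt of the IoC table above, in the same "type, value, comment"
# layout. A real run would read the full MISP CSV export instead.
IOC_CSV = """\
type,value,comment
hostname, www.turkyedu-online.com, 'SilkBean C2'
domain, androidsapps.ml, 'DoubleAgent C2'
ip-dst, 176.31.115.156, 'DoubleAgent C2'
hostname, sz.secpert.com, 'CarbonSteal C2'
domain, googlleservice.com, 'GoldenEagle C2'
sha1, 0b2ff1231fd8985d54c0508fb541ecd4ed56c10e, 'GoldenEagle (no sample in VT)'
"""

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_iocs(text):
    """Return (type, value, family) tuples from the CSV-like IoC table.

    The comment column starts with the malware family name; anything after it
    (VT check notes) is dropped. Values are lower-cased and sha1 rows are
    rejected unless they are exactly 40 hex characters."""
    iocs = []
    for line in text.splitlines()[1:]:          # skip the header row
        if not line.strip():
            continue
        typ, value, comment = [p.strip() for p in line.split(",", 2)]
        family = comment.strip("'").split()[0] if comment.strip("'") else "unknown"
        value = value.lower()
        if typ == "sha1" and not SHA1_RE.match(value):
            raise ValueError(f"malformed sha1 indicator: {value}")
        iocs.append((typ, value, family))
    return iocs


def build_matcher(iocs):
    """Index the IoCs by type and return (match_host, match_sha1) closures.

    Assumption (not stated by the event): hostname and ip-dst indicators match
    exactly; a domain indicator also matches any subdomain beneath it."""
    index = defaultdict(set)
    for typ, value, family in iocs:
        index[typ].add((value, family))

    def match_host(name):
        name = name.lower().rstrip(".")        # tolerate trailing-dot FQDNs
        hits = set()
        for value, family in index["hostname"] | index["ip-dst"]:
            if name == value:
                hits.add(family)
        for value, family in index["domain"]:
            if name == value or name.endswith("." + value):
                hits.add(family)
        return hits

    def match_sha1(digest):
        digest = digest.lower()
        return {family for value, family in index["sha1"] if value == digest}

    return match_host, match_sha1


# Constructed DNS log, (client, queried name), for illustration only.
DNS_LOG = [
    ("10.0.0.12", "www.turkyedu-online.com"),
    ("10.0.0.12", "update.androidsapps.ml"),
    ("10.0.0.19", "mail.example.com"),
    ("10.0.0.23", "googlleservice.com."),
]


def scan_dns_log(log, match_host):
    """Return {client: {families}} for every query that hits a C2 indicator."""
    alerts = defaultdict(set)
    for client, qname in log:
        families = match_host(qname)
        if families:
            alerts[client] |= families
    return dict(alerts)


if __name__ == "__main__":
    match_host, match_sha1 = build_matcher(parse_iocs(IOC_CSV))
    for client, families in sorted(scan_dns_log(DNS_LOG, match_host).items()):
        print(client, sorted(families))
```

Note that `evil-androidsapps.ml` would not match: the suffix check requires a dot boundary, so look-alike registrations do not produce false positives. If you disagree with subdomain matching for `domain` rows, drop the `endswith` clause and the matcher becomes exact-match for every network type.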

Full IOCs available in Rectifyq's MISP