📃Title: Advanced techniques used in a Malaysian-focused APT campaign
📅Date: 2020-06-22
🔗References:
Description
“The Elastic Security Intelligence & Analytics Team researches adversary innovations of many kinds, and has recently focused on an activity group that leveraged remote templates, VBA code evasion, and DLL side-loading techniques. Based on code similarity and shared tactics, techniques, and procedures (TTPs), the team assessed this activity to be possibly linked to a Chinese-based group known as APT40, or Leviathan. The group’s campaign appears to target Malaysian government officials with a lure regarding the 2020 Malaysian political crisis.”
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: intrusion-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Malaysia"
- producer="Elastic"
- threat-actor="APT40"
- sector="Government, Administration"
- mitre-attack-pattern=['T1055', 'T1059', 'T1060', 'T1073', 'T1107', 'T1129', 'T1140', 'T1193', 'T1221']
MISP event uuid: 6f707024-b346-4f24-a6aa-f95bb9d695cc
Indicators of Compromise (IoCs)
type,value,comment
sha256, 06a4246be400ad0347e71b3c4ecd607edda59fbf873791d3772ce001f580c1d3, 'No sample in VT; last check: 23/02/2025'
hostname, armybar.hopto.org, ''
hostname, tomema.myddns.me, ''
url, https://armybar.hopto.org/LogiMail.dll, ''
url, https://armybar.hopto.org/LogiMailApp.exe, ''
url, https://armybar.hopto.org/Encrypted, ''
url, http://tomema.myddns.me/postlogin, ''
url, http://tomema.myddns.me/list_direction, ''
url, http://tomema.myddns.me/post_document, ''
ip-dst, 104.248.148.156, ''
ip-dst, 139.59.31.188, ''
Full IOCs available in Rectifyq's MISP