📃Title: APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION
📅Date: 2015-04-01
🔗References:
- http://web.archive.org/web/20220313234300/https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
- https://www.keithrozario.com/2015/04/fireeye-group-spied-on-malaysia-for-10-years.html
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: TA-profile
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- threat-actor APT30
- target-information=“India”
- target-information=“Malaysia”
- target-information=“Saudi Arabia”
- target-information=“South Korea”
- target-information=“Thailand”
- target-information=“United States”
- target-information=“Vietnam”
- malpedia=“FLASHFLOOD”
- malpedia=“NETEAGLE”
- malpedia=“SHIPSHAPE”
- malpedia=“SPACESHIP”
- malpedia=“backspace”
- country=“china”
- malpedia=“GEMCUTTER”
- malpedia=“MILKMAID”
- malpedia=“ORANGEADE”
- producer Mandiant
- mitre-attack-pattern=[]
MISP event uuid: 77d062bd-a5a0-479b-adf8-f777f635598d
Indicators of Compromise (IoCs)
type, value, comment
hostname, www.km153.com, 'BACKSPACE controller version check and self-update'
domain, aseanm.com, 'BACKSPACE C2'
hostname, www.creammemory.com, 'NETEAGLE C2'
hostname, www.iapfreecenter.com, 'Primary BACKSPACE C2 domain'
hostname, www.appsecnic.com, 'Backup BACKSPACE C2 domain; run/hide configuration'
hostname, www.newpresses.com, 'BACKSPACE Run/hide configuration'
url, www.iapfreecenter.com/Lnk1z/hostlist.txt, 'BACKSPACE attempts to contact its C2 servers for validation and to obtain configuration data'
url, www.newpresses.com/http/nur.txt, ''
url, www.km153.com/http/nur.txt, ''
url, www.appsecnic.com/http/nur.txt, ''
url, www.iapfreecenter.com/Lnk1z, ''
url, www.newpresses.com/some/edih.txt, ''
url, www.km153.com/some/edih.txt, ''
url, www.appsecnic.com/some/edih.txt, ''
hostname, www.bigfixtools.com, 'primary first-stage C2 domain'
hostname, www.km-nyc.com, 'Used to obtain “run/hide” configuration data'
hostname, www.bluesixnine.com, 'Used to obtain “run/hide” configuration data'
hostname, www.autoapec.com, 'NETEAGLE first attempts to retrieve the file allupdate.xml'
url, http://www.autoapec.com/yzstmfa/update.xml, 'NETEAGLE'
url, http://www.autoapec.com/yzstmfa/updateapp.xml, 'NETEAGLE'
url, http://www.autoapec.com/yzstmfa/pic1.bmp, 'NETEAGLE'
url, http://www.creammemory.com/update1/pic2.bmp, 'NETEAGLE'
Full IoCs available in Rectifyq's MISP