📃Title: APT40 targeting Malaysia government officials
📅Date: 2020-02-05
🔗References:
- https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9
- https://www.mycert.org.my/portal/advisory?id=MA-770.022020
- https://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/
- https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=e605c78d-4f22-4ca9-9de4-70681a069ea9
Description
MyCERT observed an increase in the number of artifacts and victims involving a campaign against Malaysian Government officials by a specific threat group. The group's motive is believed to be data theft and exfiltration.
- Reconnaissance: The group has leveraged previously compromised email addresses, or impersonated email accounts, to send spear-phishing emails.
- Delivery: Spear-phishing emails with malicious attachments, although delivery via Google Drive links has also been observed. The sender pretends to be a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO).
- Weaponization: A Microsoft Office document with macros that, once enabled, extracts a malicious executable which in turn downloads a loader.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: intrusion-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Malaysia"
- threat-actor APT40
- sector="Government, Administration"
- producer Medium
- mitre-attack-pattern=['T1193', 'T1203', 'T1073']
MISP event uuid: 954a57ee-8998-438d-af4e-0274f6fa5e43
Indicator of Compromise (IoCs)
Full IoCs are available in Rectifyq's MISP.