📃Title: APT40 targeting Malaysia government officials
📅Date: 2020-02-05
🔗References:
- https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9
- https://www.mycert.org.my/portal/advisory?id=MA-770.022020
- https://www.zdnet.com/article/malaysia-warns-of-chinese-hacking-campaign-targeting-government-projects/
- https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=e605c78d-4f22-4ca9-9de4-70681a069ea9
Description
MyCERT observed an increase in the number of artifacts and victims involving a campaign against Malaysian Government officials by a specific threat group. The group's motive is believed to be data theft and exfiltration.
- Reconnaissance: The group has leveraged previously compromised email addresses, or impersonated email addresses, to send spear-phishing emails.
- Delivery: Spear-phishing emails with malicious attachments, although delivery via Google Drive has also been observed. This includes pretending to be a journalist, an individual from a trade publication, or someone from a relevant military organization or non-governmental organization (NGO).
- Weaponization: A Microsoft Office document with a macro that, once enabled, extracts a malicious executable which downloads the loader.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: intrusion-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="Malaysia"
- threat-actor="APT40"
- sector="Government, Administration"
- producer="Medium"
- mitre-attack-pattern=["T1193", "T1203", "T1073"]
MISP event uuid: 954a57ee-8998-438d-af4e-0274f6fa5e43
Indicator of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP