📃Title: RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale
📅Date: 2023-08-08
🔗References:

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • producer="Recorded-Future"
  • threat-actor="Earth-Lusca"
  • malpedia="Brute Ratel C4"
  • malpedia="Cobalt Strike"
  • malpedia="FunnySwitch"
  • malpedia="Spyder"
  • malpedia="Winnti (Windows)"
  • country="china"
  • malpedia="PlugX"
  • malpedia="ShadowPad"
  • malpedia="reGeorg"
  • mitre-attack-pattern=['T1553.002', 'T1574.001', 'T1140', 'T1583.001', 'T1041', 'T1190', 'T1090.002', 'T1036.005', 'T1027', 'T1547.001', 'T1053.005', 'T1584.004', 'T1566.001', 'T1583.003', 'T1595.002', 'T1071.001', 'T1505.003']

MISP event uuid: cdc792d9-86a4-4f7c-8ac2-e0ab2a37d5cd

Indicators of Compromise (IoCs)


Full IOCs available in Rectifyq’s MISP