📃Title: Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia
📅Date: 2021-12-08
🔗References:

Description

Recorded Future’s Insikt Group tracks Chinese state-sponsored cyber espionage operations targeting government and private sector organizations across Southeast Asia. In this report, they highlight multiple examples of activity reported to Recorded Future clients throughout 2021.

🔖Rectifyq Taxonomies:

🔖MISP Galaxies:

  • target-information=“Cambodia”
  • target-information=“Malaysia”
  • target-information=“Philippines”
  • target-information=“Vietnam”
  • target-information=“Thailand”
  • target-information=“Indonesia”
  • producer Recorded-Future
  • sector=“Government, Administration”
  • sector=“Military”
  • sector=“Police - Law enforcement”
  • malpedia=“FunnyDream”
  • malpedia=“Cobalt Strike”
  • malpedia=“ShadowPad”
  • malpedia=“Trochilus RAT”
  • malpedia=“8.t Dropper”
  • malpedia=“NewCore RAT”
  • target-information=“Laos”
  • malpedia=“Chinoxy”
  • mitre-attack-pattern=[]

MISP event uuid: fbf292a8-ce2d-4811-882f-34fb7dd1c26b

Indicators of Compromise (IoCs)

Full IoCs available in Rectifyq's MISP.