Today Symantec reported a targeted spearphishing attack that used the Mandiant APT1 report as bait. Brandon Dixon at 9b+ followed up with an analysis of “Mandiant_APT2_Report.pdf” and identified the command and control infrastructure as itsec.eicp[.]net, reminding us that the same infrastructure was also used to target OSX users in the 5 December Contagio posting.
ThreatConnect.com has been monitoring itsec.eicp[.]net rotating through two dynamic Beijing netranges consistently for several months, allowing us to conduct broader target development of this Chinese APT group. Most noteworthy, Cyber Squared tracks another APT group using the same two dynamic Beijing netranges.
This second APT threat group has been seen in other targeting campaigns, as noted in an 18 September 2012 SecureWorks posting. We have identified several of the registrants tied to this threat, most notably qingwa20112011 [at] 163.com, which dates back to a May 2011 Contagio posting.
Malicious Registrants
- qingwa20112011 [at] 163.com
- dnsjacks [at] yahoo.com
- usa876543210 [at] 126.com
- zhaobiao80 [at] 126.com
- gary9516 [at] gmail.com
Malicious Domains
The following 99 subdomains have been observed overlapping with the dynamic Beijing source ranges associated with the malicious command and control infrastructure:
ip.iphonesyslog[.]com
isa.iphonesyslog[.]com
net.iphonesyslog[.]com
sky.iphonesyslog[.]com
www.iphonesyslog[.]com
asia.iphonesyslog[.]com
euro.iphonesyslog[.]com
info.iphonesyslog[.]com
land.iphonesyslog[.]com
mail.iphonesyslog[.]com
shop.iphonesyslog[.]com
admin.iphonesyslog[.]com
apple.iphonesyslog[.]com
aol.offlinewebpage[.]com
atm.offlinewebpage[.]com
bbs.offlinewebpage[.]com
bcc.offlinewebpage[.]com
cnn.offlinewebpage[.]com
dnn.offlinewebpage[.]com
msn.offlinewebpage[.]com
www.offlinewebpage[.]com
mail.offlinewebpage[.]com
news.offlinewebpage[.]com
egypt.offlinewebpage[.]com
gmail.offlinewebpage[.]com
linux.offlinewebpage[.]com
yahoo.offlinewebpage[.]com
google.offlinewebpage[.]com
artical.offlinewebpage[.]com
outlook.offlinewebpage[.]com
windows.offlinewebpage[.]com
app.iphone4ios[.]com
www.iphone4ios[.]com
apps.iphone4ios[.]com
bbs.pluginfacebook[.]com
www.pluginfacebook[.]com
help.pluginfacebook[.]com
update.pluginfacebook[.]com
g.msngroups[.]net
www.msngroups[.]net
share.msngroups[.]net
static.msngroups[.]net
it.macfeeonline[.]com
msn.macfeeonline[.]com
www.macfeeonline[.]com
mail.macfeeonline[.]com
news.macfeeonline[.]com
yahoo.macfeeonline[.]com
spaces.macfeeonline[.]com
update.macfeeonline[.]com
upload.macfeeonline[.]com
service.macfeeonline[.]com
security.macfeeonline[.]com
cnn.cnnonlie[.]com
dns.cnnonlie[.]com
msn.cnnonlie[.]com
www.cnnonlie[.]com
care.cnnonlie[.]com
news.cnnonlie[.]com
update.cnnonlie[.]com
www.live-facebook[.]com
club.live-facebook[.]com
help.live-facebook[.]com
live.live-facebook[.]com
mail.live-facebook[.]com
news.live-facebook[.]com
sffs.live-facebook[.]com
de-de.live-facebook[.]com
linux.live-facebook[.]com
windows.live-facebook[.]com
microsoft.live-facebook[.]com
yahoogroup.live-facebook[.]com
go.tradebureau[.]org
isa.tradebureau[.]org
net.tradebureau[.]org
asia.tradebureau[.]org
cetv.tradebureau[.]org
euro.tradebureau[.]org
mail.tradebureau[.]org
facebook.tradebureau[.]org
planning.tradebureau[.]org
statistics.tradebureau[.]org
bbs.live-msn[.]net
pic.live-msn[.]net
www.live-msn[.]net
bing.live-msn[.]net
club.live-msn[.]net
help.live-msn[.]net
mail.live-msn[.]net
news.live-msn[.]net
linux.live-msn[.]net
yahoo.live-msn[.]net
update.live-msn[.]net
microsoft.update.live-msn[.]net
webmail.live-msn[.]net
windows.live-msn[.]net
newstime.live-msn[.]net
microsoft.live-msn[.]net
yahoomail.live-msn[.]net
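As an added illustration of how a defender turns a list like this into something a detection pipeline can use (example code added here, not ThreatConnect's or Cyber Squared's own tooling): the script below refangs the “[.]” and “[at]” notation used above, groups the names by apex domain, and checks DNS query log lines against the indicator set. The log lines, their BIND-style format, and the treatment of eicp.net as a shared dynamic-DNS provider (matched exactly rather than by apex, to avoid flagging unrelated names under it) are assumptions of this example, not statements from the post.

```python
"""Refang report-style indicators and match them against DNS query logs.

Added example, not code from the post. Indicator strings are a subset of
those listed above; the DNS log lines are constructed for this example.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Subset of the defanged indicators from the post.
DEFANGED_DOMAINS = [
    "itsec.eicp[.]net",
    "apple.iphonesyslog[.]com",
    "update.macfeeonline[.]com",
    "microsoft.update.live-msn[.]net",
    "statistics.tradebureau[.]org",
]
DEFANGED_EMAILS = [
    "qingwa20112011 [at] 163.com",
    "dnsjacks [at] yahoo.com",
]

# Assumption: eicp.net is a shared dynamic-DNS provider, so only the exact
# reported name is flagged; blocking the whole apex would overblock.
EXACT_ONLY_APEXES = {"eicp.net"}


def refang(indicator: str) -> str:
    """Turn defanging ('[.]', '(.)', ' [at] ') back into a plain indicator."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"\s*\[at\]\s*", "@", s)
    return s


def apex_domain(fqdn: str) -> str:
    """Registrable domain, assuming a single-label public suffix (.com/.net/.org)."""
    return ".".join(fqdn.split(".")[-2:])


def group_by_apex(defanged: list[str]) -> dict[str, list[str]]:
    """Map each apex domain to the refanged indicator names beneath it."""
    groups: dict[str, list[str]] = defaultdict(list)
    for d in defanged:
        fq = refang(d)
        groups[apex_domain(fq)].append(fq)
    return dict(groups)


def build_matcher(defanged: list[str]):
    """Predicate: exact indicator hit, or any name under an attacker-owned apex."""
    exact = {refang(d) for d in defanged}
    apexes = {apex_domain(n) for n in exact} - EXACT_ONLY_APEXES

    def is_hit(qname: str) -> bool:
        q = qname.rstrip(".").lower()
        return q in exact or any(q == a or q.endswith("." + a) for a in apexes)

    return is_hit


# Constructed BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = """\
10-Feb-2013 09:12:01.110 client 10.0.0.15#53122: query: itsec.eicp.net IN A
10-Feb-2013 09:12:05.220 client 10.0.0.15#53123: query: www.example.com IN A
10-Feb-2013 09:13:40.004 client 10.0.0.22#41001: query: help.live-msn.net IN A
10-Feb-2013 09:14:02.900 client 10.0.0.22#41002: query: other.eicp.net IN A
10-Feb-2013 09:15:11.431 client 10.0.0.31#50210: query: apple.iphonesyslog.com IN A
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def find_hits(log_text: str, defanged: list[str]) -> list[tuple[str, str]]:
    """Return (client, qname) pairs whose query matches the indicator set."""
    is_hit = build_matcher(defanged)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_hit(m.group("qname")):
            hits.append((m.group("client"), m.group("qname")))
    return hits


if __name__ == "__main__":
    for apex, names in sorted(group_by_apex(DEFANGED_DOMAINS).items()):
        print(f"{apex}: {len(names)} indicator(s)")
    for client, qname in find_hits(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"ALERT {client} queried {qname}")
```

Matching on the apex domain, not just the listed subdomain, is the useful part: the post lists 99 subdomains across a handful of attacker-registered apexes, and a query for a subdomain not yet on the list (here `help.live-msn.net`) still surfaces. The exact-only exception exists precisely because that logic is wrong for names hosted under a shared dynamic-DNS provider.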