
I Got 99 Problems But a Phish Ain’t One

Today Symantec reported a targeted attack that used the Mandiant APT1 report as bait for a spearphishing attack. Brandon Dixon at 9b+ followed up with the analysis of “Mandiant_APT2_Report.pdf” and identified the command and control infrastructure as itsec.eicp[.]net, reminding us that the same infrastructure was also used to target OSX users in the 5 December Contagio posting.

ThreatConnect.com has been monitoring itsec.eicp[.]net rotating through two dynamic Beijing netranges consistently for several months, allowing us to conduct broader target development of this Chinese APT group. Most noteworthy, Cyber Squared tracks another APT group using the same two dynamic Beijing netranges.

This second APT threat group has been seen in other targeting campaigns, as noted in an 18 September 2012 SecureWorks posting. We have identified several of the registrants tied to this threat, most notably qingwa20112011 [at] 163.com, dating back to a May 2011 Contagio posting.

Malicious Registrants

  • qingwa20112011 [at] 163.com
  • dnsjacks [at] yahoo.com
  • usa876543210 [at] 126.com
  • zhaobiao80 [at] 126.com
  • gary9516 [at] gmail.com

Malicious Domains

The following 99 subdomains have been observed overlapping with the dynamic Beijing source ranges associated with the malicious command and control infrastructure:

ip.iphonesyslog[.]com
isa.iphonesyslog[.]com
net.iphonesyslog[.]com
sky.iphonesyslog[.]com
www.iphonesyslog[.]com
asia.iphonesyslog[.]com
euro.iphonesyslog[.]com
info.iphonesyslog[.]com
land.iphonesyslog[.]com
mail.iphonesyslog[.]com
shop.iphonesyslog[.]com
admin.iphonesyslog[.]com
apple.iphonesyslog[.]com
aol.offlinewebpage[.]com
atm.offlinewebpage[.]com
bbs.offlinewebpage[.]com
bcc.offlinewebpage[.]com
cnn.offlinewebpage[.]com
dnn.offlinewebpage[.]com
msn.offlinewebpage[.]com
www.offlinewebpage[.]com
mail.offlinewebpage[.]com
news.offlinewebpage[.]com
egypt.offlinewebpage[.]com
gmail.offlinewebpage[.]com
linux.offlinewebpage[.]com
yahoo.offlinewebpage[.]com
google.offlinewebpage[.]com
artical.offlinewebpage[.]com
outlook.offlinewebpage[.]com
windows.offlinewebpage[.]com
app.iphone4ios[.]com
www.iphone4ios[.]com
apps.iphone4ios[.]com
bbs.pluginfacebook[.]com
www.pluginfacebook[.]com
help.pluginfacebook[.]com
update.pluginfacebook[.]com
g.msngroups[.]net
www.msngroups[.]net
share.msngroups[.]net
static.msngroups[.]net
it.macfeeonline[.]com
msn.macfeeonline[.]com
www.macfeeonline[.]com
mail.macfeeonline[.]com
news.macfeeonline[.]com
yahoo.macfeeonline[.]com
spaces.macfeeonline[.]com
update.macfeeonline[.]com
upload.macfeeonline[.]com
service.macfeeonline[.]com
security.macfeeonline[.]com
cnn.cnnonlie[.]com
dns.cnnonlie[.]com
msn.cnnonlie[.]com
www.cnnonlie[.]com
care.cnnonlie[.]com
news.cnnonlie[.]com
update.cnnonlie[.]com
www.live-facebook[.]com
club.live-facebook[.]com
help.live-facebook[.]com
live.live-facebook[.]com
mail.live-facebook[.]com
news.live-facebook[.]com
sffs.live-facebook[.]com
de-de.live-facebook[.]com
linux.live-facebook[.]com
windows.live-facebook[.]com
microsoft.live-facebook[.]com
yahoogroup.live-facebook[.]com
go.tradebureau[.]org
isa.tradebureau[.]org
net.tradebureau[.]org
asia.tradebureau[.]org
cetv.tradebureau[.]org
euro.tradebureau[.]org
mail.tradebureau[.]org
facebook.tradebureau[.]org
planning.tradebureau[.]org
statistics.tradebureau[.]org
bbs.live-msn[.]net
pic.live-msn[.]net
www.live-msn[.]net
bing.live-msn[.]net
club.live-msn[.]net
help.live-msn[.]net
mail.live-msn[.]net
news.live-msn[.]net
linux.live-msn[.]net
yahoo.live-msn[.]net
update.live-msn[.]net
microsoft.update.live-msn[.]net
webmail.live-msn[.]net
windows.live-msn[.]net
newstime.live-msn[.]net
microsoft.live-msn[.]net
yahoomail.live-msn[.]net
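The indicators above are published defanged (`[.]` and ` [at] `), so the first thing a defender has to do with them is refang and normalize before matching. The script below is an added example, not ThreatConnect's code: it refangs a constructed subset of the list (one representative host per registered domain; the full 99 entries are above), derives the ten registered domains, and runs a constructed set of BIND-style DNS query-log lines (the log format is assumed) against both the exact hostnames and their parent domains. Matching on the parent domain is a design assumption of this example, on the reasoning that an attacker-registered domain can sprout hosts beyond the ones enumerated here.

```python
import re

# Constructed subset of the defanged subdomains listed in the post: one representative
# host per registered domain. The complete 99-entry list is in the post itself.
DEFANGED_SUBDOMAINS = """
admin.iphonesyslog[.]com
outlook.offlinewebpage[.]com
app.iphone4ios[.]com
update.pluginfacebook[.]com
static.msngroups[.]net
security.macfeeonline[.]com
update.cnnonlie[.]com
microsoft.live-facebook[.]com
statistics.tradebureau[.]org
update.live-msn[.]net
microsoft.update.live-msn[.]net
"""

# Two of the registrant addresses from the post, in the post's defanged notation.
DEFANGED_REGISTRANTS = """
qingwa20112011 [at] 163.com
dnsjacks [at] yahoo.com
"""


def refang(indicator):
    """Reverse the post's defanging ('[.]' -> '.', ' [at] ' -> '@') and lower-case."""
    return indicator.strip().replace("[.]", ".").replace(" [at] ", "@").lower()


def parse_indicators(text):
    """One indicator per non-empty line; returns refanged strings in list order."""
    return [refang(line) for line in text.splitlines() if line.strip()]


def registered_domain(fqdn):
    """Last two labels of a hostname. Adequate for the .com/.net/.org names in the post;
    a public-suffix list would be needed for names such as example.co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def build_watchlist(defanged_text):
    """Return (set of exact FQDNs, set of their registered domains)."""
    fqdns = set(parse_indicators(defanged_text))
    apexes = {registered_domain(f) for f in fqdns}
    return fqdns, apexes


# Constructed sample DNS query-log lines in BIND9 query-log style (format assumed).
# Line 3 deliberately uses upper case and a trailing dot to exercise normalization.
SAMPLE_DNS_LOG = """\
18-Feb-2013 10:01:02.123 client 10.0.0.5#51234: query: www.example.com IN A + (10.0.0.1)
18-Feb-2013 10:01:03.456 client 10.0.0.7#51235: query: update.live-msn.net IN A + (10.0.0.1)
18-Feb-2013 10:01:04.789 client 10.0.0.9#51236: query: CDN.MACFEEONLINE.COM. IN A + (10.0.0.1)
18-Feb-2013 10:01:05.000 client 10.0.0.9#51237: query: mail.notoffinewebpage.com IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[0-9.]+)#\d+: query: (?P<qname>\S+) IN ")


def find_hits(log_text, exact, apexes):
    """Match each queried name against the watchlist.

    'exact'  -> the queried name is one of the listed subdomains.
    'parent' -> only its registered domain is listed (assumption: a new host under an
                attacker-registered domain is still worth an alert).
    """
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in exact:
            hits.append((m.group("client"), qname, "exact"))
        elif registered_domain(qname) in apexes:
            hits.append((m.group("client"), qname, "parent"))
    return hits


if __name__ == "__main__":
    exact, apexes = build_watchlist(DEFANGED_SUBDOMAINS)
    for client, qname, kind in find_hits(SAMPLE_DNS_LOG, exact, apexes):
        print(f"{kind:6} {client:12} {qname}")
    print("registrants:", parse_indicators(DEFANGED_REGISTRANTS))
```

Note that `mail.notoffinewebpage.com` in the sample log does not match: the check is on whole labels, not substrings, which avoids false positives on look-alike names that merely contain a listed domain. Replace the sample log with a real query-log feed and the constructed subset with the full list above to use it as a simple retro-hunt.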

About the Author

ThreatConnect

By operationalizing threat and cyber risk intelligence, The ThreatConnect Platform changes the security operations battlefield, giving your team the advantage over the attackers. It enables you to maximize the efficacy and value of your threat intelligence and human knowledge, leveraging the native machine intelligence in the ThreatConnect Platform. Your team will maximize their impact, efficiency, and collaboration to become a proactive force in protecting the enterprise. Learn more at www.threatconnect.com.