Rewterz Threat Alert – Double Dragon APT41, a Dual Espionage and Cyber Crime Operation

Thursday, August 8, 2019

Severity

High

Analysis Summary

APT41 espionage operations against the healthcare, high-tech, and telecommunications sectors include establishing and maintaining strategic access, and through mid-2015, the theft of intellectual property.

APT41 is unique among tracked China-based actors in that it leverages non-public malware typically reserved for espionage operations in what appears to be activity that falls outside the scope of state-sponsored missions. Based on early observed activity, consistent behavior, and APT41’s unusual focus on the video game industry, we believe the group’s cyber crime activities are most likely motivated by personal financial gain or hobbyist interests.

image-1565269808.png

Impact

Financial loss

Indicators of Compromise

URLs

  • agegamepay[.]com
  • ageofwuxia[.]com
  • ageofwuxia[.]info
  • ageofwuxia[.]net
  • ageofwuxia[.]org
  • bugcheck.xigncodeservice[.]com
  • byeserver[.]com
  • dnsgogle[.]com
  • gamewushu[.]com
  • gxxservice[.]com
  • ibmupdate[.]com
  • infestexe[.]com
  • kasparsky[.]net
  • linux-update[.]net
  • macfee[.]ga
  • micros0ff[.]com
  • micros0tf[.]com
  • notped[.]com
  • operatingbox[.]com
  • paniesx[.]com
  • serverbye[.]com
  • sexyjapan.ddns[.]info
  • symanteclabs[.]com
  • techniciantext[.]com
  • win7update[.]net
  • xigncodeservice[.]com
  • akbklxp@126[.]com
  • akbklxp@163[.]com
  • hackershby@126[.]com
  • hrsimon59@gmail[.]com
  • injuriesa@126[.]com
  • injuriesa@163[.]com
  • injuriesa@gmail[.]com
  • injuriesa@hotmail[.]com
  • injuriesa@qq[.]com
  • kbklxp@126[.]com
  • petervc1983@gmail[.]com
  • ravinder10@126[.]com
  • ravinder10@hotmail[.]com
  • ravinder10@sohu[.]com
  • wolf_zhi@yahoo[.]com


Malware Hash (MD5/SHA1/SH256)

  • 04fb0ccf3ef309b1cd587f609ab0e81e
  • 0b2e07205245697a749e422238f9f785
  • 272537bbd2a8e2a2c3938dc31f0d2461
  • dd792f9185860e1464b4346254b2101b
  • fcfab508663d9ce519b51f767e902806
  • 5b26f5c7c367d5e976aaba320965cc7f
  • f8c89ccd8937f2b760e6706738210744
  • 46a557fbdce734a6794b228df0195474
  • 77c60e5d2d99c3f63f2aea1773ed4653
  • 849ab91e93116ae420d2fe2136d24a87
  • 36711896cfeb67f599305b590f195aec
  • 7d51ea0230d4692eeedc2d5a4cd66d2d
  • a0a96138b57ee24eed31b652ddf60d4e
  • ba08b593250c3ca5c13f56e2ca97d85e
  • 223e4cc4cf5ce049f300671697a17a01
  • 37e100dd8b2ad8b301b130c2bca3f1ea
  • 557ff68798c71652db8a85596a4bab72
  • 830a09ff05eac9a5f42897ba5176a36a
  • b0877494d36fab1f9f4219c3defbfb19
  • c8403fabda4d036a55d0353520e765c9
  • ff8d92dfbcda572ef97c142017eec658
  • ffd0f34739c1568797891b9961111464
  • 72584d6b7dd10c82d9118567b548b2b1
  • 97363d50a279492fda14cbab53429e75
  • a6c7db170bc7a4ee2cdb192247b59cd6
  • 5e87b09f9a3f1b728c9797560a38764b
  • 8c6cceae2eea92deb6f7632f949293f0

Remediation

  • Block all threat indicators at your respective controls.
  • Always be suspicious about emails sent by unknown senders.
  • Never click on the link/ attachments sent by unknown senders.

Data Sheets

Corporate Brochure


Our Story


Services


Solutions


Managed Security


Upcoming Rewterz Trainings/Events

Rewterz News

  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-14899 – New Linux Vulnerability Inferring and hijacking VPN-tunneled TCP connections
  • 6, December 2019 Rewterz Threat Advisory – CVE-2019-18232 – ICS: Thales DIS SafeNet Sentinel LDK License Manager Runtime Privilege Escalation Vulnerability
  • 5, December 2019 Rewterz Threat Alert – “ZeroCleare” Targets Energy Sector in the Middle East
  • 5, December 2019 Rewterz Threat Alert – CStealer Trojan Targeting Chrome Passwords

Copyright © Rewterz. All rights reserved.