Friday 12 August 2011

Chinese Threat Actor Identified

Follow up on Joe Stewart Analysis

http://www.secureworks.com/research/threats/htran/

One of the hostnames mentioned in the Secureworks list is india-videoer.com.


(Associated Hostnames)

itiupdated.dyndns.info

bbs.india-videoer.com
news.india-videoer.com
www.india-videoer.com

(Hidden Destination IP/Port)

123.120.102.251:443


http://www.5maila.com/ (Chinese Geo-IP)

The IP address of your search for 123.120.102.251 is: Beijing Unicom ADSL


Domain india-videoer.com

Subdomains

http://www.robtex.com/dns/india-videoer.com.html#shared

bbs.india-videoer.com
news.india-videoer.com
web.india-videoer.com

Domain whois


india videoer king@hotmail.com +86.4712329309
india videoer
dele 1002 street
dele,dele,CN 695014

Domain Name:india-videoer.com
Record last updated at 2011-03-21 02:58:56
Record created on 2011/3/21
Record expired on 2012/3/21

Domain servers in listed order:

ns3.dns-diy.com
ns4.dns-diy.com


DNS-DIY.com is a Chinese DNS provider.

Based on the phone number and email address, the threat actor also owns three other domains involved in malware:

asiatime.us
asia-online.us
indmin.net

Domain asiatime.us

Malware reported on webrow.asiatime.us dated 5th October 2008

http://www.threatexpert.com/report.aspx?uid=849e2016-efec-4d56-a33d-57102b3b7f08

Asiatime.us whois

Technical Contact Name: Asia Time Info
Technical Contact Organization: AII
Technical Contact Address1: 99, Brahmaputra, B.D. Marg, New Delhi
Technical Contact City: new delh
Technical Contact State/Province: new delh
Technical Contact Postal Code: 695014
Technical Contact Country: Afghanistan
Technical Contact Country Code: AF
Technical Contact Phone Number: +86.4712329309
Technical Contact Facsimile Number: +86.4712329309
Technical Contact Email: king_public@hotmail.com
Name Server: NS3.DNS-DIY.COM
Name Server: NS4.DNS-DIY.COM

Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Tue Nov 06 01:28:01 GMT 2007
Domain Expiration Date: Sat Nov 05 23:59:59 GMT 2011
Domain Last Updated Date: Tue Oct 12 00:34:11 GMT 2010

Domain asia-online.us

http://www.robtex.com/dns/asia-online.us.html#shared

Subdomains

down1.asia-online.us
ibm.asia-online.us
news.asia-online.us
sports.asia-online.us
style.asia-online.us

Malware reported on ibm.asia-online.us dated 30th March 2011

http://www.cyberesi.com/2011/03/30/india-united-states-naval-cooperation-doc-analysis/

whois

Domain Name: ASIA-ONLINE.US
Domain ID: D30951343-US
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID: 82
Registrar URL (registration services): nswhois.onlinenic.com
Domain Status: clientTransferProhibited
Registrant ID: OLNI_2653545_0_0
Registrant Name: bkpathak
Registrant Organization: asia online
Registrant Address1: 120511 street
Registrant City: del
Registrant State/Province: New Del
Registrant Postal Code: 695014
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +86.4712329309
Registrant Facsimile Number: +86.4712329309
Registrant Email: king_public@hotmail.com
Registrant Application Purpose: P2
Registrant Nexus Category: C31/AF
Name Server: NS3.DNS-DIY.COM
Name Server: NS4.DNS-DIY.COM

Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Mon Nov 22 12:25:19 GMT 2010
Domain Expiration Date: Mon Nov 21 23:59:59 GMT 2011
Domain Last Updated Date: Mon Nov 22 18:05:32 GMT 2010


Domain indmin.net

Subdomains

http://www.robtex.com/dns/indmin.net.html#shared

economics.indmin.net
income.indmin.net
outcome.indmin.net
thrifty.indmin.net
time.indmin.net
www.indmin.net

Malware reported on thrifty.indmin.net dated 29th March 2011

http://www.threatexpert.com/report.aspx?md5=f5437d13428440412cbf5522adb25f8f


whois

Domain Name:indmin.net
Record last updated at 2010-10-11 19:34:52
Record created on 2008/11/4
Record expired on 2011/11/4

Domain servers in listed order:

ns3.dns-diy.com
ns4.dns-diy.com

Administrator:
Name-- delhi
EMail-: (king_public@hotmail.com)
tel --: +86.9111602742
org: indmin company
India New Delhi Panchkuin Marg 5-110
new delhi,other,IN 110029
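The registrant pivot used above (the same phone number and email address recurring across whois records), as an added example that is not part of the original post: the contact fields quoted here are re-typed as constructed sample input, one constructed unrelated domain is added as a control, and the domains are clustered transitively, so the phone links india-videoer.com to asiatime.us and asia-online.us, and the email links those to indmin.net.

```python
import re
from collections import defaultdict

# Constructed sample input: contact fields re-typed from the whois records quoted
# in this post, plus one unrelated domain as a control. Labels differ per registrar.
WHOIS_RECORDS = {
    "india-videoer.com": "india videoer king@hotmail.com +86.4712329309\n",
    "asiatime.us": "Technical Contact Phone Number: +86.4712329309\n"
                   "Technical Contact Email: king_public@hotmail.com\n",
    "asia-online.us": "Registrant Phone Number: +86.4712329309\n"
                      "Registrant Email: king_public@hotmail.com\n",
    "indmin.net": "EMail-: (king_public@hotmail.com)\ntel --: +86.9111602742\n",
    "unrelated.example": "Registrant Email: someone@example.net\nRegistrant Phone Number: +1.5550100\n",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+\d{1,3}\.\d{6,}")  # registrar style, e.g. +86.4712329309

def extract_pivots(text):
    """Return {('email', v), ('phone', v)} found in one record. Name servers are not
    pivots: a shared provider such as dns-diy.com links thousands of unrelated domains."""
    pivots = {("email", m.lower()) for m in EMAIL_RE.findall(text)}
    pivots |= {("phone", m) for m in PHONE_RE.findall(text)}
    return pivots

def shared_pivots(records, a, b):
    """Direct evidence tying two domains together (empty if linked only transitively)."""
    return extract_pivots(records[a]) & extract_pivots(records[b])

def cluster_domains(records):
    """Connected components over shared pivots (union-find): A-phone-B-email-C cluster."""
    by_pivot = defaultdict(set)
    for domain, text in records.items():
        for pivot in extract_pivots(text):
            by_pivot[pivot].add(domain)
    parent = {d: d for d in records}
    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d
    for domains in by_pivot.values():
        first = next(iter(domains))
        for d in domains:
            parent[find(d)] = find(first)
    clusters = defaultdict(set)
    for d in records:
        clusters[find(d)].add(d)
    return sorted(sorted(c) for c in clusters.values())
```

The same routine is what a defender runs over a batch of whois records to expand a single reported domain into the related infrastructure worth blocking or watching; shared_pivots shows which field justified each link.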



The threat actor's email address "king_public@hotmail.com" is linked to a profile on Kaixin001.com (a Chinese social network).

http://www.kaixin001.com/home/?uid=23531652

Wang Liang Chen (王亮晨)

Gender: Male
Hometown:
Current residence: Beijing



There could be many actors, and Wang Liang Chen is one of them, operating from Beijing.

Update -

@joestewart71 Joe Stewart

Nice post on APT actor attribution - not Shady RAT though, it's Wykcores trojan (a variant _was_ seen in RSA breach)



Chinese Threat Actor Part 2
