http://www.secureworks.com/research/threats/htran/
One of the hostnames mentioned in the Secureworks list is india-videoer.com
(Associated Hostnames)
itiupdated.dyndns.info
bbs.india-videoer.com
news.india-videoer.com
www.india-videoer.com
(Hidden Destination IP/Port)
123.120.102.251:443
http://www.5maila.com/ (Chinese Geo-IP)
The IP address of your search for 123.120.102.251 is: Beijing Unicom ADSL
Domain india-videoer.com
Subdomains
http://www.robtex.com/dns/india-videoer.com.html#shared
bbs.india-videoer.com
news.india-videoer.com
web.india-videoer.com
Domain whois
india videoer king@hotmail.com +86.4712329309
india videoer
dele 1002 street
dele,dele,CN 695014
Domain Name:india-videoer.com
Record last updated at 2011-03-21 02:58:56
Record created on 2011/3/21
Record expired on 2012/3/21
Domain servers in listed order:
ns3.dns-diy.com
ns4.dns-diy.com
DNS-DIY.com is a Chinese DNS provider
Based on the phone number and email, the threat actor also owns three other domains involved in malware:
asiatime.us
asia-online.us
indmin.net
Malware reported on webrow.asiatime.us dated 5th October 2008
http://www.threatexpert.com/report.aspx?uid=849e2016-efec-4d56-a33d-57102b3b7f08
Asiatime.us whois
Technical Contact Name: Asia Time Info
Technical Contact Organization: AII
Technical Contact Address1: 99, Brahmaputra, B.D. Marg, New Delhi
Technical Contact City: new delh
Technical Contact State/Province: new delh
Technical Contact Postal Code: 695014
Technical Contact Country: Afghanistan
Technical Contact Country Code: AF
Technical Contact Phone Number: +86.4712329309
Technical Contact Facsimile Number: +86.4712329309
Technical Contact Email: king_public@hotmail.com
Name Server: NS3.DNS-DIY.COM
Name Server: NS4.DNS-DIY.COM
Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Tue Nov 06 01:28:01 GMT 2007
Domain Expiration Date: Sat Nov 05 23:59:59 GMT 2011
Domain Last Updated Date: Tue Oct 12 00:34:11 GMT 2010
Domain asia-online.us
http://www.robtex.com/dns/asia-online.us.html#shared
Subdomains
down1.asia-online.us
ibm.asia-online.us
news.asia-online.us
sports.asia-online.us
style.asia-online.us
Malware reported on ibm.asia-online.us dated 30th March 2011
http://www.cyberesi.com/2011/03/30/india-united-states-naval-cooperation-doc-analysis/
whois
Domain Name: ASIA-ONLINE.US
Domain ID: D30951343-US
Sponsoring Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Sponsoring Registrar IANA ID: 82
Registrar URL (registration services): nswhois.onlinenic.com
Domain Status: clientTransferProhibited
Registrant ID: OLNI_2653545_0_0
Registrant Name: bkpathak
Registrant Organization: asia online
Registrant Address1: 120511 street
Registrant City: del
Registrant State/Province: New Del
Registrant Postal Code: 695014
Registrant Country: India
Registrant Country Code: IN
Registrant Phone Number: +86.4712329309
Registrant Facsimile Number: +86.4712329309
Registrant Email: king_public@hotmail.com
Registrant Application Purpose: P2
Registrant Nexus Category: C31/AF
Name Server: NS3.DNS-DIY.COM
Name Server: NS4.DNS-DIY.COM
Created by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Last Updated by Registrar: ONLINENIC, INC. D/B/A CHINA-CHANNEL.COM
Domain Registration Date: Mon Nov 22 12:25:19 GMT 2010
Domain Expiration Date: Mon Nov 21 23:59:59 GMT 2011
Domain Last Updated Date: Mon Nov 22 18:05:32 GMT 2010
Domain indmin.net
Subdomains
http://www.robtex.com/dns/indmin.net.html#shared
economics.indmin.net
income.indmin.net
outcome.indmin.net
thrifty.indmin.net
time.indmin.net
www.indmin.net
Malware reported on thrifty.indmin.net dated 29th March 2011
http://www.threatexpert.com/report.aspx?md5=f5437d13428440412cbf5522adb25f8f
whois
Domain Name:indmin.net
Record last updated at 2010-10-11 19:34:52
Record created on 2008/11/4
Record expired on 2011/11/4
Domain servers in listed order:
ns3.dns-diy.com
ns4.dns-diy.com
Administrator:
Name-- delhi
EMail-: (king_public@hotmail.com)
tel --: +86.9111602742
org: indmin company
India New Delhi Panchkuin Marg 5-110
new delhi,other,IN 110029
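The pivot used above (linking domains through a shared registrant phone number and email) as an added Python example; this is not code from the original post. The whois excerpts are constructed from the records quoted above, in both layouts the registrars returned, with example.org added as a control that shares only a name server.

```python
import re
from collections import defaultdict

# Constructed whois excerpts reduced from the records quoted in the post. Both
# layouts seen there appear: "Key: value" lines and the "tel --: value" style.
WHOIS_RECORDS = {
    "india-videoer.com": "tel --: +86.4712329309\nns3.dns-diy.com\nns4.dns-diy.com",
    "asiatime.us": "Technical Contact Phone Number: +86.4712329309\nTechnical Contact "
                   "Email: king_public@hotmail.com\nName Server: NS3.DNS-DIY.COM",
    "asia-online.us": "Registrant Phone Number: +86.4712329309\nRegistrant Email: "
                      "king_public@hotmail.com\nName Server: NS3.DNS-DIY.COM",
    "indmin.net": "EMail-: (king_public@hotmail.com)\ntel --: +86.9111602742\n"
                  "ns3.dns-diy.com ns4.dns-diy.com",
    "example.org": "Registrant Email: nobody@example.org\nName Server: NS3.DNS-DIY.COM",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+\d{1,3}\.\d{6,}")
NS_RE = re.compile(r"\bns\d+\.[\w-]+\.\w+", re.IGNORECASE)

def extract_pivots(text):
    """Pull normalised pivot values (email, phone, name servers) out of raw whois text."""
    return {"email": {m.lower() for m in EMAIL_RE.findall(text)},
            "phone": set(PHONE_RE.findall(text)),
            "ns": {m.lower() for m in NS_RE.findall(text)}}

def cluster_domains(records, strong=("email", "phone")):
    """Group domains transitively by shared strong pivots. Name servers are
    extracted but never used as a link: a shared DNS provider proves little."""
    holders = defaultdict(list)  # (pivot type, value) -> domains carrying it
    for domain, text in records.items():
        for ptype, values in extract_pivots(text).items():
            for value in values:
                holders[(ptype, value)].append(domain)
    parent = {d: d for d in records}  # union-find over domains

    def find(d):
        while parent[d] != d: d = parent[d]
        return d

    links = []  # (type, value, domains) that justified each merge, for the report
    for (ptype, value), domains in holders.items():
        if ptype in strong and len(domains) > 1:
            links.append((ptype, value, tuple(sorted(domains))))
            for d in domains[1:]:
                parent[find(d)] = find(domains[0])
    clusters = defaultdict(set)
    for d in records:
        clusters[find(d)].add(d)
    return sorted((frozenset(c) for c in clusters.values()), key=len, reverse=True), links
```

Review the `links` output before trusting a cluster: a pivot value that is a registrar placeholder or a privacy-proxy contact would join unrelated domains just as readily.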
The threat actor's email "king_public@hotmail.com" is linked to a Kaixin001.com (Chinese social network) profile.
http://www.kaixin001.com/home/?uid=23531652
Wang Liang Chen ( 王亮晨 )
Gender: Male
Hometown:
Current residence: Beijing
There could be many actors, and Wang Liang Chen is one of them, operating from Beijing.
Update -
@joestewart71 Joe Stewart
Nice post on APT actor attribution - not Shady RAT though, it's Wykcores trojan (a variant _was_ seen in RSA breach)
Chinese Threat Actor Part 2