Uncovering the Chinese Proxy Service Used in APT Campaigns
The Leak That Sparked the Investigation
Late last week, a data dump allegedly from a workstation of a threat actor who has been targeting organizations in South Korea and Taiwan was dropped on the website DDoSecrets.com, a leak site sometimes described as a successor to WikiLeaks, known for publishing sensitive and sometimes hacked data.
The author of this leak attributes this threat activity to the North Korean APT actor known as Kimsuky. Whether or not that is an accurate attribution is outside the scope of this post; we’ll leave that up to the threat intelligence shops to validate or refute.
Spur specializes in identifying and labeling anonymizing infrastructure, so when a customer tipped us off to the IP address this threat actor was using, we set out to identify the actual VPN or proxy service behind it. This is a good case study in IP attribution in APT campaigns.
Pivoting From IP Address to Proxy …
IoC
http://ganode.org
http://cTAX2K93hsoCm8MXX6eY.ganode.org
http://156.59.13.153
http://appletls.com
http://mf429xciejryees2cusm.appletls.com
156.59.13.153
a26c0e8b1491eda727fd88b629ce886666387ef5
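The IoC list above mixes URLs, a bare IP, hostnames and a 40-hex-character hash, and the scraped copy repeats several entries. Before loading such a list into a blocklist or a detection rule, an analyst normally classifies each indicator, strips URL scheme noise, de-duplicates, and defangs for sharing. The script below is an added example written for this post; it is not Spur's tooling. It uses the indicators printed above as its constructed input. The grouping of hostnames by their last two labels is a deliberate simplification (no public-suffix list), and the hash is only typed by its length, not by what it identifies.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed input: the IoC block from the post, including the duplicate
# lines that appear in the scraped copy.
RAW_IOCS = """
http://ganode.org
http://cTAX2K93hsoCm8MXX6eY.ganode.org
http://156.59.13.153
http://appletls.com
http://mf429xciejryees2cusm.appletls.com
156.59.13.153
a26c0e8b1491eda727fd88b629ce886666387ef5
http://cTAX2K93hsoCm8MXX6eY.ganode.org
156.59.13.153
"""

# 40 hex chars is SHA-1 length; we only type it, we do not assume what it hashes.
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")
# Conservative hostname shape: dotted labels ending in an alphabetic TLD.
HOSTNAME = re.compile(r"^(?=.{1,253}$)([a-zA-Z0-9-]{1,63}\.)+[a-zA-Z]{2,63}$")


def classify(token):
    """Return (kind, normalized_value) for one IoC line, or None for blanks."""
    token = token.strip()
    if not token:
        return None
    if HEX40.match(token):
        return ("hash40", token.lower())
    host = token
    if "://" in token:
        # Reduce a URL to its host so http://1.2.3.4 and 1.2.3.4 collapse together.
        host = urlsplit(token).hostname or ""
    try:
        ipaddress.ip_address(host)
        return ("ip", host)
    except ValueError:
        pass
    if HOSTNAME.match(host):
        # DNS names are case-insensitive, so lower-casing is safe for de-duplication.
        return ("domain", host.lower())
    return ("unknown", token)


def parse_iocs(text):
    """Classify and de-duplicate indicators, preserving first-seen order per kind."""
    by_kind = {}
    for line in text.splitlines():
        item = classify(line)
        if item is None:
            continue
        kind, value = item
        bucket = by_kind.setdefault(kind, [])
        if value not in bucket:
            bucket.append(value)
    return by_kind


def registrable_parents(domains):
    """Group hostnames under their apex domain (simplified: last two labels)."""
    parents = {}
    for name in domains:
        parent = ".".join(name.split(".")[-2:])
        parents.setdefault(parent, []).append(name)
    return parents


def defang(value):
    """Defang a domain or IP for safe sharing in reports."""
    return value.replace(".", "[.]")


if __name__ == "__main__":
    iocs = parse_iocs(RAW_IOCS)
    for kind, values in iocs.items():
        print(kind)
        for v in values:
            print("  ", defang(v) if kind in ("ip", "domain") else v)
    print("apex grouping:", registrable_parents(iocs["domain"]))
```

Grouping the hostnames by apex makes it obvious that the two long random-looking labels are subdomains of ganode.org and appletls.com, so a detection on the apex domains covers the per-victim or per-campaign subdomains as well as any new ones the operator generates later.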