www.clearskysec.com Open in urlscan Pro
107.154.150.1  Public Scan

URL: https://www.clearskysec.com/winnti/
Submission: On October 18 via manual from JP — Scanned from JP

Form analysis 1 forms found in the DOM

GET https://www.clearskysec.com/

<form role="search" method="get" action="https://www.clearskysec.com/">
  <div class="input-group theme-form-group">
    <input type="text" name="s" id="s" class="form-control input-lg" value="" placeholder="Search">
    <span class="input-group-btn">
      <button type="submit" class="btn btn-primary btn-sm">
        <i class="fa fa-search fa-2x"></i>
      </button>
    </span>
  </div>
</form>

Text Content

Skip to content
Open navigation

ClearSky Cyber Security

Close navigation
 * Services
   * Threat Intelligence
   * Pay per report – APT Group research
   * Cyber strategy
   * Cyber architecture
   * Cyber Tabletop Exercise
 * Blog
 * Company
   * About
   * Team
   * Leadership
   * Careers
 * Partners
 * Contact us


BLOG


RECENT WINNTI INFRASTRUCTURE AND SAMPLES

Posted on July 18, 2017 by ClearSky Research Team

On July 17, 2017, we detected a malicious document in VirusTotal exploiting
CVE-2017-0199. By pivoting off of the infrastructure we learned that it is
related to Winnti, a Chinese threat actor that is mostly targeting the gaming
industry. Below we outline initial findings.

The malicious file, named curriculum vitae.rtf
(58c66b3ddbc0df9810119bb688ea8fb0) was uploaded from Turkey. Its content is
presented below (we redacted personally identifiable information):



When the document is opened, it downloads and runs a file from the following
URL:

http://54.245.195[.]101/test.rtf

Which contains a short VBS script:



The script downloads and runs an executable (a4b2a6883ba0451429df29506a1f6995)
from the following URL:

http://54.245.195[.]101/shell.exe

Which uses backup.aolonline[.]cc as command and control server.


INDICATORS OF COMPROMISE

Pivoting on IPs, code signing certificates, and domain registration details, we
found further parts of the infrastructure, some got back to 2015. Most of them
have been tagged as relating to “Casper aka LEAD” in a public PassiveTotal
project by Cylance (However, we could not find a public report). Most sample
were detected by Proofpoint as “ETPRO TROJAN Casper/LEAD DNS Lookup” (this
signature was published in May 03, 2017).

The Maltego graph below depicts the relationship among the indicators (click to
enlarge):



Domain googlesoftservice[.]net Domain igooglefiles[.]com Domain aolonline[.]cc
Domain facebooknavigation[.]com Domain googlecustomservice[.]com Domain
find2find[.]com Domain tiwwter[.]net Domain luckhairs[.]com Domain
googlerenewals[.]net Domain pornsee[.]tv EmailAddress YYTXCONNECTICUT@GMAIL.COM
EmailAddress SUNWARE1@AOL.COM EmailAddress LILEMINNESOTA@HOTMAIL.COM
EmailAddress DSFSAF@GMAIL.COM EmailAddress 13836469977@139.com EmailAddress
FUCKCCDDEEFFF@GMAIL.COM EmailAddress YYTXCONNECTICUT@GMAIL.COM EmailAddress
LILEMINNESOTA@HOTMAIL.COM Filename NSLS.dll Filename HelpPane.exe Filename
nsls.dll Filename conf.exe Filename HelpPane.exe Filename msimain17.sdb Filename
shell.exe Filename 715578187~.exe Filename COMSysAppLauncher.exe Filename
SysAppLauncher.dll Filename curriculumvitae.rtf Filename cryptbase.exe Filename
sign.exe Filename mess.exe Filename cryptbasesvc.dll Filename
video(20170201)_2.exe Filename cryptbasesvc.dll Filename cryptbase.dll Filename
COMSystemApplicationLauncher.dll Hash 09ec3b13ee8c84e07f5c55b0fa296e40 Hash
d8cc0485a7937b28fc242fbc69331014 Hash 5096b87a9dec78f9027dec76a726546d Hash
e4c5cb83ae9c406b4191331ef5bef8ff Hash 09ec3b13ee8c84e07f5c55b0fa296e40 Hash
32c0c3bfa07220b489d8ff704be21acc Hash 82496f6cede2d2b8758df1b6dc5c10a2 Hash
27491f061918f12dcf43b083558f4387 Hash 5096b87a9dec78f9027dec76a726546d Hash
58c66b3ddbc0df9810119bb688ea8fb0 Hash a4b2a6883ba0451429df29506a1f6995 Hash
e88f812a30cfb9fc03c4e41be0619c98 Hash f4da908122d8e8f9af9cf4427a95dd79
IPv4Address 180.150.226.207 IPv4Address 103.86.84.124 IPv4Address 61.33.155.97
IPv4Address 103.212.222.86 IPv4Address 42.236.84.118 IPv4Address 14.33.133.78
IPv4Address 45.77.3.152 IPv4Address 54.245.195.101 IPv4Address 45.77.6.44 URL
http://54.245.195[.]101/sign.exe URL http://54.245.195[.]101/test.rtf URL
http://54.245.195[.]101/shell.exe URL http://54.245.195[.]101/mess.exe URL
http://signup.facebooknavigation[.]com/ Host mess[.]googlerenewals[.]net Host
us[.]igooglefiles[.]com Host signup[.]facebooknavigation[.]com Host
signup[.]facebooknavigation[.]com Host signup[.]facebooknavigation[.]com Host
bot[.]new[.]googlecustomservice[.]com Host jp[.]googlerenewals[.]net Host
xn--360tmp-k02m[.]new[.]googlecustomservice[.]com Host us[.]igooglefiles[.]com
Host cdn[.]igooglefiles[.]com Host
xn--360tmp-k02m[.]tmp[.]googlecustomservice[.]com Host
xn--360tmp-k02m[.]www[.]googlecustomservice[.]com Host
ftp[.]googlecustomservice[.]com Host game[.]googlecustomservice[.]com Host
www[.]googlecustomservice[.]com Host new[.]googlecustomservice[.]com Host
bot[.]googlecustomservice[.]com Host vnew[.]googlecustomservice[.]com Host
tmp[.]googlecustomservice[.]com Host xn--360tmp-k02m[.]googlecustomservice[.]com
Host hk[.]uk[.]igooglefiles[.]com Host us[.]uk[.]igooglefiles[.]com Host
www[.]uk[.]igooglefiles[.]com Host lead1[.]uk[.]igooglefiles[.]com Host
cdn[.]uk[.]igooglefiles[.]com Host show[.]uk[.]igooglefiles[.]com Host
uk[.]uk[.]igooglefiles[.]com Host news[.]googlesoftservice[.]net Host
news[.]facebooknavigation[.]com Host mess[.]googlerenewals[.]net Host
signup[.]facebooknavigation[.]com Host backup[.]aolonline[.]cc Host
uk[.]igooglefiles[.]com Host news[.]aolonline[.]cc

 

The indicators are available on PassiveTotal.

Posted in: Incidents


CATEGORIES

 * Campaigns
 * cat2
 * Crypto
 * cyber attack
 * Cyber-Crime
 * Disinformation
 * General
 * Incidents
 * Threat actors
 * Uncategorized


ARCHIVE

 * May 2023
 * June 2022
 * April 2022
 * August 2021
 * May 2021
 * February 2021
 * January 2021
 * December 2020
 * October 2020
 * August 2020
 * June 2020
 * April 2020
 * February 2020
 * January 2020
 * October 2019
 * September 2019
 * August 2019
 * July 2019
 * June 2019
 * May 2019
 * April 2019
 * February 2019
 * November 2018
 * July 2018
 * February 2018
 * January 2018
 * December 2017
 * November 2017
 * October 2017
 * August 2017
 * July 2017
 * May 2017
 * April 2017
 * March 2017
 * January 2017
 * November 2016
 * October 2016
 * June 2016
 * January 2016
 * November 2015
 * September 2015
 * June 2015
 * May 2015
 * September 2014






CYBER SOLUTIONS

 * Threat Intelligence
 * Cyber strategy
 * Cyber architecture
 * Pay per report – APT Group research
 * Cyber Tabletop Exercise


CONTACT US

Head office:
HaTa’asiya St 4
Tel Aviv-Yafo
Phone: +972 586 277684
Email: info [at] clearskysec.com

Sitemap xml | Copyright 2023 © ClearSky Cyber Security