RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Common Information
Type | Value |
---|---|
UUID | 79dea55a-7d28-42d7-ac66-9b054ff8890d |
Fingerprint | 4fe6a4251dddcc15e47e9555b446c2c7648ca1e0bd15a3557d82bb1f42909ae7 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | None |
Added to db | March 10, 2024, 12:48 a.m. |
Last updated | Aug. 30, 2024, 10:26 p.m. |
Headline | RedAlpha: New Campaigns Discovered Targeting the Tibetan Community |
Title | RedAlpha: New Campaigns Discovered Targeting the Tibetan Community |
Detected Hints/Tags/Attributes | 26/3/102 |
Source URLs
Redirection | Url | |
---|---|---|
Details | Source | https://go.recordedfuture.com/hubfs/reports/cta-2018-0626-appendix.pdf |
URL Provider
Attributes
Details | Type | #Events | CTI | Value |
---|---|---|---|---|
Details | Domain | 2 | 220x218x70x160.ap220.ftth.ucom.ne.jp |
|
Details | Domain | 2 | angtechy.com |
|
Details | Domain | 2 | apple.internetdocss.com |
|
Details | Domain | 2 | artvoice.internetdocss.com |
|
Details | Domain | 2 | blog.tibetcul.internetdocss.com |
|
Details | Domain | 2 | business.internetdocss.com |
|
Details | Domain | 2 | cfr.internetdocss.com |
|
Details | Domain | 2 | chinaaid.internetdocss.com |
|
Details | Domain | 2 | cqledu.com |
|
Details | Domain | 2 | cqyrxy.com |
|
Details | Domain | 3 | doc.internetdocss.com |
|
Details | Domain | 2 | docs.internetdocss.com |
|
Details | Domain | 2 | drlve-gooog1e.com |
|
Details | Domain | 2 | epochtimes.internetdocss.com |
|
Details | Domain | 2 | http.ackques.com |
|
Details | Domain | 2 | index.ackques.com |
|
Details | Domain | 2 | item.internetdocss.com |
|
Details | Domain | 2 | login-live.space |
|
Details | Domain | 2 | mail-aol.space |
|
Details | Domain | 2 | mail-defense.tk |
|
Details | Domain | 3 | mail-dsi-go.space |
|
Details | Domain | 2 | mail-epochtimes.space |
|
Details | Domain | 2 | mail.youxinpai.com |
|
Details | Domain | 2 | ndtv.internetdocss.com |
|
Details | Domain | 2 | oc.internetdocss.com |
|
Details | Domain | 2 | plshl.com |
|
Details | Domain | 2 | rediff.internetdocss.com |
|
Details | Domain | 2 | savetibet.internetdocss.com |
|
Details | Domain | 2 | sp.u2xu2.com |
|
Details | Domain | 2 | striker.internetdocss.com |
|
Details | Domain | 2 | thewire.internetdocss.com |
|
Details | Domain | 2 | tibet.internetdocss.com |
|
Details | Domain | 2 | tk.u2xu2.com |
|
Details | Domain | 2 | tootopia.internetdocss.com |
|
Details | Domain | 2 | u2xu2.com |
|
Details | Domain | 2 | video.internetdocss.com |
|
Details | Domain | 2 | vot.internetdocss.com |
|
Details | Domain | 2 | webmail-mpt.space |
|
Details | Domain | 2 | wengiguowengui.space |
|
Details | Domain | 2 | www.apple.internetdocss.com |
|
Details | Domain | 2 | www.doc.internetdocss.com |
|
Details | Domain | 2 | www.hktechy.com |
|
Details | Domain | 272 | outlook.com |
|
Details | Domain | 85 | 163.com |
|
Details | Domain | 99 | qq.com |
|
Details | 2 | steven-jain@outlook.com |
||
Details | 4 | 6060841@qq.com |
||
Details | File | 40 | www.doc |
|
Details | File | 23 | x86.dll |
|
Details | File | 11 | x86.exe |
|
Details | File | 38 | x64.dll |
|
Details | File | 13 | x64.exe |
|
Details | File | 6 | audio.exe |
|
Details | File | 2 | c:\\windows\\nethelp.dll |
|
Details | File | 5 | %systemroot%\\system32\\svchost.exe |
|
Details | File | 816 | index.html |
|
Details | File | 13 | client.dll |
|
Details | File | 2 | serverdo.exe |
|
Details | md5 | 2 | 5228914b534a437eb7985702e78772be |
|
Details | md5 | 2 | e6c0ac26b473d1e0fa9f74fdf1d01af8 |
|
Details | md5 | 2 | e28db08b2326a34958f00d68dfb034b0 |
|
Details | md5 | 2 | 3a2b1a98c0a31ed32759f48df34b4bc8 |
|
Details | md5 | 2 | c94a39d58450b81087b4f1f5fd304add |
|
Details | md5 | 2 | c74608c70a59371cbf016316bebfab06 |
|
Details | md5 | 2 | cb71f3b4f08eba58857532ac90bac77d |
|
Details | md5 | 2 | 1412102eda0c2e5a5a85cb193dbb1524 |
|
Details | md5 | 2 | 42256b4753724f7feb411bc9912155fd |
|
Details | md5 | 2 | 6d1d6987d0677f40e473befab121ab1b |
|
Details | md5 | 2 | 8f0fe2620f8dadf93eee285834e35655 |
|
Details | md5 | 2 | cd32ce54ed94dfbde7fb85930a16597d |
|
Details | md5 | 2 | c6e336550bd1c087ee2a211781fd9280 |
|
Details | md5 | 2 | d4ea9027edca1d01c62d9f43a2975d30 |
|
Details | md5 | 2 | 6dd1be1e491d5bf9cd14686c185c3009 |
|
Details | md5 | 2 | 3697a1f9150de181026ce089c10657c3 |
|
Details | md5 | 2 | e6e566fc8a1dee3019821e84c5ad58cc |
|
Details | md5 | 2 | bc902a5e56cbbaa82f4af26cf9f4567e |
|
Details | md5 | 2 | af5487e77c16d987ca02d59bdcf38489 |
|
Details | md5 | 2 | 6e109cbbd181ad567b90463d48302c72 |
|
Details | md5 | 2 | df09df6d5ae774f280c43e3cc0e4a142 |
|
Details | md5 | 2 | 17030637d18335c7267d09ec0ebc637c |
|
Details | md5 | 2 | 617fd4619e215a00dae98de5980a4210 |
|
Details | md5 | 22 | f34d5f2d4577ed6d9ceec516c1f5a744 |
|
Details | IPv4 | 2 | 115.126.39.107 |
|
Details | IPv4 | 2 | 122.10.84.146 |
|
Details | IPv4 | 2 | 142.4.62.249 |
|
Details | IPv4 | 2 | 144.48.220.167 |
|
Details | IPv4 | 2 | 198.44.172.97 |
|
Details | IPv4 | 2 | 211.44.63.39 |
|
Details | IPv4 | 2 | 220.218.70.160 |
|
Details | IPv4 | 2 | 27.126.179.156 |
|
Details | IPv4 | 2 | 27.126.179.157 |
|
Details | IPv4 | 2 | 27.126.179.158 |
|
Details | IPv4 | 2 | 27.126.179.159 |
|
Details | IPv4 | 2 | 27.126.179.160 |
|
Details | IPv4 | 2 | 45.77.250.80 |
|
Details | Url | 2 | http://doc.internetdocss.com/nethelp |
|
Details | Url | 2 | http://doc.internetdocss.com/audio |
|
Details | Url | 2 | http://doc.internetdocss.com/word |
|
Details | Url | 2 | http://doc.internetdocss.com/index? |
|
Details | Yara rule | 1 | import "pe"
/*
 * RedAlpha 2017 campaign, "NetHelp" component (per meta desc).
 * After the PE-magic and size gate, EITHER of two branches is enough to fire:
 *   (a) one of four known import hashes, or
 *   (b) content heuristics: the full hard-coded HTTP POST beacon, any single
 *       C2 hostname, or the three service-related strings together.
 * pe.imphash() needs the "pe" module and a YARA build with hash (OpenSSL) support.
 * Repeated meta keys (md5_x86, md5_x64) are accepted by YARA; each entry is one known sample hash.
 */
rule apt_ZZ_RedAlpha_2017Campaign_nethelp
{
    meta:
        desc = "RedAlpha 2017 Campaign, NetHelp Drop"
        author = "JAG-S, Insikt Group, RecordedFuture"
        TLP = "White"
        md5_x86 = "42256b4753724f7feb411bc9912155fd"
        md5_x86 = "6d1d6987d0677f40e473befab121ab1b"
        md5_x64 = "8f0fe2620f8dadf93eee285834e35655"
        md5_x64 = "cd32ce54ed94dfbde7fb85930a16597d"
        md5_x64_striker = "6dd1be1e491d5bf9cd14686c185c3009"
    strings:
        // Beacon request template, one header per string. All ten must be present
        // (all of ($postreq*)), so a partial or reordered template does not match.
        $postreq1 = "POST /index.html HTTP/1.1" ascii wide
        $postreq2 = "Host: index.ackques.com" ascii wide
        // NOTE(review): the space in "Chrome /53.0" is kept exactly as published. It may be
        // the malware's own UA formatting or a transcription artifact of the source PDF;
        // confirm against a sample before relying on this string in isolation.
        $postreq3 = "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0" ascii wide
        $postreq4 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*" ascii wide
        $postreq5 = "Accept-Language: en-US;q=0.5,en;q=0.3" ascii wide
        $postreq6 = "Accept-Encoding: gzip, deflate" ascii wide
        $postreq7 = "Content-Type: application/x-www-form-urlencoded" ascii wide
        // "%d" is a format placeholder in the binary, not a literal length.
        $postreq8 = "Content-Length: %d" ascii wide
        $postreq9 = "Connection: keep-alive" ascii wide
        $postreq10 = "Upgrade-Insecure-Requests: 1" ascii wide
        // C2 hostnames. Any ONE is sufficient (any of ($cnc*)), so a PE that merely
        // embeds one of these names (e.g. a report or a sinkhole tool) will also match.
        $cnc1 = "index.ackques.com" ascii wide
        $cnc2 = "www.hktechy.com" ascii wide
        $cnc3 = "striker.internetdocss.com" ascii wide
        // Service-installation strings; required as a set (all of ($service*)).
        // NOTE(review): "Client.dll" and "ServiceMain" are generic; "Windows Internet Help"
        // carries the discrimination in this branch.
        $service1 = "Windows Internet Help" ascii wide
        $service2 = "Client.dll" ascii wide
        $service3 = "ServiceMain" ascii wide
    condition:
        // 0x5A4D = "MZ" DOS header; size bound keeps scans cheap and excludes large benign PEs.
        uint16(0) == 0x5A4D and filesize < 500KB and
        (
            // Branch (a): known import hashes (x86 / x64 / striker variants per meta).
            (pe.imphash() == "bc902a5e56cbbaa82f4af26cf9f4567e" or pe.imphash() == "af5487e77c16d987ca02d59bdcf38489" or pe.imphash() == "6e109cbbd181ad567b90463d48302c72" or pe.imphash() == "df09df6d5ae774f280c43e3cc0e4a142")
            or
            // Branch (b): content heuristics; each sub-clause is independent.
            (all of ($postreq*) or any of ($cnc*) or all of ($service*))
        )
} |
|
Details | Yara rule | 1 | import "pe"
/*
 * RedAlpha dropper (per meta desc). Stricter than the NetHelp rule on this page:
 * a known import hash AND the embedded C2 URL are both required, so a sample
 * that changes either its imports or its check-in URL will not match.
 * pe.imphash() needs the "pe" module and a YARA build with hash (OpenSSL) support.
 * NOTE(review): the meta key is lower-case "tlp" here but "TLP" in the sibling rules;
 * harmless for matching, but tooling that reads meta by key name will see two different keys.
 */
rule apt_ZZ_RedAlpha_Dropper
{
    meta:
        author = "JAG-S, Insikt Group, Recorded Future"
        tlp = "White"
        md5 = "e6c0ac26b473d1e0fa9f74fdf1d01af8"
        md5 = "e28db08b2326a34958f00d68dfb034b0"
        md5 = "c94a39d58450b81087b4f1f5fd304add"
        md5 = "3a2b1a98c0a31ed32759f48df34b4bc8"
        desc = "RedAlpha Dropper"
        version = "1.0"
    strings:
        // C2 URL (per string name). ASCII only: no "wide" modifier, so a UTF-16LE
        // copy of the same URL would not match.
        $cnc = "http://doc.internetdocss.com/index?"
    condition:
        // 0x5A4D = "MZ" DOS header; size bound keeps scans cheap.
        uint16(0) == 0x5A4D and filesize < 500KB
        // Two known import hashes for the dropper.
        and (pe.imphash() == "17030637d18335c7267d09ec0ebc637c" or pe.imphash() == "617fd4619e215a00dae98de5980a4210")
        // "all of them" covers the single string $cnc, i.e. the URL must be present too.
        and all of them
} |
|
Details | Yara rule | 2 | import "pe"
/*
 * Second-stage njRAT with the RedAlpha-specific configuration (per meta desc).
 * All four configuration strings are UTF-16LE ("wide") and must ALL be present,
 * together with the one known import hash and a tight 50KB size bound.
 * pe.imphash() needs the "pe" module and a YARA build with hash (OpenSSL) support.
 */
rule apt_ZZ_RedAlpha_njRat
{
    meta:
        author = "JAG-S, Insikt Group, Recorded Future"
        TLP = "White"
        md5 = "c74608c70a59371cbf016316bebfab06"
        date = "04-14-2018"
        desc = "Second-stage njRAT, RedAlpha config"
        version = "1.1"
    strings:
        // Install/drop file name (per string name).
        $installName = "serverdo.exe" wide
        // Port value (presumably the C2 port, per string name). Very short; only safe
        // because it is AND-ed with the imphash and the other three strings.
        $port = "9527" wide
        // njRAT build/version tag embedded in the config.
        $version = "0.7d" wide
        // C2 hostname (per string name).
        $c2 = "doc.internetdocss.com" wide
    condition:
        // 0x5A4D = "MZ" DOS header; 50KB bound reflects the small second-stage binary.
        uint16(0) == 0x5A4D and filesize < 50KB and pe.imphash() == "f34d5f2d4577ed6d9ceec516c1f5a744" and all of them
} |