DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
Common Information
Type Value
UUID f87c1da2-f5e3-4550-aad6-22c441c93020
Fingerprint 26b18d918fb1a091
Analysis status DONE
Considered CTI value 2
Text language
Published Aug. 3, 2021, midnight
Added to db Sept. 11, 2022, 12:31 p.m.
Last updated Nov. 17, 2024, 10:40 p.m.
Headline DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
Title DeadRinger: Exposing Chinese Threat Actors Targeting Major Telcos
Detected Hints/Tags/Attributes 183/4/62
Attributes
Type                           #Events  Attribute value
Domain                         47       microsoft.exchange
Domain                         4        ttareyice.jkub.com
File                           351      recycle.bin
File                           15       test.bat
File                           1        psc.exe
File                           1        psloglist.bat
File                           8        nvsmartmax.dll
File                           3        nvsmartmax.dat
File                           2        nvsmarex.exe
File                           1018     rundll32.exe
File                           93       curl.exe
File                           2        nvsmartex.exe
File                           2126     cmd.exe
File                           88       1.txt
File                           1        q.bat
File                           1        oracll.exe
File                           6        lg.exe
File                           4        mscorsvc.dll
File                           41       mscorsvw.exe
File                           19       a.bat
File                           1        smnbt.exe
File                           10       query.exe
File                           6        dsget.exe
File                           1        s6.exe
File                           3        26.exe
File                           17       log.log
File                           1        d64.exe
File                           1        c:\windows\d64.exe
File                           1        c:\compaq\d64.exe
File                           1        c:\perflogs\ c:\perflogs\s6.exe
File                           1        c:\perflogs\msnbt.exe
File                           1        c:\perflogs\lg.exe
File                           1        c:\perflogs\ c:\perflogs\pl6.exe
File                           1        c:\perflogs\nbt.exe
File                           1        pl6.exe
File                           6        chrome_frame_helper.exe
File                           5        chrome_frame_helper.dll
File                           1        patchwrap.exe
File                           2        atl110.dll
File                           3        backup.exe
File                           478      lsass.exe
File                           5        potplayer.dll
File                           3        potplayer.exe
File                           6        event.dll
File                           1        ex.dat
File                           1        auth.dll
File                           7        applicationhost.config
File                           1122     svchost.exe
File                           1        prospects.exe
File                           142      wmiprvse.exe
sha1                           1        91b0d7fa50d993c7a35ec501ef5f3585f0003a51
sha1                           1        5572fa29e61009a626320275b36eef0d5142e3e2
IPv4                           1        45.123.118.232
Pdb                            2        e:\vs_proj\mimktools\dcsync_new\x64\dcsync64.pdb
Pdb                            2        e:\simplify_modify\x64\simplify.pdb
Pdb                            3        e:\vs_proj\simplify_modify\win32\simplify.pdb
Pdb                            1        deployfilter.pdb
Pdb                            1        servicefilter.pdb
Threat Actor Identifier - APT  297      APT27
Threat Actor Identifier - APT  78       APT3
Threat Actor Identifier - APT  522      APT41
Url                            1        http://45.123.118.232/1.txt