APT 40 in Malaysia

Sebdraven
Feb 7 · 1 min read

The Malaysian CERT published an advisory on 5 February.

It publishes many TTPs and IOCs for this group:

Several of the links are interesting:

The first are the IPs 195.12.50.168 and 167.99.72.82. In my Yeti instance, I found many related observables for them:

hxxp://195.12.50.168/D2_de2o@sp0/ and hxxp://167.99.72.82/main.dotm

These URLs were used by a campaign discovered by ClearSky targeting Malaysia. The victimology is interesting because it concerns the transport industry.
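The pivot described above, as an added example that is not code from the original post or from Yeti: normalise defanged indicators and group the related observables under the advisory IPs. The helpers `refang`, `host_of` and `pivot_on_ips` are hypothetical names; the observable list is constructed from the indicators quoted above plus one unrelated entry in the RFC 5737 documentation range.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.], (.), [:]) so the indicator can be parsed."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def host_of(indicator: str) -> Optional[str]:
    """Return the host of a URL indicator, or the IP itself for a bare IP; None otherwise."""
    s = refang(indicator)
    try:
        ip_address(s)          # bare IPv4/IPv6 indicator
        return s
    except ValueError:
        pass
    if "://" in s:             # URL indicator: take the network location's host
        return urlsplit(s).hostname
    return None


def pivot_on_ips(ips: List[str], observables: List[str]) -> Dict[str, List[str]]:
    """Map each advisory IP to the observables (URLs, etc.) hosted on it."""
    related: Dict[str, List[str]] = {ip: [] for ip in ips}
    for obs in observables:
        host = host_of(obs)
        if host in related:
            related[host].append(obs)
    return related


# Constructed sample data: the two advisory IPs and a small Yeti-style observable export.
ADVISORY_IPS = ["195.12.50.168", "167.99.72.82"]
OBSERVABLES = [
    "hxxp://195.12.50.168/D2_de2o@sp0/",
    "hxxp://167.99.72.82/main.dotm",
    "hxxp://198[.]51[.]100[.]7/unrelated.exe",   # constructed, unrelated host (RFC 5737 range)
]

if __name__ == "__main__":
    for ip, linked in pivot_on_ips(ADVISORY_IPS, OBSERVABLES).items():
        print(ip, "->", linked)
```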

Another interesting link in this advisory is the connection with another campaign in November:

https://app.any.run/tasks/ed03d492-688e-4182-9a06-6f65d8cb18fc/

found by

The malware used here is Dadjoke.

APT40 is an active Chinese group operating in South Asia, close to the MSS (China's intelligence service), according to Intrusion Truth: https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/

Written by Sebdraven

OSINT, Python, Malware Analysis, Botnet Tracker, SIEM and IPS/IDS and Threats Expert / co-organizer #BotConf / co-creator of #FastIR / Researcher at @Epita
