Historical OSINT - Chinese Government Sites Serving Malware
It's 2008 and I'm stumbling upon yet another decent portfolio of compromised malware-serving Chinese government Web sites. In this post I'll discuss in-depth the campaign and provide actionable intelligence on the infrastructure behind it.
Compromised Chinese government Web site:
hxxp://nynews.gov.cn
Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html
Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Compromised Chinese government Web site:
hxxp://nynews.gov.cn
Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html
Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
We'll continue monitoring the campaign and post updates as soon as new developments take place.
About the author
Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus. Aenean fermentum, eget tincidunt.
