It's 2008 and I'm stumbling upon yet another sizable portfolio of compromised Chinese government Web sites serving malware. In this post I'll discuss the campaign in depth and provide actionable intelligence on the infrastructure behind it.
Compromised Chinese government Web site:
hxxp://nynews.gov.cn
Sample malicious domains known to have participated in the campaign:
hxxp://game1983.com/index.htm
hxxp://sp.070808.net/23.htm
hxxp://higain-hitech.com/mm/index.html
Currently affected Chinese government Web sites:
hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191
hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm
hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
hxxp://xc.haqi.gov.cn/jay.htm - iframe - hxxp://xc.haqi.gov.cn/jay.htm - hxxp://qqnw.gov.cn/ST.htm
hxxp://www.whkx.gov.cn/mohajem.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm
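The lines above follow a "landing page - iframe - destination" pattern: a page on the compromised .gov.cn host carries an injected iframe that pulls the exploit page from a third-party domain. The following Python is an added example, not code from the original post, showing how to turn such IOC lines into host lists and how to flag the same pattern in a fetched page by looking for iframes that are both off-site and hidden (0x0/1x1 or styled invisible). The IOC lines and the HTML snippet are constructed copies for the example; no network access is performed.

```python
"""Parse 'page - iframe - destination' IOC lines and flag injected hidden
off-site iframes in page source. Added example, not the post's own code."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed copies of three IOC lines from the post, kept defanged (hxxp://).
IOC_LINES = [
    "hxxp://www.tgei.gov.cn/dom.txt - iframe - hxxp://www.b110b.com/chbr/110.htm?id=884191",
    "hxxp://hfinvest.gov.cn/en/aboutus/index.asp - iframe - hxxp://nnbzc12.kki.cn/indax.htm",
    "hxxp://www.whkx.gov.cn/iii.txt - iframe - hxxp://user.free2.77169.net/shmilyzhutou/evil.htm",
]


def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL back into one urllib can parse."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip(), flags=re.I)


def defang(url: str) -> str:
    """Defang a URL for reporting so it is not clickable."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url.strip(), flags=re.I)


def parse_ioc_line(line: str) -> dict:
    """Split 'landing - iframe - dest [- dest ...]' into a redirection chain.
    Hops stay defanged; hostnames are extracted for blocklisting."""
    tokens = [t.strip() for t in line.split(" - ")]
    hops = [t for t in tokens if t and t.lower() != "iframe"]
    return {
        "landing": hops[0],
        "chain": hops[1:],
        "hosts": [urlsplit(refang(h)).hostname for h in hops],
    }


class IframeFinder(HTMLParser):
    """Collect the attributes of every <iframe> in a page (tag names arrive lowercased)."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def _is_hidden(attrs: dict) -> bool:
    """Injected frames are typically 0x0 or 1x1, styled invisible, or marked hidden."""
    for dim in ("width", "height"):
        val = (attrs.get(dim) or "").strip().rstrip("px").strip()
        if val.isdigit() and int(val) <= 1:
            return True
    style = attrs.get("style") or ""
    if re.search(r"display\s*:\s*none|visibility\s*:\s*hidden", style, re.I):
        return True
    return "hidden" in attrs


def find_injected_iframes(page_url: str, html: str) -> list:
    """Return iframes whose src resolves to another host and that are hidden.
    Same-host frames and javascript:/data: frames (no hostname) are not flagged."""
    page_host = urlsplit(page_url).hostname
    finder = IframeFinder()
    finder.feed(html)
    findings = []
    for attrs in finder.frames:
        src = attrs.get("src")
        if not src:
            continue
        abs_src = urljoin(page_url, src)  # resolve relative src against the page
        host = urlsplit(abs_src).hostname
        if host is not None and host != page_host and _is_hidden(attrs):
            findings.append({"src": defang(abs_src), "host": host})
    return findings


# Constructed page source imitating the tgei.gov.cn case: one injected 0x0
# off-site frame, one legitimate same-site frame, one hidden but same-site frame.
SAMPLE_PAGE_URL = refang("hxxp://www.tgei.gov.cn/dom.txt")
SAMPLE_HTML = """<html><body><h1>tgei</h1>
<IFRAME SRC="http://www.b110b.com/chbr/110.htm?id=884191" WIDTH=0 HEIGHT=0 FRAMEBORDER=0></IFRAME>
<iframe src="/maps/index.html" width="600" height="400"></iframe>
<iframe src="http://www.tgei.gov.cn/notice.html" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line in IOC_LINES:
        print(parse_ioc_line(line))
    print(find_injected_iframes(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The host comparison is deliberately strict: a frame loading from a subdomain of the landing site is still reported, which is what you want when a second page on the same compromised host is the hop (as in the xc.haqi.gov.cn line above). Run the host lists from `parse_ioc_line` through your proxy and DNS logs to find clients that already reached the destination domains.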
We'll continue monitoring the campaign and post updates as soon as new developments take place.
Saturday, October 20, 2018
Historical OSINT - Chinese Government Sites Serving Malware
Tags: Botnet, China, Client-Side Exploits, Client-Side Vulnerabilities, Cybercrime, Exploits, Hacking, Information Security, Malicious Software, Security, Vulnerabilities