
“RedFoxtrot” Threat Actor Group Linked to China’s PLA, Targeting Its Asian Border Countries

Researchers from Recorded Future have profiled a Chinese state-sponsored threat group named “RedFoxtrot”, linked to China’s PLA Unit 69010, located in Xinjiang, China.

RedFoxtrot, active since 2014, has been targeting government agencies and the defense and telecommunications sectors across Central Asia, India, and Pakistan.

Over the last 6 months, Recorded Future’s Insikt Group has observed the group targeting 3 Indian aerospace and defense contractors, as well as major telecommunications providers and other government agencies in India, Kazakhstan, Afghanistan, and Pakistan.

Source: Recorded Future

“RedFoxtrot has historically employed multiple open- and closed-source tooling commonly shared across Chinese cyber espionage groups, including PlugX, Poison Ivy, Royal Road, PCShare, and IceFog.”

“Insikt Group also identified multiple links to suspected ShadowPad command and control (C2) infrastructure, tracked by Recorded Future as AXIOMATICASYMPTOTE, providing evidence of yet another Chinese group with access to the custom backdoor,” reads the report released by Recorded Future.

DDNS domains such as “inbsnl.ddns[.]info”, “adtl.mywire[.]org”, and “indianmail.zyns[.]com” often contain hints about the targets: here, that India is one of the targeted countries and that a specific organization is being spoofed for the attack.
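As an added example (not from the post or from Recorded Future), a small defender-side check in Python: it refangs the three indicators quoted above, derives their dynamic-DNS parent zones, and flags DNS queries to those names or zones in sample log lines. The log format and the sample records are constructed assumptions.

```python
import re

# Defanged indicators quoted in the post; refanged before matching.
DEFANGED_INDICATORS = [
    "inbsnl.ddns[.]info",
    "adtl.mywire[.]org",
    "indianmail.zyns[.]com",
]

def refang(indicator: str) -> str:
    """Turn 'a.b[.]c' back into 'a.b.c' for matching against logs."""
    return indicator.replace("[.]", ".").strip('"\u201c\u201d').lower()

def ddns_zone(fqdn: str) -> str:
    """Parent zone of a dynamic-DNS hostname: drop the leftmost label."""
    labels = fqdn.split(".")
    return ".".join(labels[1:]) if len(labels) > 2 else fqdn

def build_watchlist(defanged):
    """Exact hostnames plus the DDNS zones they were registered under."""
    names = {refang(d) for d in defanged}
    zones = {ddns_zone(n) for n in names}
    return names, zones

# Constructed sample log, format assumed: "<ts> <client_ip> <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2021-06-15T09:12:01Z 10.1.4.22 www.example.com A
2021-06-15T09:12:07Z 10.1.4.22 inbsnl.ddns.info A
2021-06-15T09:13:44Z 10.1.9.8 mail.corp.example.net MX
2021-06-15T09:14:02Z 10.1.9.8 backup01.zyns.com A
2021-06-15T09:15:19Z 10.1.4.22 adtl.mywire.org TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_dns_log(log_text: str, defanged=DEFANGED_INDICATORS):
    """Return (client, qname, reason) for each query worth triaging."""
    names, zones = build_watchlist(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in names:
            hits.append((client, qname, "exact-ioc"))
        elif ddns_zone(qname) in zones:
            hits.append((client, qname, "ddns-zone"))  # same DDNS provider
    return hits
```

The zone match is deliberately broader than the exact indicator list: it surfaces other hosts under the same dynamic-DNS providers for analyst review, not as a verdict.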

Indicators of Compromise (pretty big list):

