Researchers Detail Malicious Tools Used by Cyberespionage Group Earth Aughisky



New research has detailed the increasingly sophisticated malware toolset employed by an advanced persistent threat (APT) group named Earth Aughisky.

Earth Aughisky

Earth Aughisky, also referred to as Taidoor, is a cyber espionage group known for its ability to abuse legitimate accounts, software, applications, and other weaknesses in network design and infrastructure for its own ends.

While the Chinese threat actor has been known to primarily target organizations in Taiwan, victimology patterns observed towards late 2017 indicate an expansion to Japan.

The most commonly targeted industry verticals include government, telecom, manufacturing, heavy industry, technology, transportation, and healthcare.

The group has also been linked to a variety of malware families, such as GrubbyRAT, K4RAT, LuckDLL, Serkdes, Taikite, and Taleret, as part of its attempts to continually update its arsenal to evade security software.

Among the other notable backdoors employed by Earth Aughisky over the years are the following:

  • SiyBot, a basic backdoor that uses public services like Gubb and 30 Boxes for command-and-control (C2)
  • TWTRAT, which abuses Twitter's direct message feature for C2
  • DropNetClient (aka Buxzop), which leverages the Dropbox API for C2

The cybersecurity firm also linked the activities of Earth Aughisky to another APT actor, codenamed Pitty Tiger (aka APT24) by Airbus, based on the use of the same dropper in various attacks that took place between April and August 2014.

Indicators of Compromise (IoCs)

Domains



October 11th, 2022

About the Author:

FirstHackersNews- Identifies Security

