In Februrary, Record Futur publishes an article about a campaign against the Indian Power Sector Amid Heightened Border Tensions by RedEcho

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/

After my investigation with the RiskIQ passive DNS, I found many IOCs interesting.

The domain ntpc-co.com is the most interesting. This domains has been resolved on two IPs : 27.255.94.29 and 210.92.18.132.

And this IPs have two certificates SSL linked 2d2d79c478e92a7de25e661ff1a68de0833b9d9b and 0a71519f5549b21510410cdf4a85701489676ddb.

With theses certificates, we can found many IPs published in the article of Record Future.

223.255.155.243

210.121.164.72

223.255.155.238

180.150.226.216

223.255.155.252

And a new IP published yesterday: 210.92.18.132

RedEcho group parks domains after public exposure | The Record by Recorded Future

So these two certificates are more important to have a good view of the Infrastruscture of RedEcho. But, these certificates are linked to ShadowPad Infrastructure which used by others APT chineses groups.

Overview of the infrastructure

A new document royal road v7 installs a backdoor in .NET. a first executable is dropped \os03C2.tmp. This exe has many similarities with older campaigns using by Operation LagTime or Tonto Team.

Document

The decoy document is a document about infection of covid19 in Russia send to the Mongolia Authorities…

the file f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 uses the version 7 of royal road document.

This file drops in memory a new backdoor rewriting the process EQNEDT32.EXE.

This document refers to the ceasefire between Armenia and Azerbaijan and seems to be send by the Mongolian authorities.

Analysis of the backdoor in memory

This backdoor is a state machine launching different…

Last year I’ve analyzed a chinoxy backdoor dropped by an royal road RTF targeting Vietnam. https://medium.com/@Sebdraven/winnti-uses-the-rtf-exploit-8-t-too-targets-vietnam-13300d432272

The 17 march 2019, a campaign using royal road RTF targetted the Kirghistan with a lure document COVID19 about financial consideration of the world Bank.

5 years of Chinoxy implemention

This backdoor is very similar with it used…

The cert of Malaysia made an advisory the 5th february.

It’s published many TTPs and IOCs on this group:

There is many links interessisting:

the first are this IP 195.12.50.168 and 167.99.72.82. In my yeti, I found many relative observables on it:

hxxp://195.12.50.168/D2_de2o@sp0/ and hxxp://167.99.72.82/main.dotm

this Urls were used by a campaign discovered by ClearSky

targeting Malaysia. The victimology is interesting because it’s concerning transport industry.

Another link interesting with this advisories is the link wit another campaign in November

https://app.any.run/tasks/ed03d492-688e-4182-9a06-6f65d8cb18fc/

found by

Malware used here is Dadjoke.

APT40 is an active Chinese group in South Asia, near of the MSS (Intelligence Service of China) according Intrusion Truth https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/

Sebdraven

Malwarist,Threat Huntist and pythonist / core dev of #yeti/ member of @ProjectHoneynet / co-organizer #BotConf / researcher

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store