RedEcho Infrastructure

Sebdraven
Mar 30, 2021


In February, Recorded Future published an article about a RedEcho campaign targeting the Indian power sector amid heightened border tensions:

https://www.recordedfuture.com/redecho-targeting-indian-power-sector/

After my investigation with RiskIQ passive DNS, I found many interesting IOCs.

The domain ntpc-co.com is the most interesting. This domain has resolved to two IPs: 27.255.94.29 and 210.92.18.132.

These IPs have two linked SSL certificates: 2d2d79c478e92a7de25e661ff1a68de0833b9d9b and 0a71519f5549b21510410cdf4a85701489676ddb.

With these certificates, we can find many of the IPs published in the Recorded Future article:

223.255.155.243

210.121.164.72

223.255.155.238

180.150.226.216

223.255.155.252

And a new IP published yesterday: 210.92.18.132

RedEcho group parks domains after public exposure | The Record by Recorded Future

So these two certificates are important for getting a good view of RedEcho's infrastructure. But these certificates are also linked to ShadowPad infrastructure, which is used by other Chinese APT groups.

Overview of the infrastructure
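The pivot walked through above (domain to IPs via passive DNS, IPs to certificates, certificates back to every IP serving them, then a diff against what was already published), as an added Python example that is not part of the original post. The records are constructed from the IOCs quoted above; which certificate sat on which IP is an assumption, since the post only says both certificates are linked to the two IPs and to the listed Recorded Future IPs.

```python
from collections import defaultdict

# Constructed passive DNS records: (domain, ip). The post states that
# ntpc-co.com resolved to both of these IPs.
PDNS = [
    ("ntpc-co.com", "27.255.94.29"),
    ("ntpc-co.com", "210.92.18.132"),
]
# Constructed certificate observations: (sha1, ip). The cert-to-IP
# assignment is an assumption; only the set of values comes from the post.
CERTS = [
    ("2d2d79c478e92a7de25e661ff1a68de0833b9d9b", "27.255.94.29"),
    ("2d2d79c478e92a7de25e661ff1a68de0833b9d9b", "223.255.155.243"),
    ("2d2d79c478e92a7de25e661ff1a68de0833b9d9b", "223.255.155.238"),
    ("2d2d79c478e92a7de25e661ff1a68de0833b9d9b", "223.255.155.252"),
    ("0a71519f5549b21510410cdf4a85701489676ddb", "210.92.18.132"),
    ("0a71519f5549b21510410cdf4a85701489676ddb", "210.121.164.72"),
    ("0a71519f5549b21510410cdf4a85701489676ddb", "180.150.226.216"),
]
# IPs already published in the Recorded Future article, per the post.
PUBLISHED = {"223.255.155.243", "210.121.164.72", "223.255.155.238",
             "180.150.226.216", "223.255.155.252"}


def index(pairs):
    """Build forward and reverse lookups from a list of (a, b) relations."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for a, b in pairs:
        fwd[a].add(b)
        rev[b].add(a)
    return fwd, rev


def pivot(domain, pdns=PDNS, certs=CERTS, published=PUBLISHED):
    """Domain -> IPs (pDNS) -> certs on those IPs -> every IP serving those certs.

    Returns the seed IPs, the certs used as pivots, the full IP set, and the
    IPs not already in the published list. Because a certificate can be shared
    with other groups' infrastructure (the ShadowPad overlap the post mentions),
    cert-derived IPs are reported separately from the pDNS-confirmed seeds."""
    dom_to_ip, _ = index(pdns)
    cert_to_ip, ip_to_cert = index(certs)
    seed_ips = set(dom_to_ip.get(domain, set()))
    pivot_certs = set().union(*(ip_to_cert[ip] for ip in seed_ips))
    cert_ips = set().union(*(cert_to_ip[c] for c in pivot_certs)) - seed_ips
    all_ips = seed_ips | cert_ips
    return {"seed_ips": seed_ips, "certs": pivot_certs,
            "cert_ips": cert_ips, "ips": all_ips, "new_ips": all_ips - published}
```

Swapping the constructed lists for real exports from a passive DNS or certificate-search provider gives the same walk over live data.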
