Revisiting APT1 IoCs with DNS and Subdomain Intelligence

Read the original article: Revisiting APT1 IoCs with DNS and Subdomain Intelligence


Cyber espionage is a type of cyber attack that aims to steal sensitive and often classified information to gain an advantage over a company or government. The 2020 Data Breach Investigations Report (DBIR) revealed that several hundred incidents across industries in the previous year were motivated by espionage.

We zoom in on one cyber espionage group believed to be responsible for dozens of security breaches. The group dubbed “APT1” (Advanced Persistent Threat Group 1) is among the most prolific and persistent APT groups on record: it reportedly stole hundreds of terabytes of data and maintained access to victim networks for as long as 1,764 days.

While the group is believed inactive, their implant code was reused in 2018. Could the indicators of compromise (IoCs) of APT1 be reused, too? Are there APT1 patterns detected in currently active fully qualified domain names (FQDNs)?

APT1 IoCs and Trademarks

Cybersecurity professionals closely monitor APT groups, including APT1. From one FireEye report detailing such monitoring, we obtained the following IoCs:

  • 88 domain names
  • 7 subdomains
  • 8 email addresses
  • 6 netblocks
  • 3 IP addresses

APT1 operators also tend to leave signatures in their tooling. For instance, the APT1 persona identified as “Ugly Gorilla” notably imprinted the initials “UG” in the FQDNs or subdomains the group used. Examples mentioned in the report are:

  • ug-opm[.]hugesoft[.]org
  • ug-co[.]hugesoft[.]org
  • ug-rj[.]arrowservice[.]net
  • ug-hst[.]msnhome[.]org

All of these subdomains are tagged “malicious” by VirusTotal.

Revisiting the APT1 IoCs

We used the following tools to revisit and discover more about the IoCs:

Domain Names and Associated IP Addresses

Of the 88 domain names publicly attributed to APT1, 28 were still active in the Domain Name System (DNS) as of 4 December 2020. Some of them were typosquats of legitimate companies, and in five cases the impersonated company now holds the domain itself (likely as part of a typosquatting protection strategy). These domains and their registrant organizations are:

  • arrowservice[.]net: Arrow Electronics, Inc.
  • mcafeepaying[.]com: McAfee LLC
  • msnhome[.]org: Microsoft Corporation
  • myyahoonews[.]com: Oath Inc.
  • yahoodaily[.]com: Oath Inc.

Of the remaining 23 APT1 domain IoCs, 19 are flagged as “malicious” by VirusTotal and are therefore likely already on the blocklists of most security products. The other four are not flagged, even though one of them is a CNN look-alike domain that cannot be attributed to the news organization.

The table below shows the four domains’ corresponding IP addresses and whether they have been reported as malicious. We also retrieved their IP netblocks and checked if they are included in the publicly available IoCs reported by Fireeye.

Table 1: IoCs Not Tagged “Malicious”

Domain          | IP Address           | IP Tagged as Malicious?                     | IP Netblock                               | IP Netblock an IoC?
----------------|----------------------|---------------------------------------------|-------------------------------------------|--------------------
cnndaily[.]net  | 104[.]31[.]82[.]32   | No (3 files observed communicating with it) | 104[.]31[.]80[.]0 - 104[.]31[.]95[.]255   | No
comrepair[.]net | 23[.]236[.]62[.]147  | Yes                                         | 23[.]236[.]48[.]0 - 23[.]236[.]63[.]255   | No
dnsweb[.]org    | 67[.]222[.]16[.]131  | No                                          | 67[.]222[.]16[.]0 - 67[.]222[.]23[.]255   | No
uszzcs[.]com    | 103[.]42[.]182[.]241 | No                                          | 103[.]42[.]182[.]0 - 103[.]42[.]182[.]255 | No

Organizations may want to revisit these IoCs and add them to their blocklists, since they could be reused. The domain comrepair[.]net, for one, resolves to an IP address flagged as malicious. Block on the domain rather than on the resolved address unless the address itself is flagged: a resolved IP can belong to shared hosting or a CDN edge, and blocking it wholesale would also cut off unrelated sites served from the same address.
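To make the Table 1 check repeatable, here is an added example (it is not code from the original post): it refangs the indicators as printed, converts “first - last” netblock ranges into CIDR networks, resolves each domain and reports which netblock IoCs contain the resolved IP. The six FireEye netblocks are not reproduced on the page, so an RFC 5737 documentation range (192.0.2.0/24) and the constructed name ioc-demo.example stand in for them; the Table 1 resolutions are embedded so the script runs offline, and resolve_live performs the same lookup against the real DNS when you pass it as the resolver.

```python
"""Re-check domain IoCs against DNS and netblock IoCs (added example, not the post's code)."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('cnndaily[.]net', '104[.]31[.]82[.]32') back into a usable string."""
    return indicator.strip().replace("[.]", ".")


def ranges_to_networks(ranges: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Convert 'first - last' ranges (hyphen, en dash or em dash), as printed in Table 1, into CIDR networks."""
    nets: List[ipaddress.IPv4Network] = []
    for rng in ranges:
        first, last = re.split(r"\s*[-\u2013\u2014]\s*", refang(rng))
        nets.extend(
            ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
        )
    return nets


def netblock_hits(ip: str, netblocks: Iterable[ipaddress.IPv4Network]) -> List[str]:
    """Return the netblocks (as CIDR strings) that contain ip."""
    addr = ipaddress.ip_address(refang(ip))
    return [str(net) for net in netblocks if addr in net]


def resolve_live(name: str) -> List[str]:
    """Live A-record lookup through the system resolver; [] if the name does not resolve."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_domains(
    domains: Iterable[str],
    netblocks: Iterable[ipaddress.IPv4Network],
    resolver: Callable[[str], List[str]] = resolve_live,
) -> Dict[str, Dict[str, List[str]]]:
    """For each (possibly defanged) domain: map resolved IP -> netblock IoCs containing it."""
    nets = list(netblocks)
    report: Dict[str, Dict[str, List[str]]] = {}
    for domain in domains:
        ips = resolver(refang(domain))
        report[domain] = {ip: netblock_hits(ip, nets) for ip in ips}
    return report


# Resolutions copied from Table 1 (as of 4 December 2020) plus one constructed name,
# so the example runs offline.
TABLE1_RESOLUTIONS = {
    "cnndaily.net": ["104.31.82.32"],
    "comrepair.net": ["23.236.62.147"],
    "dnsweb.org": ["67.222.16.131"],
    "uszzcs.com": ["103.42.182.241"],
    "ioc-demo.example": ["192.0.2.10"],  # constructed; lands inside the placeholder netblock below
}

# The six FireEye netblocks are not listed on the page; an RFC 5737 documentation range
# is a placeholder for them here. Replace it with the real list when you run this.
PLACEHOLDER_IOC_NETBLOCKS = ranges_to_networks(["192.0.2.0 - 192.0.2.255"])


def offline_resolver(name: str) -> List[str]:
    """Resolver backed by the embedded Table 1 data instead of live DNS."""
    return TABLE1_RESOLUTIONS.get(name, [])


def table1_report() -> Dict[str, Dict[str, List[str]]]:
    """Run the check over the four unflagged domains plus the constructed demo name."""
    return check_domains(
        ["cnndaily[.]net", "comrepair[.]net", "dnsweb[.]org", "uszzcs[.]com", "ioc-demo.example"],
        PLACEHOLDER_IOC_NETBLOCKS,
        resolver=offline_resolver,
    )


if __name__ == "__main__":
    for domain, ips in table1_report().items():
        for ip, hits in ips.items():
            print(f"{domain:18} {ip:16} netblock IoC hit: {hits or 'none'}")
```

Swap `offline_resolver` for `resolve_live` to reproduce the lookup against current DNS; with the placeholder netblock set, the four Table 1 domains produce no hits (matching the table) and only the constructed demo name does.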

Subdomains

We used the Domains and Subdomains Discovery tool to look for subdomains carrying Ugly Gorilla’s signature, searching for names that contain the string “ug-”. Some 590 subdomains beginning with that string turned up, including the IoC ug-co[.]hugesoft[.]org.

Some of these subdomains may well be innocent ones that merely happen to begin with “ug-”. They are nonetheless worth looking into, since a label-initial “ug-” is the string APT1 notoriously signed its FQDNs with.
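The triage the paragraph calls for can be scripted. The following is an added example (not code from the original post or from the discovery tool) that scans a list of FQDNs for the “ug-” signature anchored to the start of a label, so that names like bug-tracker.example.com, which merely contain the substring, are not flagged, and then sorts the hits into three buckets: an exact match with a known IoC, a new label under an IoC domain, and a prefix-only match that needs a closer look. The four subdomain IoCs and their parent domains come from the page; the other names in the sample list are constructed for this example, and the registrable-domain helper is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Hunt for the 'ug-' label signature in a set of FQDNs and triage the hits (added example)."""
from typing import Dict, Iterable


def refang(indicator: str) -> str:
    """Normalize a possibly defanged name: strip '[.]', lowercase, drop a trailing dot."""
    return indicator.strip().replace("[.]", ".").lower().rstrip(".")


# The four Ugly Gorilla subdomains cited on the page and the IoC domains they sit under.
UG_SUBDOMAIN_IOCS = {
    "ug-opm.hugesoft.org",
    "ug-co.hugesoft.org",
    "ug-rj.arrowservice.net",
    "ug-hst.msnhome.org",
}
APT1_DOMAIN_IOCS = {"hugesoft.org", "arrowservice.net", "msnhome.org"}


def registrable_domain(fqdn: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Adequate for .org/.net/.com; use a Public Suffix List library for forms like .co.uk."""
    return ".".join(fqdn.split(".")[-2:])


def triage_signature(fqdns: Iterable[str], prefix: str = "ug-") -> Dict[str, str]:
    """Return {fqdn: verdict} for every name with a label that starts with prefix.
    Verdicts: known_ioc, under_ioc_domain, prefix_only. Non-matching names are omitted."""
    verdicts: Dict[str, str] = {}
    for raw in fqdns:
        fqdn = refang(raw)
        labels = fqdn.split(".")
        # Anchor the match to the start of a label (TLD excluded): 'bug-tracker.example.com'
        # contains 'ug-' but was not signed with it.
        if not any(label.startswith(prefix) for label in labels[:-1]):
            continue
        if fqdn in UG_SUBDOMAIN_IOCS:
            verdicts[raw] = "known_ioc"
        elif registrable_domain(fqdn) in APT1_DOMAIN_IOCS:
            verdicts[raw] = "under_ioc_domain"
        else:
            verdicts[raw] = "prefix_only"
    return verdicts


# Constructed sample input: the page's four IoCs plus names made up for this example.
SAMPLE_FQDNS = [
    "ug-opm[.]hugesoft[.]org",
    "ug-co[.]hugesoft[.]org",
    "ug-rj[.]arrowservice[.]net",
    "ug-hst[.]msnhome[.]org",
    "ug-new.hugesoft.org",       # constructed: new label under an IoC domain
    "ug-west.example.org",       # constructed: probably benign, prefix only
    "bug-tracker.example.com",   # constructed: substring match, must NOT be flagged
    "debug-api.example.net",     # constructed: same
]


def sample_triage() -> Dict[str, str]:
    """Triage the constructed sample list."""
    return triage_signature(SAMPLE_FQDNS)


if __name__ == "__main__":
    for fqdn, verdict in sorted(sample_triage().items(), key=lambda kv: kv[1]):
        print(f"{verdict:17} {fqdn}")
```

Feed the 590 discovered names in place of SAMPLE_FQDNS; the prefix_only bucket is where the manual review effort goes, while under_ioc_domain hits deserve immediate attention because the parent domain is itself an APT1 indicator.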


APT1 has seemingly gone inactive. That does not mean, however, that the group cannot hand the weapons in its arsenal to other attack groups; with its implant code, that appears to have happened already. Aside from consulting blocklist sites, organizations would do well to revisit the group’s IoCs, check for recent suspicious activity involving them, and map out further domain and IP footprints.

