
BLOG


April 23, 2018
Hogfish Alert
By: Josh Ray

WHAT’S THE STORY?

HOGFISH, more commonly known as APT10, is an espionage threat group attributed to China that has been heavily targeting Japanese and Western organizations since as early as 2009. The malware used in this campaign, uncovered by iDefense analysts, is the latest iteration of RedLeaves: a capable RAT that allows the threat group to perform the following actions on a compromised machine:

  • Take screenshots

  • Gather browser usernames and passwords

  • Gather extended system information

  • Send, receive, and execute commands from the C2 server

This report contains a full overview of a recent HOGFISH campaign targeting organizations in Japan, as well as the taunting tactics the group has used against intelligence analysts, researchers and responders.

DOWNLOAD THREAT ANALYSIS TECHNICAL REPORT [PDF]

WHAT DOES IT MEAN?

Despite the recent high-profile disclosure of Operation Cloud Hopper by the National Cyber Security Centre (NCSC) and others, HOGFISH remains a highly active and innovative threat group. HOGFISH does not shy away from targets around the world, but it does have a particular interest in Japan. Stolen data and proprietary information are likely to be transformed by the threat group into actionable intelligence for the group’s sponsors.

WHAT CAN YOU DO?

To effectively mitigate against threats posed by this particular HOGFISH campaign, security teams should look for and block access to the following C2 domains and IP addresses:

  • firefoxcomt.arkouowi[.]com

  • update.arkouowi[.]com

  • friendlysupport.giize[.]com

  • algorithm.ddnsgeek[.]com

  • 149.36.63[.]65m

  • 83.136.106[.]108

For threat hunting, it is also useful to look for the following host artifacts (file paths and mutex names) and investigate any that are present:

  • %temp%\AYRUNSC.exe

  • %temp%\PTL.AYM

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\GppiTEMms.lnk

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\EaahLDRej.lnk

  • %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\BnorTEPkh.lnk

  • A mutex named jH10689DS, 2N6541mb, or rV6880B9.

Hashes (SHA-256):

  • d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1

  • 5504e04083d6146a67cb0d671d8ad5885315062c9ee08a62e40e264c2d5eab91

  • f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b

  • db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d
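The blocking and hunting guidance above amounts to five indicator types: C2 domains, C2 IP addresses, file paths under %temp% and %appdata%, mutex names, and SHA-256 hashes. The Python script below is an added example (not code from iDefense or from the report) that refangs the indicators exactly as listed on this page and runs them over a few constructed telemetry lines in a made-up pipe-separated format (`timestamp|type|host|value`). Domain matching also catches subdomains of the listed hosts, file-path matching ignores the user profile directory so the artifacts are found under any account, and mutex matching strips a `Global\` or `Local\` namespace prefix; the sample telemetry, host names and log format are assumptions for the example.

```python
"""Match the HOGFISH / RedLeaves indicators from this report against sample telemetry.

Added example, not part of the iDefense report. Indicator values are copied
verbatim from the report text; the telemetry lines below are constructed.
"""
from typing import Callable, Dict, List

# Indicators exactly as published in the report (defanged with "[.]").
C2_DOMAINS = [
    "firefoxcomt.arkouowi[.]com",
    "update.arkouowi[.]com",
    "friendlysupport.giize[.]com",
    "algorithm.ddnsgeek[.]com",
]
C2_IPS = ["149.36.63[.]65m", "83.136.106[.]108"]  # first entry reproduced as printed
HOST_PATHS = [
    r"%temp%\AYRUNSC.exe",
    r"%temp%\PTL.AYM",
    r"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\GppiTEMms.lnk",
    r"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\EaahLDRej.lnk",
    r"%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\BnorTEPkh.lnk",
]
MUTEXES = {"jH10689DS", "2N6541mb", "rV6880B9"}
SHA256 = {
    "d956e2ff1b22ccee2c5d9819128103d4c31ecefde3ce463a6dea19ecaaf418a1",
    "5504e04083d6146a67cb0d671d8ad5885315062c9ee08a62e40e264c2d5eab91",
    "f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b",
    "db7c1534dede15be08e651784d3a5d2ae41963d192b0f8776701b4b72240c38d",
}


def refang(indicator: str) -> str:
    """Turn the report's defanged form ("[.]") back into a matchable, lowercase string."""
    return indicator.replace("[.]", ".").lower()


def domain_matches(hostname: str) -> bool:
    """True if hostname is one of the listed C2 hosts or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in map(refang, C2_DOMAINS))


def ip_matches(ip: str) -> bool:
    """Exact match against the listed C2 addresses."""
    return ip.strip() in {refang(i) for i in C2_IPS}


# Keep only the part of each path after the %temp% / %appdata% token, so that a
# suffix match finds the artifact regardless of which user profile it sits in.
PATH_TAILS = [p[p.index("\\"):].lower() for p in HOST_PATHS]


def path_matches(observed_path: str) -> bool:
    """Case-insensitive suffix match of an observed full path against the listed artifacts."""
    p = observed_path.lower().replace("/", "\\")
    return any(p.endswith(tail) for tail in PATH_TAILS)


def mutex_matches(name: str) -> bool:
    """Match the bare mutex name, ignoring a Global\\ or Local\\ namespace prefix."""
    return name.split("\\")[-1] in MUTEXES


def hash_matches(digest: str) -> bool:
    """Match a SHA-256 digest in either case."""
    return digest.strip().lower() in SHA256


CHECKS: Dict[str, Callable[[str], bool]] = {
    "dns": domain_matches,
    "netconn": ip_matches,
    "file": path_matches,
    "mutex": mutex_matches,
    "hash": hash_matches,
}

# Constructed telemetry: ws01 shows the full indicator set, ws02 is benign.
SAMPLE_TELEMETRY = r"""
2018-04-20T10:01:05Z|dns|ws01|update.arkouowi.com
2018-04-20T10:01:06Z|netconn|ws01|83.136.106.108
2018-04-20T10:01:09Z|file|ws01|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GppiTEMms.lnk
2018-04-20T10:02:00Z|mutex|ws01|jH10689DS
2018-04-20T10:02:30Z|hash|ws01|5504e04083d6146a67cb0d671d8ad5885315062c9ee08a62e40e264c2d5eab91
2018-04-20T10:03:00Z|dns|ws02|www.example.com
2018-04-20T10:03:10Z|file|ws02|C:\Users\bob\AppData\Local\Temp\report.pdf
2018-04-20T10:03:20Z|mutex|ws02|Global\SomeBenignMutex
"""


def scan_telemetry(text: str) -> List[Dict[str, str]]:
    """Return one hit per telemetry line whose value matches an indicator of its type."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, host, value = line.split("|", 3)
        check = CHECKS.get(kind)
        if check is not None and check(value):
            hits.append({"ts": ts, "host": host, "type": kind, "value": value})
    return hits


if __name__ == "__main__":
    for hit in scan_telemetry(SAMPLE_TELEMETRY):
        print(f"{hit['ts']} {hit['host']} {hit['type']:8} {hit['value']}")
```

Run as-is, the script reports five hits, all on ws01, and nothing for ws02. Because the path check is a suffix match, a second copy of AYRUNSC.exe dropped outside %temp% would still be flagged, which is what you want during a hunt; tighten it to an exact expanded path if it generates noise in your environment.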
