# Walking on APT31 infrastructure footprints

**sekoia.io/en/walking-on-apt31-infrastructure-footprints/**

November 10, 2021

SEKOIA.IO’s Cyber Threat Intelligence team had an in-depth look at the APT31 intrusion
**[set at the beginning of 2021 when the BfV (Bundesamt für Verfassungsschutz)¹ and](https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/2021/bfv-cyber-brief-2021-1.pdf)**
[McAfee² released some new information. A few months later, the French National](https://kc.mcafee.com/corporate/index?page=content&id=KB94370)
[Cybersecurity Agency (ANSSI) also released a short publication with several IoCs³, showing](https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/)
that the intrusion set was still active and of concern as multiple national agencies had been
involved.

All of these IoCs were mainly IP addresses, and many of them seemed to be linked to
**SOHO routers, mostly** [Pakedge routers at the time. With that observation, we investigated](https://pakedge.com/)
more deeply to see if we could find more infrastructure and implants used by this intrusion
set.

## A brief on the APT31 creature


-----

APT31 (aka Zirconium or Judgment Panda) is an Advanced Persistent Threat group whose
mission is likely to gather intelligence on behalf of the Chinese government. Similar to other
nation-state actors, the group is focusing on data of interest to the PRC (People’s
Republic of China) and its strategic and geopolitical ambitions, rather than on specific
verticals.

**The Chinese adversaries are considered some of the most prolific state-sponsored**
**cyber actors on the planet. According to Microsoft’s observations, from July 2020 to June**
2021, China-based threat actors displayed the strongest interest in targeting critical
[infrastructure among all the other nation-state threats⁴.](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi)

_Figure 1. A timeline of the publicly reported APT31-related campaigns_

As shown in Figure 1 and in alignment with available public reports, APT31 has been active
since at least 2013 and its 2021 campaign targeting numerous French entities is still
ongoing.

## BR|INT APT31

[Download PDF version](https://info.sekoia.io/hubfs/%5BMarketing%5D%20-%20Ebook-analyse/BRINT%20APT31.pdf)

Even if the public literature on this intrusion set is quite limited, APT31 is known to use —
among others vectors — spear phishing to get a foothold in the victims’ networks. Although
**their recent campaigns weren’t technically sophisticated, they succeeded in bypassing**
network defences by employing only legitimate websites and services to host their implants
(GitHub) and interact with them once executed on the victims’ workstation (use of
[DropBoxAPI)⁵. It has also been spotted targeting organizations via SQL injection attacks, as](https://www.zscaler.fr/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online)
well as leveraging stolen credentials to gain initial access.

**APT31 and other Chinese state–backed actors have been lately the object of several**
**European governments’ attribution statements. Back in July 2021, the UK accused the**
[Chinese Ministry of State Security (MSS) of supporting the APT31 group’s activities⁶. At](https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking)
nearly the same time, the EU detected malicious cyber activities with significant effects that
**[targeted key European industries and linked them to APT31⁷. In both cases, official](https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/)**
statements mentioned APT31 alongside another Chinese attacker group — APT40.


-----

Moreover, authorities suspect APT31 to be a group of contractors working directly for
**China’s MSS, or even members of the People’s Liberation Army (PLA) Strategic Support**
Force, as reported by other sources.

[Discover our CTI and XDR products](http://sekoia.io/en/contact/)

## Hunting in the APT31 infrastructure footprints

APT31 is one of the few intrusion sets known to have been seen compromising SOHO
routers to compose its operational infrastructure, since at least November 2019, date on
which a sample of the backdoor used on compromised routers was uploaded to VirusTotal
for analysis (MD5: 77c73b8b1846652307862dd66ec09ebf). However, this implant can be
much older as there is no compilation date associated with ELF files.

The Operational Relay Boxes (ORB) associated with this infrastructure are used as proxies
for frontal attacks, active and passive reconnaissance and also as command and control
servers for several implants. Till today, we don’t know how they compromised these
**routers. It is likely that they used a mix of known and unknown vulnerabilities to achieve**
remote code execution in order to drop their implants and other redirector tools.

We found ways and heuristics to illuminate some parts of their infrastructure and track it over
time. The C2 domains used by this intrusion set have several characteristics such as:

Patterns: lots of domains had technical strings such as “update”, “check”, “cloud” or
“service” along with some IOT/router’s brands (Mikrotik, Netgear, Qnap, Nec).

DNS configuration: most of them don’t resolve anything without an appropriate
subdomain such as “www”, “api”, “sso” etc.

DNS providers: APT31 mainly uses four DNS providers: Monovm, Cloudflare, Topdns
and most recently Hosteons, which we’ve seen used only for two domains so far.

Fake registrant and associated email: the name is mostly composed like a real name
(eg. Joseph Edwards) with an associated email address using protonmail.ch, email.cz,
post.cz or inbox.lv.

The resolution timeframe of these domains doesn’t exceed a few days, which is also
relevant from an analyst’s point of view.

As the domains were resolving to SOHO routers, it was also possible to track them using this
particularity. Indeed, it is relatively rare that a domain from these DNS providers points
**to some domestic autonomous systems.**


-----

On the other hand, the network appliances compromised by APT31 have technical
characteristics (eg. administration panels, specific certificates or banners) allowing anybody
to recover thousands of IP addresses using them. By using passive DNS resolutions on
these IP addresses, it was possible to discover new C2s when an observed FQDN pointing
to them had the previously mentioned characteristics.

Finally, we discovered nearly 50 IP addresses and 34 domain names following ANSSI’s
publication, with an overlap of one IP address resolved by the domain www.fwcheck[.]com.
The table below summarises the brands of network appliances that composed the C2
infrastructure used by APT31 until July 2021. The confidence value depends on the number
of heuristics (explained above) that matched as well as on whether other sources already
mentionned the C2 or not.

**Brand seen on C2** **Number of C2s** **Confidence**

Pakedge 41 High

CyberOAM 3 High

Netgear VPN firewall 2 Low

D-LINK 1 Low

Others 5 Low

Since July 2021, we have observed a shift in their infrastructure. They left their historical
**“Pakedge infrastructure” and moved it to new clusters composed this time of several other**
brands and nameservers in order to avoid infrastructure illumination by analysts.

Since then, it has become more difficult to follow their tracks although we can still see
several new C2s such as neccloud[.]net — resolving to 5.252.176[.]102, a server under the
MivoCloud umbrella — or netgearcloud[.]net, resolving to a domestic IP address based in
Sweden on September 22, 2021. We link these domains to APT31 with high confidence as
they match most of the infrastructure heuristics established during the investigation.

However, it’s worth noting that not all their Operational Relay Boxes are resolved by domains
names. Thenceforth, the IoCs list provided at the end of this blogpost is obviously nonexhaustive and shows only a small fraction of their operational infrastructure used for
attacks in 2021.

Webinar : How to improve the Analyst Experience with Sigma Correlation

Date : May, 31st – 4:00pm

**[SIGN IN](https://hubs.la/Q01bN6SD0)**


-----

## Implants seen during the walk

By looking at the implants connecting to this infrastructure in open source, we have been
**able to get several implants, that we assess were used by APT31 during their operations,**
such as Cobalt Strike beacons and an ELF implant dubbed “unifi-video” (MD5:
4640805c362b1e5bee5312514dd0ab2b), impersonating a well known IOT brand.

_Figure 2. Links between some APT31 campaigns, indicators and malware/tools from_
_[SEKOIA.IO Intelligence Center.](https://app.sekoia.io/intelligence/objects/intrusion-set--89f742c4-1479-4909-a348-b146bc92d28d)_

Among standard red-teaming tools, APT31 seems to be using Cobalt Strike as an n-stage
implant to persist inside the victim’s network. As shown in the table below, several beacons
connecting to the “Pakedge infrastructure” have been sent to VirusTotal packed in a PE to
VirusTotal. It is worth noting that as they have been packed in an executable file, the
**corresponding hash can’t be used to hunt for APT31 in your network.**

**Packed beacons MD5 hashes** **Associated C2**

f707759e05ab58296071ec50cc04c9fc fdexcute[.]com


-----

**Packed beacons MD5 hashes** **Associated C2**

dc30a177a104717d652a49887851f033 api[.]ontracting[.]com

362057b23605d83130bdeac749d404f2 www[.]cypolicy[.]com

0d71876ba535cde68c21aa9b3bb063d1 www[.]winservicecloud[.]com

Last but not least, our Cobalt Strike trackers spotted two Cobalt Strike listeners on the
discovered infrastructure:


**Brand seen on C2**


**Number of**
**C2s** **Description**


www[.]gsncloud[.]com 68.146.18[.]127 Cobalt Strike Malleable C2 Jquery profile from
22/03/2021 to 29/04/2021

api[.]tfhjugo[.]com 83.81.73[.]23 Cobalt Strike default headers on port 443 from
21/04/2021 to 17/05/2021

Unfortunately, the configurations associated with the discovered Cobalt Strike beacons are
pretty common and prevented us from getting more discriminant indicators linked to their use
of Cobalt Strike.

[During the hunting, we found an ELF implant on VirusTotal⁸ which matched the C2 —](https://www.virustotal.com/gui/file/e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94/details)
hardcoded in the sample — www[.]moperfectstore[.]com. We attribute this domain with
**medium to high confidence to APT31 as it resolved to Pakedge and CyberOAM**
appliances and matches some domain heuristics described above. As the domain didn’t
have any existence prior to 2021, we assess with medium to high confidence that the implant
was used by APT31.

This implant, dubbed “unifi-video” (MD5: 4640805c362b1e5bee5312514dd0ab2b), is a
statically-linked stripped 64bits ELF. Unifi-video is a well known legitimate software that
describes itself as a “Centralized management system for Ubiquiti UniFi surveillance
cameras”. It therefore echoes the compromised-appliance infrastructure used by APT31.

When analysing the file we noticed several routines overlapping with a known minimalistic
Unix backdoor named Rekoobe which was covered previously by a few cybersecurity
[vendors such as Dr Web⁹ and Intezer¹⁰.](https://vms.drweb.com/virus/?i=7754026&lng=en)

However, several questions remain unanswered regarding the real APT31 and Rekoobe
connection.

First, we don’t know at the time of writing whether Rekoobe’s source code is shared between
different threat actors or if Rekoobe has been operated by APT31 since it was first
discovered in 2015. Moreover, if APT31 operated this sample of Rekoobe, there is no


-----

**indication whether this implant is used in the infrastructure or to persist in an**
**appliance of a final victim, somewhere.**

ERRATUM (12/11/2021): While we initially thought that the implant
(4640805c362b1e5bee5312514dd0ab2b) was linked to Rekoobe, the security researcher
[Billy Leonard pointed out on Twitter [Billy Leonard’s tweet] that it was actually Tiny SHell](https://twitter.com/billyleonard/status/1458531997576572929)

[[GitHub repo] which we definitely agree. Tiny SHell has been used by multiple threat actors](https://github.com/creaktive/tsh)
since several years now and it is not surprising to see APT31 using it.

[Discover our CTI and XDR products](http://sekoia.io/en/contact/)

## Conclusion

Despite the lack of open source literature on this intrusion set, APT31 remains a prolific
**threat for years for many occidental entities working on government and strategic**
**issues. As of today, we don’t have a clear view of what they are looking for once they**
compromised the networks if it is for pre-positioning or data theft.

This blog post aimed to disclose some of their operational infrastructure and tools used this
year so that you can look for possible compromises in your networks.

If you are also investigating APT31, don’t hesitate to share your thoughts with us at
threatintel@sekoia.fr to better understand and track down their infrastructure.

## External references

**¹** [Bedrohung deutscher Stellen durch Cyberangriffe der Gruppierung APT31](https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/2021/bfv-cyber-brief-2021-1.pdf)

**²** [MVISION Insights: Potential APT31 Activity Against Political Targets,](https://kc.mcafee.com/corporate/index?page=content&id=KB94370)

**³** [Campagne d’attaque du mode opératoire APT31 ciblant la France](https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003/)

⁴ [FY21 Microsoft Digital Defense Report](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi)

⁵ [APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services](https://www.zscaler.fr/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online)

⁶ [UK and allies hold Chinese state responsible for a pervasive pattern of hacking](https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking)

⁷ China: Declaration by the High Representative on behalf of the European Union urging
[Chinese authorities to take action against malicious cyber activities undertaken from its](https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/)
territory

⁸ [Sample 4640805c362b1e5bee5312514dd0ab2b](https://www.virustotal.com/gui/file/e1999a3e5a611312e16bb65bb5a880dfedbab8d4d2c0a5d3ed1ed926a3f63e94/details)

⁹ [Linux.Rekoobe.1](https://vms.drweb.com/virus/?i=7754026&lng=en)


-----

⁰ [Linux Rekoobe Operating with New, Undetected Malware Samples](https://www.intezer.com/blog/malware-analysis/linux-rekoobe-operating-with-new-undetected-malware-samples/)

## Tactics, Techniques and Procedures (TTPs)

Exploit Public-Facing Application (T1190)
Non-Application Layer Protocol (T1095)
Application Layer Protocol (T1071)
Process Injection (T1055)
Phishing (T1566)
Compromise Infrastructure (T1584)
Acquire Infrastructure (T1583)
Develop Capabilities: Malware (T1587.001)
Obtain Capabilities: Malware (T1588.001)

## IoCs

The IOCs are provided “as is”. Even if the domain names are a reliable way to hunt APT31 in
your network logs, the IP addresses can produce false positives as they rely mostly on legit
home routers. All the IOCs can be downloaded in JSON STIX2.1 and CSV formats on the
SEKOIA.IO Github: [https://github.com/SEKOIA-IO/Community/tree/main/IOCs](https://github.com/SEKOIA-IO/Community/tree/main/IOCs)

### Domain names


-----

```
netgearcloud[.]net
neccloud[.]net
netgear-update[.]com
www[.]netgearupdatecheck[.]com
ns[.]netgear-update[.]com
www[.]winserviceupdate[.]com
winserviceupdate[.]com
www[.]pi-hole[.]us
www[.]qnapphoto[.]com
update[.]hardis-software[.]com
www[.]moperfectstore[.]com
info[.]miksupport[.]com
api[.]ontracting[.]com
www[.]fwcheck[.]com
portal[.]icb-transer[.]com
www[.]cypolicy[.]com
remotetimecheck[.]com
api[.]tfhjugo[.]com
www[.]camupdatecheck[.]com
www[.]jsonamazon[.]com
www[.]serverupdatecheck[.]com
www[.]nas-timesync[.]com
www[.]mikupdate[.]com
www[.]mikrotikupdate[.]com
www[.]winservicecloud[.]com
www[.]sophosfwupdate[.]com
www[.]deviceupdatecheck[.]com
sso[.]futuremixed[.]com
futuremixed[.]com
support[.]deviceupdatecheck[.]com
www[.]figaro-news[.]com
www[.]switch-netgear[.]com
www[.]veritasdiag[.]com
fdexcute[.]com
www[.]fdexcute[.]com
www[.]miksupport[.]com
status[.]veritasdiag[.]com
www[.]deviceupdatesupport[.]com
www[.]keys-networks[.]com
srv[.]keys-networks[.]com
keys-networks[.]com
www[.]oslookup[.]com
www[.]gsncloud[.]com

### IP Addresses

```

-----

```
213[.]21[.]100[.]188
108[.]46[.]133[.]103
108[.]54[.]184[.]30
116[.]86[.]137[.]232
158[.]174[.]170[.]19
184[.]75[.]129[.]113
185[.]129[.]252[.]187
185[.]130[.]165[.]59
185[.]89[.]55[.]24
185[.]96[.]198[.]75
188[.]165[.]73[.]52
189[.]121[.]150[.]254
213[.]238[.]234[.]249
217[.]210[.]180[.]113
217[.]211[.]53[.]251
45[.]147[.]229[.]194
50[.]71[.]100[.]164
58[.]182[.]61[.]137
58[.]96[.]237[.]98
71[.]64[.]151[.]132
73[.]229[.]137[.]54
78[.]82[.]247[.]37 
81[.]227[.]88[.]108
81[.]232[.]51[.]161
81[.]234[.]227[.]62
81[.]236[.]182[.]199
81[.]83[.]4[.]48
82[.]127[.]26[.]151
82[.]136[.]76[.]142
83[.]253[.]189[.]234
83[.]81[.]73[.]23
84[.]23[.]132[.]127
85[.]166[.]160[.]50
85[.]226[.]191[.]68
85[.]229[.]70[.]242
86[.]4[.]247[.]233
88[.]129[.]239[.]96
88[.]129[.]39[.]248
88[.]88[.]141[.]177
89[.]31[.]225[.]131
89[.]31[.]228[.]228
89[.]31[.]228[.]238
90[.]224[.]137[.]58
91[.]117[.]133[.]53
91[.]235[.]247[.]248
93[.]240[.]145[.]166
95[.]236[.]16[.]215
95[.]34[.]0[.]182
96[.]89[.]114[.]192
98[.]128[.]185[.]162
99[.]252[.]170[.]14
68[.]146[.]18[.]127
5[.]252[.]176[.]102

### Yara Rules

```

-----

```
rule unk_apt31_tsh_2021 {
  meta:
    description = "Detect APT31-linked TSH sample. This rule is quite specific
with the $s3 string. We would advise removing this string to cover other TSH
samples."
    version = "1.0"
    creation_date = "2021-10-11"
    modification_date = "2021-10-11"
    classification = "TLP:WHITE"
    hash = "4640805c362b1e5bee5312514dd0ab2b"
    source="SEKOIA.IO"
    version="1.0"
  strings:
    $s1 = { C6 00 48 C6 40 05 49 C6
    40 01 49 C6 40 06 4C C6
    40 02 53 C6 40 07 45 C6
    40 03 54 C6 40 08 3D C6
    40 04 46 C6 40 09 00 }
    $s2 = { C6 00 54 C6 40 03 4D C6
    40 01 45 C6 40 04 3D }
    $s3 = "www.moperfectstore.com"
  condition:
    int32be(0) == 0x7f454c46 and
    filesize < 1MB and filesize > 900KB and
    all of them
}
rule apt_misp_apt31_orb_2021 {  
  meta:
    description = "Detects APT31 ORB implant"
    version = "1.0"
    creation_date = "2021-10-11"
    modification_date = "2021-10-11"
    classification = "TLP:WHITE"
    hash = "77c73b8b1846652307862dd66ec09ebf"
      source="SEKOIA.IO"
    version="1.0"
  strings:
    $s1 = "mv -f %s %s ;chmod 777 %s"
    $s2 = "GET /plain HTTP/1.1"
    $s3 = "exc_cmd time out"
    $s4 = "exc_cmd pipe err"
    $s5 = { 2e 2f [1-10] 20 20 64 65 6c }
  condition:
    int32be(0) == 0x7f454c46 and 
    filesize < 800KB and     filesize > 400KB and 
    4 of ($s*)
}

## Chat with our team!

```

-----

Would you like to know more about our solutions? Do you want to discover our XDR and CTI
products? Do you have a cybersecurity project in your organization? Make an appointment
and meet us!

**[Contact us](https://www.sekoia.io/en/contact/)**


-----