In our last post we showed how, through WHOIS data, it is possible to identify Wu Yingzhuo, an APT3 operator who registered domain names for the group and advertised online offering help with Trojan development.
The story finished with httb[.]net, a domain name that we showed was connected to APT3, and that was registered to Yingzhuo Wu. In this post we will show how the trail continues and allows us to identify a second APT3 member, Mr Dong.
From httb to biglit
DNS research on httb[.]net reveals a second IP address: 61.129.67[.]53. Three other interesting domains have previously resolved to it. They are vcersoft[.]com, uyre[.]net and inc-work[.]com.
Note also the inclusion of ciscocorp[.]com in the list above – it is one of the domains associated with the wyz5678[at]163.net address associated with Wu Yingzhuo.
Looking at the three newly identified domains, WHOIS information for all three includes a new e-mail address, biglit[at]gmail.com.
From biglit to tianyu
The biglit e-mail address appeared in registration information for a number of other domains, including microsoft-ie[.]com. Historic WHOIS information for this domain includes the e-mail address tianyu12[at]msn.com.
And back to biglit
In addition to the microsoft-ie[.]com domain, the tianyu12 e-mail address also appeared in registration data for unixfocus[.]net. But tianyu12 was not the only e-mail address that appears in historic registration data for the domain. A previous address was biglit[at]163.net, similar to the biglit Gmail address mentioned earlier.
Completing the chain, the new biglit address appeared in the WHOIS information for another new domain: shuyan[.]com. And the name that appeared in the shuyan registration record was … Dong Hao.
So, from the httb[.]net domain identified in our last post and registered by Wu Yingzhuo, we have followed a chain through a server in Shanghai, vcersoft[.]com, microsoft-ie[.]com and unixfocus[.]net to find Dong Hao, a second APT3 operator involved in registering domain names.
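The chain above is a graph walk: every passive-DNS resolution and every historic WHOIS record is an edge between two indicators (domain, IP, e-mail address, registrant name), and the attribution is the shortest path from the starting domain to a person. The script below is an added example and is not code from the original post. The relationships it encodes are exactly the ones described on this page; the record layout (subject, relation, object triples) is a constructed stand-in for whatever a real passive-DNS or historic-WHOIS export looks like, and the `max_degree` filter is our own addition, there to show the check an analyst applies before trusting a hop through a shared-hosting IP or a registrar privacy address that links hundreds of unrelated domains.

```python
"""Infrastructure pivot graph over historic WHOIS and passive-DNS observations.

Added example, not part of the original post. The edges below are the
relationships the post describes (indicators kept in the post's defanged
form); the triple layout is a constructed stand-in for a real data export.
"""
from collections import defaultdict, deque

# Constructed observations: (subject, relation, object).
#   resolved_to       -> passive DNS
#   registrant_email  -> historic WHOIS e-mail field
#   registrant_name   -> historic WHOIS name field
OBSERVATIONS = [
    ("httb[.]net", "registrant_name", "Wu Yingzhuo"),
    ("httb[.]net", "resolved_to", "61.129.67[.]53"),
    ("vcersoft[.]com", "resolved_to", "61.129.67[.]53"),
    ("uyre[.]net", "resolved_to", "61.129.67[.]53"),
    ("inc-work[.]com", "resolved_to", "61.129.67[.]53"),
    ("vcersoft[.]com", "registrant_email", "biglit[at]gmail.com"),
    ("uyre[.]net", "registrant_email", "biglit[at]gmail.com"),
    ("inc-work[.]com", "registrant_email", "biglit[at]gmail.com"),
    ("microsoft-ie[.]com", "registrant_email", "biglit[at]gmail.com"),
    ("microsoft-ie[.]com", "registrant_email", "tianyu12[at]msn.com"),
    ("unixfocus[.]net", "registrant_email", "tianyu12[at]msn.com"),
    ("unixfocus[.]net", "registrant_email", "biglit[at]163.net"),
    ("shuyan[.]com", "registrant_email", "biglit[at]163.net"),
    ("shuyan[.]com", "registrant_name", "Dong Hao"),
]


def build_graph(observations):
    """Undirected adjacency map: node -> {neighbour: relation}.

    Every indicator type becomes a node, so a pivot can run in either
    direction (domain -> e-mail -> domain, domain -> IP -> domain, ...).
    """
    graph = defaultdict(dict)
    for subject, relation, obj in observations:
        graph[subject][obj] = relation
        graph[obj][subject] = relation
    return graph


def pivot_path(graph, start, goal, max_degree=None):
    """Shortest pivot chain from start to goal, found by breadth-first search.

    Intermediate nodes with more than max_degree neighbours are skipped:
    a shared-hosting IP or a registrar's privacy-service address connects
    many unrelated domains and is too weak to pivot through on its own.
    Returns a list of (from, relation, to) hops, or None if no chain exists.
    """
    if start not in graph or goal not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for nxt in graph[node]:
            if nxt in parent:
                continue
            if nxt != goal and max_degree is not None and len(graph[nxt]) > max_degree:
                continue  # noisy hub: do not pivot through it
            parent[nxt] = node
            queue.append(nxt)
    if goal not in parent:
        return None
    # Walk back from the goal, recording the relation used at each hop.
    hops = []
    node = goal
    while parent[node] is not None:
        prev = parent[node]
        hops.append((prev, graph[prev][node], node))
        node = prev
    hops.reverse()
    return hops


def chain_indicators(hops):
    """Flatten a hop list into the ordered indicators traversed."""
    if not hops:
        return []
    return [hops[0][0]] + [hop[2] for hop in hops]


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    for frm, rel, to in pivot_path(g, "httb[.]net", "Dong Hao") or []:
        print(f"{frm:22} --{rel}--> {to}")
    # With the shared IP treated as a noisy hub (max_degree=3) the chain breaks:
    print("strict:", pivot_path(g, "httb[.]net", "Dong Hao", max_degree=3))
```

Run without a degree limit, the search reproduces the post's chain in nine hops (httb[.]net, the Shanghai IP, vcersoft[.]com, the biglit Gmail address, microsoft-ie[.]com, tianyu12, unixfocus[.]net, biglit at 163, shuyan[.]com, Dong Hao). With `max_degree=3` the IP is treated as a hub and no chain is found, which is the point of the check: the IP hop is only credible here because the three domains behind it share a registrant e-mail as well, so the WHOIS edges corroborate the passive-DNS edge rather than the IP carrying the attribution alone.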
But who are Wu Yingzhuo and Dong Hao? We will reveal soon exactly where they work, and from whom they receive their orders. Read our next post for more truth behind this intrusion.