The menuPass Sample
Hidden on Page 24 of the FireEye report referenced in our previous article, is the start of a thread that, if pulled, leads to more APT10 individuals. It is a Poison Ivy sample (b08694e14a9b966d8033b42b58ab727d). The sample connects to a C2 server at js001.3322[.]org. Incidentally, the connection password used by the sample is “xiaoxiaohuli”, Chinese for “littlelittlefox” (小小狐狸), a useful data point that helps to confirm the connection to China.
js001.3322[.]org to 222.35.137[.]193
In 2010, around the time of this APT10 activity, the domain js001.3322[.]org resolved to IP address 222.35.137[.]193 , an IP address in Beijing, China.
The IP address 222.35.137[.]193 has other connections to APT10 too. A search of other domains that have resolved to the IP reveals that weile3322b.3322[.]org resolved to the IP between 23 January 2010 and 15 February 2012. The weile3322b domain is listed as an APT10 domain in commercial threat intelligence reporting. The IP address can therefore be said to have been associated with APT10 for a significant period of time.
222.35.137[.]193 to Tianjin, China
Analysis of a further Poison Ivy malware sample (a4754be7b34ed55faff832edadac61f6) from early 2010 indicates that it connected to the same 222.35.137[.]193 IP address in Beijing. This malware was initially distributed in an e-mail phishing campaign originating from masao_tomikawas[at]yahoo.com. There is a complete analysis available at Contagio.
Inspection of the SMTP headers for the original e-mail campaign reveals the originating IP address of the campaign, 218.67.128[.]26. That IP address resolves to China Unicom in Tianjin. Whoever is behind APT10, therefore, could well be based in Tianjin.
Also hidden in the SMTP headers of the spam e-mail is the hostname of the computer that submitted the e-mail – fisherxp-pc[.]domain. fisherxp is a relatively unique name that we believe has been used by one of the APT10 actors for some time.
Twitter account @fisherxp was registered in January 2010 and has posted 11 times. Most are hacking or information security related retweets in English or Chinese.
In further confirmation of the account owner’s association with (or at least interest in) APT10, the account began following @intrusion_truth the day after this blog exposed APT10 actor Zheng Yanbin.
@fisherxp is also a valid Tencent Weibo QQ account containing a photo of, presumably, the owner of the account.
The QQ feed contains years worth of postings. Amongst them is a photograph of a car belonging to the owner of the feed. It had been involved in an accident and bears Tianjin license plates.
The same photograph of the individual is associated with the ‘fisherxp’ account on a Wayback Machine copy of a website for natives of Shandong province now living in Tianjin.
Some years ago, in a post (since removed) on job.51cto.com, a user using the username fisherxp posted a job advert for the Tianjin Huaying Haitai Science and Technology Development Company (天津华盈海泰科技发展有限公司). The poster used the name ‘Mr Gao’ and telephone number +86 150 22550833.
Unfortunately the fisherxp account was removed from the job section of the website before Intrusion Truth could obtain a screenshot. Never-the-less an associated account with the same username remains on other parts of the site.
The name Gao and the same telephone number were also previosuly used online as contact details for Laoying Baichen Instruments Equipment Co. A Mr Gao listed as the contact and the address is given as Room 1102, Guanfu Mansion, 46 Xinkai Road, Hedong District, Tianjin (天津市河东区新开路46号冠福大厦1102).
The postcode of the Guanfu Mansion on Xinkai Road is 300011, as confirmed by several unrelated postings online relating to different companies in the same building. The 300011 postcode will prove important later.
Identifying an individual in Tianjin with the surname Gao isn’t easy, But cyber threat intelligence analysts following APT10 closely, and working with this blog, have confirmed that the photo of fisherxp shown above was previously used online by Tianjin resident Gao Qiang, including on his Facebook page.
In summary, fisherxp, a username probably used by Gao Qiang, was associated with hacking activity linked to known APT10 command and control servers. He is based in Tianjin, China and has probably worked for at least two companies in the city.
One thought on “Who is Mr Gao?”
Comments are closed.