The Malaysian CERT published an advisory on 5 February.
It lists many TTPs and IOCs for this group:
Several of the links are interesting:
The first are the two IPs 195.12.50.168 and 167.99.72.82. In my Yeti instance, I found many related observables on them:

hxxp://195.12.50.168/D2_de2o@sp0/ and hxxp://167.99.72.82/main.dotm
These URLs were used by a campaign discovered by ClearSky:
A file named "Timelines - ECRL.docx" (likely referring to the Malaysian "East Coast Rail Link" project) uses template injection to load a macro from 167.99.72\.82. The macro drops an unknown DLL backdoor and side-loads it via MsMpEng.exe. Then it beacons to the C2 at 195.12.50\.168,
targeting Malaysia. The victimology is interesting because it concerns the transport industry.
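Remote template injection leaves a very small footprint in the document itself: the .docx contains no macro, only a relationship in word/_rels/settings.xml.rels whose Target is the remote .dotm that Word fetches on open. The script below is an added example (mine, not ClearSky's or the advisory's tooling) that extracts those external attachedTemplate targets from a .docx, defangs them, and flags any whose host is one of the two IPs above. The .docx it scans is constructed in memory for the demonstration and is not the real "Timelines - ECRL.docx"; the IOC host list is the assumption that those two IPs are the only ones you care about.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# IOC hosts taken from the advisory and tweets discussed in this post.
IOC_HOSTS = {"195.12.50.168", "167.99.72.82"}

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def remote_templates(docx_bytes):
    """Return external attachedTemplate targets found in a .docx.

    Remote template injection points word/_rels/settings.xml.rels at a .dotm
    hosted elsewhere; Word fetches it when the document is opened, and the
    template's macros are what actually run (no macro lives in the .docx).
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return targets
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def defang(url):
    """hxxp://1[.]2[.]3[.]4/x style defanging so a finding can be pasted into a report."""
    scheme, sep, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + sep + host.replace(".", "[.]") + slash + path


def scan_docx(docx_bytes):
    """Classify every external template reference in the document."""
    findings = []
    for target in remote_templates(docx_bytes):
        host = urlparse(target).hostname or ""
        findings.append({
            "target": defang(target),
            # A local file:// template is common in legitimate corporate docs;
            # an http(s) template is suspicious, and a known C2 host is an incident.
            "remote_http": target.lower().startswith(("http://", "https://")),
            "known_ioc": host in IOC_HOSTS,
        })
    return findings


def build_sample_docx(template_url=None):
    """Constructed minimal .docx for testing (not a real sample from the campaign)."""
    rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
           f'Target="{template_url}" TargetMode="External"/>') if template_url else ""
    files = {
        "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/settings.xml": '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        "word/_rels/settings.xml.rels": '<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS}">{rel}</Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    # Simulates the ECRL lure: a .docx whose template is fetched from the second IP.
    for finding in scan_docx(build_sample_docx("http://167.99.72.82/main.dotm")):
        print(finding)
```

The check only looks at settings.xml.rels, which is where Word stores the attached template; it will not catch a .dotm or OLE-based lure, so treat a hit as a confirmation, not a clean bill of health when empty. Any http(s) target is worth pulling and detonating even when the host is not yet on your IOC list, since the macro lives on the server and can be swapped at any time.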
Another interesting link in this advisory is to a campaign from November:
https://app.any.run/tasks/ed03d492-688e-4182-9a06-6f65d8cb18fc/
found by
DADJOKE loader from Malaysian attacks linked to TEMP.Periscope #APT group: 8a133a382499e08811dceadcbe07357e accountsx.bounceme[.]net https://t.co/jigxWdiabz #Leviathan #APT40
The malware used here is DADJOKE.
APT40 is a Chinese group active in South-East Asia, close to the MSS (China's Ministry of State Security) according to Intrusion Truth: https://intrusiontruth.wordpress.com/2020/01/16/apt40-is-run-by-the-hainan-department-of-the-chinese-ministry-of-state-security/
Article link: APT 40 in Malaysia | by Sebdraven | Medium