APT36 or Earth Karkaddan is an advanced persistent threat (APT) actor group targeting various government entities, most especially those based in India. The indicators of compromise (IoCs) published for its campaigns cover only a few domains and IP addresses along with related malware hashes.
Organizations that wish to block all possibly related domains, email addresses, and IP addresses may find it difficult. Tracking all those web assets down is tedious and time-consuming, not to mention likely impossible, for entities without dedicated cybersecurity teams or the resources to do so.
WhoisXML API researchers have attempted to uncover APT36’s digital footprint in this study, which found:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download the related threat research materials here.
At least two of the published reports on APT36 or Earth Karkaddan (by Trend Micro and AlienVault) provided two domains and IP addresses each related to the threat. We used those malicious web properties as search terms for various WHOIS, IP, DNS, and other threat intelligence tools to get our more in-depth investigation going.
We began by looking at the WHOIS records of the two domain IoCs. That led to the discovery of an unredacted domain registrant email address.
Using that email address as a reverse WHOIS search term uncovered at least 10,000 domains that could have ties to APT36 or Earth Karkaddan. These digital properties include:
A bulk malware check on Threat Intelligence Platform (TIP) revealed that 68 of these possibly connected domains are dubbed “dangerous” by various malware engines. Examples are:
Note the use of common search terms people may type at work. Employees searching for general news or information may unknowingly land on pages that host CapraRAT or Android RAT, the malware APT36 or Earth Karkaddan actors use to infiltrate their targets' networks. Those who mistype facebook[.]com or who want to know more about Microsoft Office products can easily fall victim too.
Those were, however, not the only potentially connected artifacts we found. Subjecting the two domain IoCs to DNS lookups gave us their IP address resolutions—204[.]11[.]56[.]48 and 205[.]144[.]171[.]198. Using these as reverse IP search terms led us to discover an additional 599 possibly connected domains. Examples include:
While none of them are currently tagged “malicious,” the fact that they share the domain IoCs’ IP addresses means they are at least worth monitoring to ensure utmost security.
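The pivot chain described above (registrant email to reverse WHOIS, DNS resolution to reverse IP, then a malware check to separate what to block from what to monitor) can be replayed offline. The block below is an added example, not WhoisXML API's code: only the two IP addresses come from the post, and every domain, email address and verdict is constructed sample data standing in for the lookup results.

```python
from typing import Dict, Set

# Constructed sample data standing in for reverse-WHOIS, passive-DNS, reverse-IP and
# bulk malware-check responses. Only the two IP addresses appear in the post.
IOC_DOMAINS = {"ioc-one[.]example", "ioc-two[.]example"}          # defanged, as published
WHOIS_EMAIL = {"ioc-one.example": "registrant@example.invalid",   # unredacted registrant
               "ioc-two.example": "registrant@example.invalid"}
REVERSE_WHOIS = {"registrant@example.invalid": {"ioc-one.example",
                                                "faceboook-login.example",
                                                "office-tips.example"}}
DNS_A = {"ioc-one.example": "204.11.56.48", "ioc-two.example": "205.144.171.198"}
REVERSE_IP = {"204.11.56.48": {"ioc-one.example", "shared-host-a.example"},
              "205.144.171.198": {"ioc-two.example", "shared-host-b.example"}}
MALWARE_VERDICT = {"faceboook-login.example": "dangerous"}        # everything else: clean


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 204[.]11[.]56[.]48 back into a usable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def expand_iocs(seed_domains: Set[str]) -> Dict[str, Dict[str, str]]:
    """Replay the post's pivots and return {domain: {"tier": ..., "reason": ...}}.

    'block'   - published IoCs and expanded domains a malware check flags as dangerous
    'monitor' - expanded domains whose only link is shared registrant or hosting
    The reason string records the pivot path so an analyst can justify each entry.
    """
    seeds = {refang(d) for d in seed_domains}
    candidates: Dict[str, str] = {}  # domain -> how it was reached (first path wins)
    for seed in seeds:
        email = WHOIS_EMAIL.get(seed)
        for d in REVERSE_WHOIS.get(email, set()):
            candidates.setdefault(d, f"reverse WHOIS on {email} (from {seed})")
        ip = DNS_A.get(seed)
        for d in REVERSE_IP.get(ip, set()):
            candidates.setdefault(d, f"reverse IP on {ip} (from {seed})")
    result = {s: {"tier": "block", "reason": "published IoC"} for s in seeds}
    for domain, how in candidates.items():
        if domain in result:
            continue
        verdict = MALWARE_VERDICT.get(domain, "clean")
        tier = "block" if verdict == "dangerous" else "monitor"
        result[domain] = {"tier": tier, "reason": f"{how}; malware check: {verdict}"}
    return result
```

Swap the constructed dictionaries for real API responses and the tiering logic stays the same: shared infrastructure alone earns a watchlist entry, a malware verdict earns a block.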
As this study showed, no IoC list is ever as complete or exhaustive as we may think. It is always worth the extra effort to dig deeper into publicized IoCs, because they can lead to the discovery of thousands of other web properties that could put your network at risk of becoming the next APT36 or Earth Karkaddan victim.
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.