Home / Industry

Stately Taurus APT Group Targets Asian Countries: What Do the Campaign IoCs Reveal?

A decade-old advanced persistent threat (APT) group called “Stately Taurus,” also known as “Mustang Panda” and “Earth Preta,” was recently observed targeting Association of Southeast Asian Nations (ASEAN) countries in cyberespionage activities. Specifically, Palo Alto Networks observed two malware packages that may have been used to target Japan, Myanmar, the Philippines, and Singapore. The threat group used these packages on 4—5 March 2024, around the same days the ASEAN-Australia Special Summit was held.

Building on lists of indicators of compromise (IoCs) published by Palo Alto Networks and Trend Micro comprising eight subdomains, 13 domains (including six extracted from the subdomains tagged as IoCs), and 15 IP addresses, the WhoisXML API research team uncovered:

  • 61 email-connected domains
  • Four additional IP addresses
  • One IP-connected domain
  • 67 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download on our website.

Stately Taurus IoC Profile and Analysis

When analyzing an attack infrastructure, our usual first step is to gather the WHOIS details of the domains tagged as IoCs. For Stately Taurus, we did a bulk WHOIS lookup for 13 domains, six of which were extracted from the 8 subdomains found on the IoC list. We uncovered the following details:

  • Four registrars administered them—NameCheap, Inc. with six domains; NameSilo LLC with five domains; and Cool River Names LLC and Hosting Concepts with one domain each.
  • The oldest domain was registered in August 2022 while the newest was created in February 2024. Nine of the domains were created in 2023, three in 2022, and one in 2024.

  • Their registrations were spread across four registrant countries—six domains in Iceland, five in the U.S., and one each in France and the Netherlands.

The next step was to subject the 15 IP addresses tagged as IoCs to a bulk IP geolocation lookup, leading us to discover that:

  • The IP addresses were geolocated across seven countries. Seven originated from China; three from the U.S.; and one IP address each from Malaysia, Singapore, Spain, India, and Australia.
  • They were controlled by eight ISPs. Four IP addresses were under XNNET LLC and one each was administered by TheGigabit, M247, The Constant Company, DigitalOcean, Cloudie, MultaCOM, and xTom Japan. Four IP addresses were possibly unassigned.

Stately Taurus IoC Expansion

After analyzing the attack infrastructure of the APT group, we expanded the lists of IoCs to obtain additional threat artifacts or web properties that could be connected to Stately Taurus.

WHOIS History API searches for the domain IoCs led us to discover 38 email addresses in their historical WHOIS records, eight of which were public. Reverse WHOIS API revealed that these public email addresses appeared in the current WHOIS records of 61 domains.

For our next step, we ran DNS lookups on the seven domains and eight subdomains tagged as IoCs to obtain their IP resolutions. This led us to discover four additional IP addresses.

Performing IP geolocation lookups on the four IP addresses revealed that:

  • They can be traced to different countries, specifically Malaysia, the Netherlands, Germany, and China.
  • They were administered by three ISPs. EstNOC managed two IP addresses and GB Network Solutions and Amazon.com controlled one each.

We also ran the four additional IP addresses on Threat Intelligence API, revealing that they were all associated with various threats. The table below shows a couple of examples.

IP ADDRESSESASSOCIATED THREAT TYPES
103[.]28[.]91[.]193Malware
3[.]64[.]163[.]50Command and control (C2)
Phishing
Malware
Spam

Next, we subjected the 15 IP addresses tagged as IoCs and four additional IP addresses (i.e., 19 IP addresses in total) to reverse IP lookups, which showed that two were potentially dedicated. They led to only one IP-connected domain after removing duplicates, the IoCs, and the email-connected domains.

Finally, we analyzed the IoCs’ string usage, focusing on finding other domains containing the text strings used in the domain IoCs. To do that, we used the following search parameters and strings on Domains & Subdomains Discovery and found 67 string-connected domains.

  • Starts with electric and contains tulsa
  • Starts with iviber
  • Starts with meet and contains viber
  • Contains viber and api.
  • Starts with getfiledown
  • Starts with getfilefox
  • Starts with estmongolia
  • Starts with openservername
  • Starts with nerdnooks
  • Starts with daydreamdew
  • Starts with comsnews
  • Starts with bonuscave
  • Starts with markplay.

Meanwhile, we noticed that most of the third-level domains of the subdomains tagged as IoCs were generic tech-related terms, such as images, web, news, ai, and www. A wildcard search on Threat Intelligence API revealed that these strings that appeared in the IoCs also showed up in hundreds of other IoCs involved in malware, phishing, and various threats. Some examples are shown in the table below.

TEXT STRINGNUMBER OF IoCs CONTAINING THE STRING
images.*225
web.*801
news.*501
ai.*123
www.*10,000

A similar search on Threat Intelligence API using the strings that appeared in the domain IoCs revealed that there are already 31 IoCs containing the string viber and 75 starting with the string getfile.


Our investigation of the IoCs associated with the recent Stately Taurus APT campaigns began with eight subdomains, 13 domains (six of which were extracted from the subdomains tagged as IoCs), and 15 IP addresses.

After digging through their WHOIS details, IP geolocation data, and string usage, we found more than 130 connected artifacts comprising 61 email-connected domains, four additional IP addresses, an IP-connected domain, and 67 string-connected domains.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global