GreenSpot APT Targets NetEase 163.com Users with Fake Download Pages and Spoofed Domains

The GreenSpot APT group, active since 2007 and believed to be based in Taiwan, targets entities in China, utilizing phishing campaigns aimed primarily at stealing login credentials from users of the 163.com email service. The group registers deceptive domains to impersonate legitimate services, hosting malicious login pages and download services to lure victims.

Affected: Government entities, academic institutions, military, 163.com email users

Key points:

  • The GreenSpot APT group has been active since at least 2007 and operates from Taiwan.
  • Targets include government, military, and academic entities in China, mainly through phishing attacks.
  • 163.com, a free email service, has been a frequent target for credential theft.
  • Deceptive domains are registered to mimic 163.com services, hosting malicious login pages.
  • Phishing infrastructure indicates links to GreenSpot due to similar patterns and registration methods.
  • JavaScript code on malicious pages dynamically redirects users and potentially captures credentials.
  • Malicious download services pressure users to enter credentials under the guise of downloading documents.
  • The campaign illustrates risks that free email services pose without enhanced security features.
  • Recommendations include enabling multi-factor authentication and monitoring for unusual domain activity.

MITRE Techniques:

  • Phishing (T1566) – The group utilizes phishing campaigns to harvest user credentials.
  • Domain Fronting (T11765) – They register deceptive domains that mimic legitimate services.
  • Credential Dumping (T1003) – The campaign aims to capture login credentials through malicious forms.
  • Exploitation of Public-Facing Application (T1190) – They exploit web interfaces to harvest user data.

Indicators of Compromise:

  • Domain: mail[.]ll63[.]net
  • Domain: mail[.]eco163[.]com
  • IP Address: 139.162.62[.]21
  • Domain: l2024163[.]com (malicious download page)
  • IP Address: 198.13.56[.]201
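The recommendation to monitor for unusual domain activity can be turned into a concrete check against the indicators above. The following Python script is an added example, not code from the report or from Hunt.io: it refangs the published domains and IPs, then scans web-proxy log lines for exact IoC matches and for lookalike registrable domains that embed "163" after folding common digit/letter confusables (l/i to 1, o to 0), which is what catches spellings like ll63 and l2024163. The log format, the sample lines and the client IPs are constructed for the example, and the registrable-domain logic is a two-label simplification that assumes no public-suffix list.

```python
import re
from urllib.parse import urlsplit

# IoCs as published in the report (defanged); refang() makes them matchable.
REPORT_DOMAINS = ["mail[.]ll63[.]net", "mail[.]eco163[.]com", "l2024163[.]com"]
REPORT_IPS = ["139.162.62[.]21", "198.13.56[.]201"]

LEGIT_BASE = "163.com"  # the impersonated service


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as mail[.]ll63[.]net into a plain hostname or IP."""
    return indicator.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in REPORT_DOMAINS}
IOC_IPS = {refang(ip) for ip in REPORT_IPS}

# Letters commonly swapped for digits in lookalike domains (assumption: this small map is enough here).
_CONFUSABLES = str.maketrans({"l": "1", "i": "1", "o": "0"})


def is_legit(host: str) -> bool:
    """True for 163.com itself and any of its subdomains."""
    return host == LEGIT_BASE or host.endswith("." + LEGIT_BASE)


def registrable_domain(host: str) -> str:
    """Last two labels; a simplification (no public-suffix list) adequate for .com/.net."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_163(host: str) -> bool:
    """Flag registrable domains whose first label embeds '163' once confusables are folded,
    excluding the genuine 163.com zone."""
    if is_legit(host):
        return False
    base = registrable_domain(host).translate(_CONFUSABLES)
    return "163" in base.split(".")[0]


def classify(host: str) -> str:
    """Return 'ioc', 'legit', 'lookalike' or 'clean' for a hostname or IP."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS or host in IOC_DOMAINS or registrable_domain(host) in IOC_DOMAINS:
        return "ioc"
    if is_legit(host):
        return "legit"
    if looks_like_163(host):
        return "lookalike"
    return "clean"


# Constructed proxy log format: <timestamp> <client_ip> <destination_ip> <url>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<dst>\S+) (?P<url>\S+)$")

# Constructed sample log lines (not real traffic); 203.0.113.0/24 is documentation address space.
SAMPLE_PROXY_LOG = [
    "2024-05-01T08:01:12Z 10.0.0.5 203.0.113.10 https://mail.163.com/",
    "2024-05-01T08:02:40Z 10.0.0.7 139.162.62.21 https://mail.ll63.net/login.html",
    "2024-05-01T08:03:05Z 10.0.0.9 198.13.56.201 https://l2024163.com/download/doc.pdf",
    "2024-05-01T08:04:51Z 10.0.0.7 203.0.113.77 https://secure-163mail.net/index",
    "2024-05-01T08:05:30Z 10.0.0.5 203.0.113.12 https://example.com/",
]


def scan_log(lines):
    """Return (line_number, client_ip, indicator, verdict) for every line that is not clean.
    The URL host is checked first, then the destination IP, so a legitimate-looking host
    that resolves to a listed IP is still reported."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        host = urlsplit(m["url"]).hostname or ""
        for candidate in (host, m["dst"]):
            verdict = classify(candidate)
            if verdict in ("ioc", "lookalike"):
                hits.append((n, m["client"], candidate, verdict))
                break
    return hits


if __name__ == "__main__":
    for n, client, indicator, verdict in scan_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: client {client} -> {indicator} [{verdict}]")
```

Exact IoC hits are the high-confidence alerts; the lookalike verdict is a triage signal that will also fire on unrelated domains containing 163, so review those before blocking.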

Full Story: https://hunt.io/blog/greenspot-apt-targets-163com-fake-downloads-spoofing