Trusted Design

KingKong.dll - Recent PoisonIvy and PlugX variants targeting South East Asia

概要

(Description updated in 2018) The Vietnamese government published a brief analysis of spearphishes it had encountered in 2017, such as APEC-SMEWG Strategic Plan 2017-2020.doc. This pulse includes indicators from this analysis, and indicators from other campaigns that employ related malware. The attackers deliver malware through topically titled spearphises, for example Energy_Data_Meeting_fall_2016. Many documents call out to tetrasecured[.]com/word/webstat/image.php?id= (sinkholed by AlienVault) to track when when they are opened. This domain also contains pages to phish credentials for popular online mail providers such as Gmail and Yahoo. It is likely these spearphishes are generated via a builder - so attribution to an exact group of attackers may be incorrect. Recent variants drop distinctively named malware such as KingKong.dll.

Created: 2026-02-23

Indicators

• URL - http://cgi.vietnamplos.com/9B786BDE4015A2D683FAF6C7 -
• URL - http://cgi.dcsvn.org/E8A1A7496696350CA2262423 -
• URL - http://cgi.vietnamplos.com/AEEC3EAB5EBBFF91623461B0 -
• hostname - news.vietnannet.com -
• FileHash-SHA256 - ad6c355c7fce56ff5675ed837e7932d38addcb35bc327d2c19616e5a5b132b44 -
• URL - http://www.meifushuo.com/NB_Server.exe -
• URL - http://cgi.vietnamplos.com/C18F42D2D413F13B91B01568 -
• URL - http://dalat.dulichovietnam.net:8001/277a757c6d6b31077a101266000476760700060e0000000400003237374137353743364436423331303700414e414c595354302d32443136373100000000000000000000000000000057696e5850205370332078383600000000000000000000000000000000000241646d696e69737472617 -
• URL - http://tetrasecured.com/ -
• YARA - 0362d09db3b6211152684f637a37c6bd28f8fc09 -
• URL - http://vnnexpress.org/ -
• URL - http://cgi.dcsvn.org/DE93932448E8288555BEDE1A -
• FileHash-SHA256 - fbe90a1550440373d4f1158808ea442b46baabb22193288227b928fd45ebe17d -
• YARA - 92d75aba732d4b1ac087057aa9771f5fc0e2ae94 -
• URL - http://www.tetrasecured.com/onlinesecuredocs/ -
• URL - http://cgi.dcsvn.org/E4AC8D6A1A105F7026C18FBC -
• FileHash-SHA256 - 128adaba3e6251d1af305a85ebfaafb2a8028eed3b9b031c54176ca7cef539d2 -
• URL - http://cgi.vietnamplos.com/7C78CD8DC51B9784E6179477 -
• URL - https://dalat.dalat.dulichovietnam.net/ -
• hostname - o0.nbddos.com -
• FileHash-SHA256 - 6f04cf2922322248dfb9f3b778a897a058f5b9353af85d076298682f4123a3c3 -
• URL - http://cgi.vietnamplos.com/A3E6ED4FB11DF43A3C4BCE37 -
• URL - http://cgi.dcsvn.org/2A51B49072168E3A4C4A8D14 -
• URL - http://www.tetrasecured.com/site/webstat/image.php -
• hostname - www.tetrasecured.com -
• domain - dulichovietnam.net -
• hostname - aag.teenplusa.com -
• URL - http://cgi.vietnamplos.com/66FE2DF98288C6A076A1EF5A -
• domain - phapluats.com -
• FileHash-MD5 - 9910528d5559152d135a718cf9a1ce75 -
• hostname - www.olinaodi.com -
• URL - http://cgi.dcsvn.org/EA27409C8AF2EE773DAF265B -
• URL - http://www.tetrasecured.com/ -
• hostname - home.vietnamplos.com -
• hostname - cgi.vnnexpress.org -
• YARA - 6257c0fe2321591e47a4e09bb240fe4082b85934 -
• FileHash-SHA256 - 3f72d582c732da6cbfa662b929ae326d0f274fe24ed6cb552d2cb7572fbe8b24 -
• URL - http://www.tetrasecured.com/tetra/webstat/image.php?id=72693963 -
• URL - http://zdmkk.f3322.net:2017 -
• hostname - chinhphu.ddns.ms -
• FileHash-SHA256 - f157bd9e418b67a14cfe550adbcd0285e60b484c2458a19522f9b0d2c0bb7798 -
• URL - http://cgi.dcsvn.org/E096F229A3EA4B2360BF33D0 -
• hostname - www.dalat.dulichovietnam.net -
• hostname - home.dcsvn.org -
• URL - http://cgi.vietnamplos.com/EB78C732427722AEB8362C12 -
• FileHash-SHA256 - 43135bf55550883ff4e68759c11611d09af77cb64a71aeeffe0c443143394372 -
• URL - http://cgi.dcsvn.org/14A127FD14A68506C4054C21 -
• URL - http://cgi.vietnamplos.com/3DACCCEE6E9CA47642D4F868 -
• FileHash-SHA256 - 78aaac086e44858b0eaf23a98a4839bc994fde682987ebb285bb67fea9c2dcac -
• FileHash-SHA256 - abded6e58d3659dfe1e802ed8ad9ed9b1cc95ee12476f0e7ea14a8829cae059e -
• URL - http://hanoi.dulichovietnam.net/ -
• hostname - dns.vnnexpress.org -
• URL - http://cgi.dcsvn.org/C01E129775E245521093AFA1 -
• URL - http://cgi.vietnamplos.com/CF9ACAFA86CB92E15DF87C54 -
• FileHash-SHA256 - d5b39417d72c34888939a7cdf39eb114a7c7d91d65fea2b9bf3f39944c56d3d1 -
• FileHash-SHA256 - 5b8bc003ee53791f636c92ddc3ac9388d3ac76e6471cb87d33321326c37e51a1 -
• URL - http://dalat.dulichovietnam.net -
• hostname - microsoft.authorizeddns.us -
• URL - http://cgi.dcsvn.org/48DBDCF1D90B18D132F82A7F -
• hostname - news.vnnexpress.org -
• URL - http://cgi.vietnamplos.com/605926222D5502CBEA748FE3 -
• hostname - home.vnnexpress.org -
• hostname - news.phapluats.com -
• FileHash-SHA256 - bde1dd56d17ee453f7a8ecd3f03bdd2ca8adc0fa94a267964f8356c529f51593 -
• hostname - dalat.dalat.dulichovietnam.net -
• YARA - 5347b5f760a79a97b276a45bdcb2d732469feea0 -
• FileHash-MD5 - 2226b418a6f23122ad5f68b1eaf13298 -
• URL - http://dalat.dalat.dulichovietnam.net/ -
• URL - http://cgi.vietnamplos.com/CD12C47E9D00BCAC561D80D5 -
• hostname - cgi.vietnamplos.com -
• hostname - microsoft.https443.org -
• URL - http://cgi.vietnamplos.com/85C1E8967BCF5F17AC1E4DCB -
• YARA - ebfde182928e8576f52609e019be3b2dd59978f3 -
• URL - http://cgi.dcsvn.org/5970B8233EF2389A1C7E36D4 -
• URL - http://news.vnnexpress.org/index.php -
• FileHash-SHA256 - dcef9a677d21f330d961d14140162293fed70122e18d7d6d479bc3510893b40c -
• URL - http://cgi.vietnamplos.com/E2574F05843DC6561ECB9827 -
• URL - http://ww.tetrasecured.com/ -
• YARA - 8fcb6810a3203a05a94748496fe24a6c39a0cc27 -
• hostname - www.winupdate.ddns.ms -
• FileHash-SHA256 - 313fc68a41334bced3455782e675cfd6702b2883e4b95c43718ab3a3c620c429 -
• URL - http://www.tetrasecured.com/word/webstat/image.php?id=73933097 -
• hostname - aat.teenplusa.com -
• URL - http://o0.nbddos.com:86/r2.exe -
• FileHash-SHA256 - f6fa92edef47bf142b81cceb3c707c22d43498480430fd197cb5d090bc4ae8d3 -
• URL - http://dulichovietnam.net/ -
• FileHash-SHA256 - dda9f27ece44fe2339a571ce64fded30d5b14953e6015c71147377900240b223 -
• hostname - microsoft.serveusers.com -
• URL - http://dalat.dulichovietnam.net/ -
• URL - http://cgi.vietnamplos.com/5564121DCBD3798231714241 -
• FileHash-MD5 - 819000db80738206e465f18deb27edfc -
• domain - dcsvn.org -
• FileHash-SHA256 - 9eee7f6ab649d60485eaaf042a4830ba19a8fc6731b3c2b58f7ac94dc7f5d150 -
• FileHash-SHA256 - ff9842b7c17f17c2f7d705138d4f00d77f3fb43f1860a6bb44c63a59382b92b5 -
• domain - vnnexpress.org -
• FileHash-MD5 - 77d13e9f04dec82e670a5afda0f2f14a -
• URL - http://tetrasecured.com/word/webstat/image.php?id=73933097 -
• URL - http://cgi.dcsvn.org/76E5D3404DEF6A22BA7FB840 -
• FileHash-SHA256 - 57e6ba04381d0fac67e402eaf02259909d8f8baf70dd6bb517a889428fb3a329 -
• FileHash-SHA256 - 2148f4d94487e4ff8e7d4384afc1e64a2a09176b792912a7aa557f1ade03c9e3 -
• FileHash-SHA256 - 8208542b7f13b218067883f481e4b2b297a70d9eaaee10c93a41ddf33f07af73 -
• FileHash-SHA256 - 649ffe47bc6dce71a8db9796ee7bdb675691db5407ea4ab142642d79c2c2c3fb -
• URL - http://cgi.dcsvn.org/D0CEF43706A67A527BF0C6FA -
• URL - http://tetrasecured.com/host.exe -
• YARA - a0a8be8366ad0e1ae0cd451fbd31851ef462f16f -
• hostname - msdns.otzo.com -
• YARA - a016f965b91090a25c921a77506ca16825dcdc97 -
• FileHash-SHA256 - 54285d3db6cee82ee40f512ff123661b158e2f621e08707320619413f1b69cec -
• hostname - www.microsoft.https443.org -
• URL - http://cgi.vietnamplos.com/CFE8F9E9A001C872F6594E46 -
• hostname - cgi.dcsvn.org -
• URL - http://cgi.dcsvn.org/05C04FBD1BBA99622C023AF3 -
• email - stevemoore70@gmail.com -
• FileHash-SHA256 - 8f352d3bd039e0366171e5e78216d2bf8ea5399f597dbd67b9d5219d6aa4d1d0 -
• URL - http://cgi.vietnamplos.com/D51CA09E09B075958F5214FD -
• URL - http://cgi.dcsvn.org/55FB4E88ABB497E41927E459 -
• FileHash-SHA256 - ab190e88cf943bb318fd616e6d5df68c864176dac692102a331cfc181379d24c -
• hostname - shou.mpc.cn -
• URL - http://cgi.vietnamplos.com/C770265E3496DDFC1315E805 -
• FileHash-SHA256 - 5d9fb48037b61423d17325b9c5be592dc726e5b7e24e9876132eb5c477380847 -
• URL - http://cgi.vietnamplos.com/E8FA2FE383A69099443AB270 -
• URL - http://news.phapluats.com/ -
• FileHash-SHA256 - 5afbee76af2a09c173cf782fd5e51b5076b87f19b709577ddae1c8e5455fc642 -
• YARA - 7bd664e692170e8405f6256cf5916d17cb022e6d -
• FileHash-SHA256 - e2096b5bbc746d0c8fe416b2c7265ef2c29ecb7f36023ed28815a415058a8487 -
• FileHash-SHA256 - 15f4c0a589dff62200fd7c885f1e7aa8863b8efa91e23c020de271061f4918eb -
• YARA - 79409735bbcbe04a9659c5f8557489822f548406 -
• hostname - files.maintreeplus.com -
• hostname - web.jjcwa.com -
• URL - http://cgi.dcsvn.org/B3C0DB86FCE1C63137D9B7B9 -
• FileHash-SHA256 - e8181f199706e0f1c2158b1a0d16d2a899a1e5caf012554fbd9a7a6faca0dff6 -
• FileHash-MD5 - 2b350e9b8e06b13823b123f459a0e8c6 -
• hostname - wireshark.ignorelist.com -
• URL - http://cgi.dcsvn.org/F62E3DFD95CDFE579CF8193C -
• FileHash-MD5 - 5ca90fcaf73159d2355d1bbfdaf37237 -
• FileHash-SHA256 - a4b0b05a400a46602d4fbe582133e2646f11d33ba4737598bd4b13b11e621c4d -
• URL - http://cgi.dcsvn.org/B33AC03139895165309F252F -
• hostname - web.pkuch.com -
• FileHash-SHA256 - 518f86fb017538cb8007faa3f535a9ee9cfdca6a9f487635346bd68f72a8f858 -
• URL - http://cgi.dcsvn.org/F65D1C1EB931F20DFB49626E -
• URL - http://cgi.vietnamplos.com/315CD1E9204285BB3A1EF368 -
• FileHash-MD5 - 5df67ce8487d3a9950d669a9052c4f35 -
• domain - tetrasecured.com -
• YARA - 488c40a7a0082d34e24a9594a9e6cad148b7084a -
• URL - http://www.tetrasecured.com/onlinesecuredocs -
• URL - http://news.vnnexpress.org/ -
• FileHash-SHA256 - c67741dcd6edc300175fd09d1478eb98aa2a5a87f90792523d22bb1bad92df0f -
• hostname - web.qutac.com -
• YARA - b82e59e54dcf8054ef42172add315914bb964249 -
• URL - http://cgi.dcsvn.org/273355E3A6BCF23BCC235E66 -
• hostname - asia.dcsvn.org -
• YARA - b996cf8a0057f54f93bfb7dd7e94a2c0f03da259 -
• URL - http://www.dalat.dulichovietnam.net -
• FileHash-MD5 - aa381d31b906e547f020ac0040dfffcc -
• FileHash-MD5 - bc41f57ea481c94c97e8ff23735e141b -
• domain - vietnamplos.com -
• FileHash-MD5 - ea0ea8b16a636b4311b6afc5502326d2 -
• hostname - web.zues.info -
• URL - http://cgi.dcsvn.org/C8C63AB1978F809228599706 -
• FileHash-SHA256 - f830b1331f1f49dea56fc1198115b779bc8e24d883e3fb2caa080e80601d0211 -
• YARA - 1ac662fe53f95e4586bf2cbdd1eef113cfb62316 -
• hostname - ww.tetrasecured.com -
• FileHash-MD5 - 7d92f00c56200795b4426c49126f47b6 -
• hostname - dns.vietbaotinmoi.com -
• FileHash-SHA256 - 3e0e8ce30a89db40914c053589b7a8f4e8fbb4b28225b33f002400d5520d807e -
• hostname - www.meifushuo.com -
• YARA - eeddc2aeff1ae10bdc18e3e6bf701fb52849deef -
• hostname - dalat.dulichovietnam.net -
• hostname - mateng7410.3322.org -
• FileHash-MD5 - 2030ce7a53ac9846086f60c691b3f9db -
• FileHash-SHA256 - de52bc0403a276dfab3e169826d6bb5633a112500aaa0ca4e30ac27cb0ae50f7 -
• FileHash-MD5 - 79152e4f530eb222f6e1a5537f7481ec -
• FileHash-MD5 - 42723a4a4018a66de5f11d75ee8edaa3 -
• URL - http://cgi.vietnamplos.com/4B146640334E45A293E52FB2 -
• hostname - hanoi.dulichovietnam.net -
• FileHash-MD5 - be33cd00fd373f51f0f6b07ac9fb95a9 -
• FileHash-SHA256 - ad5ada2066157b2fc3c70d212f68017404e4a0a4bc8700afb219677061ddd522 -
• URL - https://hanoi.dalat.dulichovietnam.net/ -
• hostname - zdmkk.f3322.net -
• FileHash-MD5 - acd8b226f9498c22daa135eac51e4edc -
• hostname - hanoi.dalat.dulichovietnam.net -

類似Pulses

• Campaign on the Government of Thailand Delivers Bookworm Trojan (score: 0.69)
• Chinese Actors attacks on US Government and EU Media (score: 0.67)
• Defending the White Elephant (score: 0.65)
• China-based Cyber Threat Group Targets Hong Kong Media Outlets (score: 0.65)
• Wonknu: A Spy For The 3rd ASEAN-US Summit (score: 0.64)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る