Espionage Malware:

In 2006 and 2007, registered a number of domains under the "Tawnya Grilth" alias that have appeared repeatedly on reports published by various automated malware analysis systems and antivirus websites. The Dell SecureWorks CTUSM research team examined malware samples using these domains and concluded that these domains were involved in a larger pattern of malware-based espionage, sometimes referred to as Advanced Persistent Threat (APT) activity.

There are two primary malware families involved with the Sin Digoo domains. One is known as "Enfal", which is short for "EtenFalcon", a string found inside early samples. The involvement of actors using this malware for espionage was first detailed in 2010 in a joint report by the Information Warfare Monitor and the Shadowserver Foundation. The report, titled "Shadows in the Cloud: Investigating Cyber Espionage 2.0," was a continuation of research from an earlier report titled "Tracking GhostNet: Investigating a Cyber Espionage Network." A later report by antivirus firm Trend Micro titled "The LURID Downloader" further details a campaign of espionage by this malware against targets worldwide.

A second family of malware connecting to the "Tawnya Grilth" domains is less well-known, although a couple of antivirus companies have used the names "RegSubsDat", "RegSubDat" or "Kirpich" to refer to it. A recent variant was described by the information security firm CyberESI in a 2011 blog post titled "India-United States Naval Cooperation.doc Analysis." Details regarding the earlier variant used in the Sin Digoo activity was first analyzed in a blog posting by Don C. Weber titled "Malware Characteristics Report - Trojan.RegSubsDat.A" on his Security Ripcord blog.

In addition to the GhostNet link, connections can also be drawn between the malware used in the Sin Digoo activity and the RSA breach revealed in early 2011. According to the US-CERT EWIN-11-077 bulletin, a number of command-and-control (C2) hostnames used by RegSubsDat shared three different IP addresses at different points in time, with one of the hostnames known to be part of the RSA breach. This C2 hostname was used in a piece of malware known as "Murcy", which was detailed in "Command and Control in the Fifth Domain," a 2012 report by Command Five Pty Ltd.

All three IP addresses belong to the China Beijing Province Network (AS4808). Although the RegSubsDat and Murcy C2s shared these IPs a few months apart, the fact that three IP different addresses at the same ISP overlapped in a short time frame seems to indicate shared infrastructure used by both the RSA breach actors and other actors using the RegSubsDat malware. AS4808 is known for many other connections to malware and is considered by some to be a hotbed of espionage C2s, especially the, and subnets. These subnets have been seen in DNS records for hundreds of C2 hostnames for dozens of custom malware families, either known for or suspected in espionage activity (source Dell Research).

The RegSubsDat domain was registered by an unknown actor using the email address A 2011 blog posting by "Cyb3rsleuth" traced this email address to a social media profile created by a person living in Beijing named "Wang Liang Chen." The same email address was used to register many other RegSubsDat domains as well. The social media profile for has since been deleted.

To capture this threat on your network and discover remediation methods please contact the Network Threat Mitigation Center

All Cyber Threats:

View SafeMedia's profile Like SafeMedia on Facebook

Copyrighted ©2009 - 2013 SafeMedia Corp. All Rights Reserved.
Phone: (561) 228-4442 Fax: (800) 527-9169
Privacy Policy     Terms Of Use