Suspected BITTER APT Continues Targeting Government of China and Chinese Organizations


The Anomali Threat Research Team discovered a phishing site impersonating a login page for the Ministry of Foreign Affairs of the People's Republic of China email service. When visitors attempt to log in to the fraudulent page, they are presented with a pop-up verification message asking users to close their windows and continue browsing. Further analysis of the threat actor's infrastructure uncovered a broader phishing campaign targeting other government sites and state-owned enterprises in China. One of the domains uncovered during the investigation was identified by the Chinese security vendor "CERT 360" as being part of the "BITTER APT" campaign in May 2019. Anomali has identified further attempts by the actor to target the government. Based on the Let's Encrypt certificate issuance date, we believe this campaign to have been active since May 2019. We expect BITTER APT to continue targeting the government of China by employing spoofed login pages designed to steal user credentials and obtain access to privileged account information.


Initial Discovery


Anomali researchers identified a website designed to look like the Ministry of Foreign Affairs email login page. Further investigation revealed approximately 40 additional sites, all of which appear to be targeting the government of China and other organisations in China. All of the sites use Domain Validation (DV) certificates issued by “Let’s Encrypt”. The subdomains appear to have similar naming conventions, primarily targeting online mail logins and containing a verification or account validation theme.
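The pivot described above (cluster certificate-transparency records by registered domain, note Let's Encrypt issuance, take the earliest issuance date as a campaign-start estimate, and flag mail/verification-themed subdomain labels) can be reproduced over CT data. The following is an added example written for this page, not Anomali's tooling; it assumes records in the crt.sh JSON shape (`issuer_name`, `name_value`, `not_before`), and the sample records are constructed, with placeholder subdomain labels under the domain named in the post.

```python
import json
from datetime import datetime

# Constructed sample records in the shape crt.sh returns; these are NOT real
# log entries. btappclientsvc.net is the registered domain named in the post;
# the subdomain labels and timestamps here are placeholders.
SAMPLE_CT_JSON = """[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "mailverify.btappclientsvc.net", "not_before": "2019-05-31T08:12:00"},
 {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
  "name_value": "accountvalidation.btappclientsvc.net", "not_before": "2019-06-02T10:00:00"},
 {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
  "name_value": "www.example.org", "not_before": "2019-03-01T00:00:00"}
]"""

# Lure themes the post describes: online mail logins, verification, account validation.
THEME_WORDS = ("mail", "login", "verify", "verification", "validation", "account")

def registered_domain(fqdn):
    """Naive eTLD+1: last two labels (adequate for .net/.com style names)."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def is_themed(fqdn):
    """True if any subdomain label (registered domain excluded) carries a lure theme."""
    labels = fqdn.lower().split(".")[:-2]
    return any(w in label for label in labels for w in THEME_WORDS)

def triage_ct_records(ct_json):
    """Group records by registered domain and collect the three signals:
    Let's Encrypt DV issuance, earliest not_before, themed subdomain names."""
    clusters = {}
    for rec in json.loads(ct_json):
        for name in rec["name_value"].splitlines():  # crt.sh lists SANs one per line
            dom = registered_domain(name)
            c = clusters.setdefault(dom, {"names": set(), "lets_encrypt": False,
                                          "earliest": None, "themed": set()})
            c["names"].add(name)
            if "Let's Encrypt" in rec["issuer_name"]:
                c["lets_encrypt"] = True
            nb = datetime.fromisoformat(rec["not_before"])
            if c["earliest"] is None or nb < c["earliest"]:
                c["earliest"] = nb
            if is_themed(name):
                c["themed"].add(name)
    return clusters

def suspicious_domains(clusters, min_themed=1):
    """Domains combining Let's Encrypt issuance with themed subdomain labels."""
    return sorted(d for d, c in clusters.items()
                  if c["lets_encrypt"] and len(c["themed"]) >= min_themed)
```

The earliest `not_before` per cluster is the value the post uses to date the campaign; the keyword list is deliberately broad and should be tuned to the brand being protected before use on live CT feeds.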


Phishing Site Details


The screenshot below is the initial site that was discovered and investigated. The domain hosting these sites, "btappclientsvc[.]net", was registered on May 30, 2019.


Figure 1 - Phishing site targeting Ministry of Foreign Affairs


The phishing site has been designed specifically to pose as the login page for the ..
