This repository contains the indicators of compromise related to the Operation Wocao report.
Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group.
The full report can be found here:
Filename | Description |
---|---|
ips.txt | The various IPs obversed, either as C2 or as operator IPs. |
hashes.txt | The hashes for various malicious scripts and binaries. |
Filename | Description |
---|---|
yara.yar | Contains Yara signatures to detect various malicious scripts and binaries. |
suricata.rules | Contains Suricata signatures to detect XServer and other malicious traffic. |
IP | Hoster | Active period | Description |
---|---|---|---|
185.244.150.236 | Host Sailor | 2018 | Identified in the memory dump of a compromised machine. Used as a command line argument for a PowerShell backdoor. Also used to access webshells. |
217.182.129.156 | OVH | 2018-2019 | Back-connect used by the agent backdoor. Identified based on compromised machines connecting to this IP with a known suspicious client hello value in the TLS handshake. IP is hardcoded. |
23.254.211.108 | Hostwinds | 2018-2019 | Used to connect to a VPN concentrator with stolen credentials. |
108.61.179.160 | Choopa / Vultr | 2018-2019 | Used to connect to a VPN concentrator with stolen credentials. |
198.46.140.26 | ColoCrossing | 2018-2019 | Used to connect to a VPN concentrator with stolen credentials. |
31.222.185.215 | Rackspace | 2018-2019 | Used to access webshells. |
45.77.229.10 | Choopa / Vultr | 2018-2019 | Used to access webshells. |
46.101.153.58 | Digital Ocean | 2018-2019 | Used to access webshells. |
62.141.37.236 | myLoc | 2018-2019 | Used to access webshells. |
95.179.161.243 | Vultr | 2018-2019 | Used to access webshells. |
138.68.144.161 | Digital Ocean | 2018-2019 | Used to access webshells. |
185.191.228.108 | Cogent Communications | 2018-2019 | Used to access webshells. |
209.97.140.206 | Alameda | 2018-2019 | Used to access webshells. |
46.182.106.190 | Tor exit node | * | Used to access webshells. |
141.255.162.36 | Tor exit node | * | Used to access webshells. |
185.220.101.0 | Tor exit node | * | Used to access webshells. |