Feb 20 2013 10:01PM GMT
Posted by: Dan O'Connor
Uncategorized
Unit 61398 – Part 3
If you are able to use YARA rules, you can get an APT1-specific set here. The posting has instructions on how to put them to use.
Now back to the video.
They do point it out during the video, but if you look at around 1:20 you can see the alert at the top from Gmail that someone has logged in to the account from a Chinese IP address. This part does not feel right to me. I wonder if it is carelessness, not caring, or something else going on.
With everything that this account is used for, why would you log in to it with your own IP address? I just don't know why in the world you would set up an account like this and then log in to it from home. I almost think it was an accident by the attacker.