APT12
Who is APT12?
APT12 is an attack group that conducts espionage against specific targets. The group is believed to be responsible for complex campaigns that require planning and preparation to execute successfully. Its techniques include obscuring the origin of its traffic by routing it through compromised networks unrelated to the attackers' own infrastructure. APT12 stays abreast of published research that exposes its previous malware or techniques, and modifies its malware families to improve and conceal future attacks without the overhead of starting from scratch each campaign.
The planning and tactics involved in compromises executed by APT12 are similar to those of other groups currently associated with Chinese threats. APT12, APT17, and APT5 have used tactics that focus on disguising malware as benign files and hiding traffic among other seemingly uninteresting items. This is not unique to these groups, but Chinese actors appear to value discretion and long-term campaigns with strategic goals over the immediate achievement of a short-term goal.
Aliases
- IXESHE
- DynCalc
- DNSCALC
- JOY RAT
- Numbered Panda
Associated Individuals
APT12 is believed to be associated with the Chinese government.
Notable Attacks
- New York Times - 2012
- Taiwanese government organizations - August 22-28, 2014
Tactics
APT12 has been associated with the following malware families, either by using or by developing them:
- IXESHE
- Aumlib
- HIGHTIDE
- THREEBYTE
- WATERSPOUT
- RIPTIDE
In disclosed campaigns APT12 used known malware, although these samples were often attributable only to previous attacks by APT12 or by entities related to APT12.
FireEye stated that the attacks against the NYT attempted to hide their true source IPs by routing traffic through compromised US universities. This tactic is common to advanced China-based APT groups and to attacks from China in general. FireEye believes APT12 obtained access to the NYT networks through phishing attacks using both the Aumlib and IXESHE malware families as payloads. [2] IXESHE has been used in previous campaigns targeting East Asian governments, Taiwanese electronics manufacturers, and a telecommunications company, all of which have been attributed to the APT12 group. [6]
Previous versions of Aumlib had not changed since at least May 2011, and IXESHE had not evolved since at least December 2011. Researchers discovered an updated version of Aumlib used in an attack targeting "an organization involved in shaping economic policy." The sample was downloaded from status.acmetoy.com/DD/myScript.js or status.acmetoy.com/DD/css.css (832f5e01be536da71d5b3f7e41938cfb). An older sample (cb3dcde34fd9ff0e19381d99b02f9692) "connected to documents.myPicture.info and www.documents.myPicture.info and as expected generated a POST request to /bbs/info.asp," which was the same endpoint as the updated version of Aumlib. [2]
POST /bbs/info.asp HTTP/1.1
Data sent via this POST request is transmitted in clear text in the following structure:
<VICTIM BIOS NAME>|<CAMPAIGN ID>|<VICTIM EXTERNAL IP>|<VICTIM OS>|
IXESHE has been used in targeted attacks since 2009, often against entities in East Asia [3]. Although the network traffic is encoded with a custom Base64 alphabet, the URI pattern has been largely consistent:
/[ACD] [EW]S[Numbers].jsp?[Base64]
In a campaign that targeted entities in Taiwan, IXESHE used the same method for obfuscating data and identifying targets and campaigns. "The Base64-encoded data still contains information including the victim's hostname and IP address but also a "mark" or "campaign tag/code" that the threat actors use to keep track of their various attacks. The mark for this particular attack was [ll65]." [2]
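As an added defensive example, not code from the page's sources, the following Python scanner flags the two beacon shapes described above over constructed proxy-log lines: the clear-text Aumlib POST to /bbs/info.asp with its pipe-delimited body, and the IXESHE URI pattern. It assumes the letter classes in the quoted pattern are contiguous (e.g. /AWS96.jsp), matches the custom-alphabet Base64 payload loosely, and uses a made-up tab-separated log format and field values; only the two hostnames come from the page.

```python
import re

# Regex for the IXESHE URI shape quoted on the page: /[ACD][EW]S[Numbers].jsp?[Base64]
# Assumption: the letter classes are contiguous (e.g. /AWS96.jsp) and, because the
# actors use a custom Base64 alphabet, the payload charset is matched loosely.
IXESHE_URI = re.compile(r"^/[ACD][EW]S\d+\.jsp\?([A-Za-z0-9+/=_-]+)$")
AUMLIB_PATH = "/bbs/info.asp"

# Constructed proxy-log lines (tab-separated: method, host, path, optional body).
# The two hostnames are from the page; every other value is made up.
SAMPLE_LOG = [
    "POST\tdocuments.myPicture.info\t/bbs/info.asp\tDELL-PC|CID01|203.0.113.7|Windows 7|",
    "GET\twww.example.org\t/index.html",
    "GET\tstatus.acmetoy.com\t/AWS96.jsp?QUJDREVGR0g",
    "POST\tintranet.example.org\t/bbs/info.asp\tnot-a-beacon",
]

def parse_line(line):
    """Split one constructed log line into a record dict."""
    fields = line.rstrip("\n").split("\t")
    method, host, path = fields[:3]
    body = fields[3] if len(fields) > 3 else ""
    return {"method": method, "host": host, "path": path, "body": body}

def parse_aumlib_body(body):
    """Decode the clear-text Aumlib beacon <BIOS>|<CAMPAIGN>|<EXT IP>|<OS>| ;
    return None unless the body has exactly four non-empty, pipe-terminated fields."""
    parts = body.split("|")
    if len(parts) != 5 or parts[-1] != "" or not all(parts[:4]):
        return None
    return {"bios": parts[0], "campaign": parts[1], "ext_ip": parts[2], "os": parts[3]}

def classify(record):
    """Return a hit dict for an Aumlib or IXESHE beacon, else None."""
    if record["method"] == "POST" and record["path"] == AUMLIB_PATH:
        fields = parse_aumlib_body(record["body"])
        if fields is not None:
            return {"family": "Aumlib", "host": record["host"], **fields}
    m = IXESHE_URI.match(record["path"])
    if m:
        return {"family": "IXESHE", "host": record["host"], "payload": m.group(1)}
    return None

def scan_log(lines):
    """Classify every line and keep only the hits, in log order."""
    hits = []
    for line in lines:
        hit = classify(parse_line(line))
        if hit is not None:
            hits.append(hit)
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The last sample line shows the false-positive guard: a POST to the Aumlib path whose body lacks the four pipe-terminated fields is not reported.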
Targets
- Organizations in Japan and Taiwan
- New York Times
References
[1] - https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
[4] - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/blob/master/playbooks/groups/APT12.md
[5] - https://www.crowdstrike.com/blog/whois-numbered-panda/
[6] - https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf