By Zach Hilbert — Jun 26, 2024

APT17

Who is APT17?

APT17 is a state-sponsored group frequently tied to China. Many of their operations targeted organizations to steal proprietary information and military secrets. The use of zero-day exploits indicates either the ability to perform advanced vulnerability research or purchase these valuable and expensive exploits. This group performed multiple attacks with techniques ahead of the threat actors at the time.

Aliases

Axiom Group, Winnti, DeputyDog, Group 72

Associated Individuals

No known individuals have been tied to this group.

Notable Attacks

Bit9 - July 2012

The attack on Bit9 was one of the earliest campaigns linked to APT17. In July 2012, attackers gained access to an internet-facing web server by exploiting a SQL injection vulnerability. Once the group was able to obtain access, they used a version of the HiKit malware with a file name of netddeserv.exe. This backdoor communicated with 218.210.49.203. Another backdoor was discovered which communicated with downloadmp3server.servemp3.com, which resolved to 66.153.86.14.

These samples downloaded versions of HiKit and HomeUNIX malware. Attackers then used a Bit9 certificate found on the compromised system to sign the malicious binaries. 32 files in total were signed with this certificate. The signed binaries were later used in separate attacks against different organizations.

Bit9 provided extensive detail about this attack which can be found at https://web.archive.org/web/20130302090353/https://blog.bit9.com/2013/02/25/bit9-security-incident-update/ and in the attached PDF of the same page.

British software maker Piriform (CCleaner)

The supply-chain attack against Pirifom may be linked to APT17 but available evidence makes it difficult to verify.

Operation DeputyDog

Operation DeputyDog began as early as August 19, 2013 and targeted Japanese organizations. FireEye stated the attack against Bit9 shared similarities in infrastructure and concluded that the same group was responsible for both campaigns. Attackers used a zero-day vulnerability in the exploit, which was disguised as an image file (CVE-2013-3893). The file was hosted in Hong Kong at IP address 210.176.3.130. The executable containing the exploit was named "img20130823.jpg" and XOR encoded with 0x95. When the payload executed, it created a DLL file and established persistence using the CurrentVersion\Run registry key.

The malware connected to IP address 180.150.228.102, which was located in South Korea. Communication was sent in clear text as HTTP over port 443. Another similar sample was hosted at 111.118.21.105/css/sun.css and discovered on September 5, 2013. This sample also communicated to 180.150.228.102.

The table below describes the related samples, compile time, and C2 server to demonstrate the similarities.

MD5	Compile Time (UTC)	C2 Server
58dc05118ef8b11dcb5f5c596ab772fd	2013-08-19 13:21:58	180.150.228.102
4d257e569539973ab0bbafee8fb87582	2013-08-19 13:21:58	103.17.117.90
dbdb1032d7bb4757d6011fb1d077856c	2013-08-19 13:21:59	110.45.158.5
645e29b7c6319295ae8b13ce8575dc1d	2013-08-19 13:21:59	103.17.117.90
e9c73997694a897d3c6aadb26ed34797	2013-04-13 13:42:45	110.45.158.5

Table 1

Similarly, this table displays the common C2 domains used.

Domain	First Seen	Last Seen
ea.blankchair.com	2013-09-01 05:02:22	2013-09-01 08:25:22
rt.blankchair.com	2013-09-01 05:02:21	2013-09-01 08:25:24
ali.blankchair.com	2013-09-01 05:02:20	2013-09-01 08:25:22
dll.freshdns.org	2013-07-01 10:48:56	2013-07-09 05:00:03

Table 2

The links between Operation DeputyDog and the attack against Bit9 are describe by FireEye as follows:

One of the HiKit samples connected to downloadmp3server.servemp3.com that resolved to 66.153.86.14.

www.yahooeast.net also resolved to 66.153.86.14 between March 6, 2012 and April 22, 2012.

The email 654@123.com registered www.yahooeast.net and blankchair.com.

blankchair.com resolved to 180.150.228.102, which was the IP address listed in Table 1 and also utilized the CVE-2013-3893 vulnerability.

Operation Ephemeral Hydra

In Operation Ephemeral Hydra, attackers used CVE-2013-3918 and CVE-2014-0266 to gain initial access. APT17 loaded these exploits onto a website likely to draw visitors interested in "national and international security policy." [1] Once exploited, the client machines ran the payload, Trojan.APT.9002 (Hydraq/McRAT variant). This malware runs in memory instead being written to disk. According to FireEye, the attackers made this choice deliberately because of "confidence in both their resources and skills" or that victims would visit the website again and be re-infected. Shadowserver provides an alternative motive for the advanced technique is the attackers wanted to leave as little evidence as possible. This could be the case if the attack failed, as less artifacts would remain for analysis. Computers do not reboot or shutdown regularly except for patch deployment, especially in office environments. These systems are often left running and users simply log out when leaving.

FireEye remarked that the exploit did not write the payload to disk which distinguished itself from other actors using the same malware. The technique of executing payloads in memory instead of saving to disk was not common in 2013 during these attacks. In our opinion, the early use of this technique represents a group more advanced than typical attackers of that time. This specific malware variant (9002) contained an HTTP POST and "non-HTTP" protocol which communicated to 111.68.9.93:443. FireEye identified an earlier sample (104130d666ab3f640255140007f0b12d) connecting to the same 111.68.9.93 IP address.

Trojan.APT.9002 was also tied to attacks against Bit9.

Operation SnowMan

"On February 11, FireEye identified a zero-day exploit (CVE-2014-0322) being served from the U.S. Veterans of Foreign Warsâ website (vfw.org)." CVE-2014-0322 exploits a vulnerability in IE 10 with Adobe Flash to gain arbitrary code execution. Once the exploit completes successfully, the attack payload includes a JPEG image with the shellcode appended to the end of the file. The shellcode creates 2 files, "sqlrenew.txt" and "stream.exe". These files contained the payload, which was encoded with an XOR key of 0x95, the same key used in Operation DeputyDog. The payload executes "sqlrenew.txt" through LoadLibraryA.

The executed malware was a ZxShell backdoor and compiled on 2014-02-11. The backdoor connected to newss.effers.com. Both newss.effers.com and info.flnet.org resolved to 118.99.60.142 as of 2014-02-12. The info.flnet.org domain overlaps with icybin.flnet.org and book.flnet.org via the previous resolutions to the following IP addresses:

58.64.200.178
58.64.200.179
103.20.192.4

First Seen	Last Seen	CnC	DomainIP
2013-08-31	2013-08-31	icybin.flnet.org	58.64.200.178
2013-05-02	2013-08-02	info.flnet.org	58.64.200.178
2013-08-02	2013-08-02	book.flnet.org	58.64.200.178
2013-08-10	2013-08-10	info.flnet.org	58.64.200.179
2013-07-15	2013-07-15	icybin.flnet.org	58.64.200.179
2014-01-02	2014-01-02	book.flnet.org	103.20.192.4
2013-12-03	2014-01-02	info.flnet.org	103.20.192.4

Table 1

FireEye discovered previous Gh0stRat samples with the custom packet flag "HTTPS" connecting to book.flnet.org and icybin.flnet.org. Operation DeputyDog also involved the "HTTPS" version of Gh0st. Multiple domains linked to the 58.64.199.0/24 as the table displays below.

First Seen	Last Seen	CnC Domain	IP
2012-11-12	2012-11-28	me.scieron.com	58.64.199.22
2012-04-09	2012-10-24	cht.blankchair.com	58.64.199.22
2012-04-09	2012-09-18	ali.blankchair.com	58.64.199.22
2012-11-08	2012-11-25	dll.freshdns.org	58.64.199.25
2012-11-23	2012-11-27	rt.blankchair.com	58.64.199.25
2012-05-29	2012-6-28	book.flnet.org	58.64.199.27

Table 2

Operation DeputyDog and Operation Ephermeral Hydra also used a few of the same domains, dll.freshdns.org, ali.blankchair.com and cht.blankchair.com.

Additional similarities in exploitation, malware distribution, payloads, and C2 infrastructure link Operation Ephermeral Hydra to the 2 campaigns listed above.