APT18

Who is APT18?

APT18 is a sophisticated threat group attributed to China that has been active since at least 2009. The group is quick to weaponize newly disclosed vulnerabilities and exploits in order to compromise victims. FireEye compares APT18's activity to that of APT3. [2] While both groups have exploited the same vulnerabilities, for example CVE-2015-5119, APT18 has its own methods of generating phishing emails and building exploits, and uses different C2 infrastructure. FireEye describes the phishing emails APT18 sends as generic in nature. The group's C2 infrastructure typically consists of "procured infrastructure" rather than systems the attackers previously compromised themselves.

Aliases

  • TG-0416
  • Dynamite Panda
  • Wekby

Associated Individuals

APT18 is attributed to Chinese attackers; the cited reporting does not name specific individuals.

Notable Attacks

Specific victims have not been publicly named, but multiple researchers list a wide range of affected industries (see Targets below).

Tactics

Malware Used

  • HTTPBrowser
  • hcdLoader
  • PisLoader
  • gh0st RAT

APT18 delivers malware through phishing emails. Once the group has gained access, it has used DNS as a covert C2 channel: the implant issues DNS TXT record queries in which the data to be sent is base32-encoded and prepended as a subdomain label to the attacker's FQDN, and the C2 server returns its instructions in the TXT record of the response. [6] The attackers also use common malware families such as HTTPBrowser, gh0st RAT, and hcdLoader, together with built-in Windows tools like at.exe and PsExec for persistence, information gathering, and lateral movement. [3] APT18 adopts new vulnerabilities quickly after their initial disclosure. The combination of these tactics demonstrates the group's expertise and technical capability.
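The following Python script is an added example, not code from this page or from the cited reports: it hunts for the DNS-tunnelling pattern described above in a resolver query log by looking for TXT lookups whose leading labels decode as unpadded base32, then groups them by client and parent domain so that a series of such lookups stands out from a one-off. The log line format (`timestamp client qtype qname`), the domain `c2.example.net`, the sample lines and the tuning constants are all constructed for this example and are not APT18 indicators.

```python
import base64
import binascii
import math
import re
from collections import defaultdict
from typing import List, Optional, Tuple

# Tuning values assumed for this example; adjust against your own resolver baseline.
MIN_LABEL_LEN = 10   # shorter labels are far too often ordinary hostnames
MIN_ENTROPY = 2.5    # bits per character; encoded data is normally well above this
MIN_QUERIES = 3      # one odd lookup is noise, a run of them is a channel

B32_ALPHABET = re.compile(r"^[A-Z2-7]+$")


def b32label(data: bytes) -> str:
    """Encode bytes the way a DNS-tunnelling client must: base32 without the
    '=' padding, because '=' is not legal in a hostname label."""
    return base64.b32encode(data).decode("ascii").rstrip("=")


def decode_label(label: str) -> Optional[bytes]:
    """Return the bytes behind an unpadded base32 label, or None if the label uses
    characters outside A-Z2-7 or has a length that no base32 output can have."""
    label = label.upper()
    if not B32_ALPHABET.match(label):
        return None
    try:
        return base64.b32decode(label + "=" * (-len(label) % 8))
    except binascii.Error:   # e.g. 'MAILSERVICE': valid alphabet, impossible length
        return None


def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(label: str) -> bool:
    return (len(label) >= MIN_LABEL_LEN
            and decode_label(label) is not None
            and entropy(label.upper()) >= MIN_ENTROPY)


def split_query(qname: str) -> Tuple[List[str], str]:
    """Split 'DATA1.DATA2.c2.example.net' into (['DATA1', 'DATA2'], 'c2.example.net').
    Leading labels that decode as base32 are payload; the first that does not
    starts the C2 domain (a real deployment would also consult the public suffix list)."""
    labels = qname.rstrip(".").split(".")
    i = 0
    while i < len(labels) and looks_encoded(labels[i]):
        i += 1
    return labels[:i], ".".join(labels[i:])


def detect(log_text: str, min_queries: int = MIN_QUERIES) -> dict:
    """Return {(client_ip, c2_domain): [decoded payload, ...]} for every client that
    issued at least min_queries TXT lookups carrying base32 payload labels.
    Each log line is assumed to read '<timestamp> <client-ip> <qtype> <qname>'."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        client, qname = parts[1], parts[3]
        payload_labels, domain = split_query(qname)
        if not payload_labels:
            continue
        seen[(client, domain)].append(b"".join(decode_label(l) for l in payload_labels))
    return {key: chunks for key, chunks in seen.items() if len(chunks) >= min_queries}


# Constructed sample log (not real traffic). The first four lines are the kind of
# TXT lookups a mail-sending network legitimately makes; the last three imitate an
# implant beaconing system information as base32 labels under an assumed domain.
BENIGN_LINES = [
    "2016-05-20T10:01:02Z 10.0.0.5 A www.example.com",
    "2016-05-20T10:01:05Z 10.0.0.5 TXT _dmarc.example.com",
    "2016-05-20T10:01:06Z 10.0.0.5 TXT selector1._domainkey.example.com",
    "2016-05-20T10:01:07Z 10.0.0.9 TXT mailservice.example.org",
]
C2_DOMAIN = "c2.example.net"   # assumed for the example, not an APT18 indicator
EXFIL_CHUNKS = [b"host=WS01", b"user=jdoe", b"ver=6.1.7601"]
TUNNEL_LINES = [
    f"2016-05-20T10:02:{10 + i:02d}Z 10.0.0.7 TXT {b32label(chunk)}.{C2_DOMAIN}"
    for i, chunk in enumerate(EXFIL_CHUNKS)
]
SAMPLE_LOG = "\n".join(BENIGN_LINES + TUNNEL_LINES) + "\n"

if __name__ == "__main__":
    for (client, domain), chunks in detect(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {len(chunks)} encoded TXT lookups")
        for chunk in chunks:
            print("   ", chunk)
```

Two details carry most of the signal. Unpadded base32 can only have lengths of 0, 2, 4, 5 or 7 modulo 8, so re-padding and decoding rejects plain words such as "mailservice" that happen to use only the letters A-Z, while the entropy floor catches repetitive junk; in practice the legitimate TXT lookups on a network are almost entirely DMARC, DKIM and SPF records, which makes any other TXT traffic worth baselining. Running the script prints the one client that issued a run of encoded lookups together with the decoded beacon data.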

Targets

  • Aerospace and Defense
  • Construction and Engineering
  • Energy
  • High Tech
  • Non-Profit
  • Telecommunications
  • Human Rights Groups
  • Medical Technology
  • Pharmaceutics

References

[1] - https://attack.mitre.org/groups/G0026/

[2] - https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

[3] - https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems

[4] - https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

[5] - https://threatconnect.com/threatconnect-discovers-chinese-apt-activity-in-europe/

[6] - https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
