APT5

Who is APT5?

According to FireEye, APT5 has been actively targeting telecommunications and technology companies since 2007. This group appears to be large and sophisticated. APT5 uses malware equipped with keylogging functions to gather information for future compromise as well as regional intelligence. Based on the industry and organizational targets, FireEye believes this group uses the stolen information for competitive advantage and to speed internal development of these technologies. [3][4][5]

Aliases

No known or provided aliases.

Associated Individuals

No proven political or individual association.

Notable Attacks

Details regarding specific attacks that APT5 has performed are minimal. FireEye listed an attack in April 2015 "against [a] South Asian defense contractor." [5] Several attacks targeted "organizations and personnel based on Southeast Asia." APT5 compromised an electronics firm and stole communications between the electronics firm and a national military. In 2014, an international telecommunications company was breached. The system of an executive responsible for managing relationships with other telecom companies was compromised within this network. FireEye states that APT5 collected data on pricing, bidding, contracts, and business opportunities as a result of this compromise. [4][5]

Tactics

APT5 has used the LEOUNCIA, BIRDWORLD, and ENCORE backdoors in their attacks. A FireEye researcher disclosed details of the LEOUNCIA backdoor and its similarities to the VINSELF botnet. APT5 uses phishing to send links from which the malware is downloaded. LEOUNCIA attempts to hide communication with its C2 by obfuscating the payloads and endpoint paths. The image below demonstrates these different endpoints discovered during the FireEye research. [1]

LEOUNCIA was seen using info.new-soho.com as a C2 domain which resolved to 64.255.101.100 at the time the research was performed. This research also linked at least one other domain (ftp.winself.com) to the same administrative contact information (jonh.lu@gmail.com). Once a system is infected with the LEOUNCIA malware, the C2 operators extract information about the host and execute commands using the obfuscated C2 communications.
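As an added example (not part of the FireEye research or of this page's original content), the sketch below sweeps DNS resolver logs for the two domains and the IP address named above. The log layout, field order, and sample lines are assumptions constructed for illustration; the IP match is included because the text only states what the domain resolved to at the time of the research.

```python
import re

# Indicators taken from the paragraph above.
C2_DOMAINS = {"info.new-soho.com", "ftp.winself.com"}
C2_IPS = {"64.255.101.100"}

# Assumed log layout (hypothetical): "<timestamp> <client_ip> <qname> <qtype> <answer>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Lower-case, undo [.] defanging, and strip the trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")


def match_line(line):
    """Return a hit dict for one log line, or None if it is clean or malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, _qtype, answer = m.groups()
    qname, answer = normalize(qname), normalize(answer)
    reasons = []
    # Match the listed host names and anything beneath them, not look-alikes.
    if any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("domain")
    # A different name resolving to the listed address is also worth a look.
    if answer in C2_IPS:
        reasons.append("ip")
    if not reasons:
        return None
    return {"time": ts, "client": client, "qname": qname, "reasons": reasons}


def sweep(lines):
    return [hit for hit in map(match_line, lines) if hit]


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2010-12-01T09:14:02Z 10.0.4.17 INFO.new-soho.com. A 64.255.101.100
2010-12-01T09:14:05Z 10.0.4.22 www.example.org A 192.0.2.10
2010-12-01T09:15:40Z 10.0.4.17 ftp.winself.com A 203.0.113.9
2010-12-01T09:16:11Z 10.0.4.31 cdn.example.net A 64.255.101.100
2010-12-01T09:17:00Z 10.0.4.40 notinfo.new-soho.com.example.org A 198.51.100.7
""".splitlines()

if __name__ == "__main__":
    print(*sweep(SAMPLE_LOG), sep="\n")
```

The "reasons" field separates a name match from an address-only match, so an analyst can triage a host that resolved an unlisted name to the listed address differently from one that queried the C2 name itself.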

Targets

  • Regional Telecommunication Providers
  • Asia-Based Employees of Global Telecommunications and Tech Firms
  • High-Tech Manufacturing
  • Military Application Technology

References

[1] - https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html

[2] - https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html

[3] - https://www.fireeye.com/current-threats/apt-groups.html#apt5

[4] - https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf

[5] - https://www.rsaconference.com/writable/presentations/file_upload/tta-r02-nation-state-hacktivist-attacks-targeted-hits-on-asian-organizations_copy1.pdf
