Created December 21, 2020 14:28
Gist: vxcute/24e9f2a1a6e4a01fdedb3390068e3668
Introduction:
==========
. APT-18, also known as Dynamite Panda, is a China-based APT group. It mainly targeted the United States; its goals were cyber-espionage and data theft.
Targets:
=======
. APT-18 mainly targeted the United States, across multiple industries including: Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnology, High Tech, Telecommunications, and Transportation.
Campaigns:
==========
. The attack time scale was from 2009 until May 2016.
. In April 2018 they breached Community Health Systems, which is based in Franklin, Tennessee, United States. They stole patient and health care information. Experts say this campaign was in support of China's economic plan, so that it could develop its own health care systems.
Methods and Tools:
================
. APT-18 weaponized multiple zero-day vulnerabilities. One example was CVE-2015-5119, an Adobe Flash vulnerability; the vulnerability became public through the Hacking Team leak.
. They used Gh0st RAT as their malware. The malware can profile the system, steal user information, manipulate processes, capture screen and audio, and perform C2 communications.
. They used phishing emails to install their malware and get into the victim organization. The email was spoofed to appear to come from Adobe, telling users to update; once the user clicks the link, it installs a malicious Adobe Flash update that takes advantage of CVE-2015-5119, which leads to the installation of Gh0st RAT.
. Other Tools:
----------------------
. hcdLoader
. HTTPBrowser
. Pisloader
. Roseam
. StickyFingers
IOCs
=====
Hashes (MD5):
--------------
079a440bee0f86d8a59ebc5c4b523a07
d0f79de7bd194c1843e7411c473e4288
e5414c5215c9305feeebbe0dbee43567
985eba97e12c3e5bce9221631fb66d68
e4968c8060ea017b5e5756c16b80b012
e8d58aa76dd97536ac225949a2767e05
C2:
-----
223.25.233.248
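The IOCs above are only useful once they are matched against telemetry. The following script is an added example, not part of the original gist: it loads the MD5 hashes and the C2 address listed above into lookup sets and scans a few constructed log lines (a key=value proxy log and a comma-separated EDR file event, both made up for illustration) for hits, normalising hash case so an uppercase hash in an EDR event still matches the lowercase list. The log format, field names and host names are assumptions.

```python
"""Match the APT-18 IOCs listed above against constructed log lines.

Added example; not part of the original gist. The IOC values come from the
list above, the log lines and their format are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# MD5 hashes from the gist above, stored lowercase for case-insensitive matching.
APT18_MD5 = {
    "079a440bee0f86d8a59ebc5c4b523a07",
    "d0f79de7bd194c1843e7411c473e4288",
    "e5414c5215c9305feeebbe0dbee43567",
    "985eba97e12c3e5bce9221631fb66d68",
    "e4968c8060ea017b5e5756c16b80b012",
    "e8d58aa76dd97536ac225949a2767e05",
}

# C2 address from the gist above.
APT18_C2_IPS = {"223.25.233.248"}

# Constructed sample telemetry (assumed formats): two proxy lines and two EDR lines.
SAMPLE_LOGS = [
    "ts=2020-12-21T10:01:02Z src=10.0.0.15 dst=223.25.233.248 dport=443 action=allow",
    "ts=2020-12-21T10:01:09Z src=10.0.0.15 dst=93.184.216.34 dport=443 action=allow",
    "host=WS-22,proc=flashupdate.exe,md5=D0F79DE7BD194C1843E7411C473E4288",
    "host=WS-22,proc=chrome.exe,md5=0123456789abcdef0123456789abcdef",
]

# A 32-hex-digit token is a candidate MD5; a dotted quad is a candidate IPv4 address.
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Match:
    line_no: int   # 1-based index of the log line that matched
    ioc_type: str  # "md5" or "c2_ip"
    value: str     # the normalised IOC value that matched


def scan_line(line_no: int, line: str) -> List[Match]:
    """Return every IOC hit in a single log line, regardless of log format."""
    hits: List[Match] = []
    for candidate in MD5_RE.findall(line):
        if candidate.lower() in APT18_MD5:
            hits.append(Match(line_no, "md5", candidate.lower()))
    for candidate in IPV4_RE.findall(line):
        if candidate in APT18_C2_IPS:
            hits.append(Match(line_no, "c2_ip", candidate))
    return hits


def scan_logs(lines: Iterable[str]) -> List[Match]:
    """Scan an iterable of log lines and return all IOC matches in order."""
    found: List[Match] = []
    for line_no, line in enumerate(lines, start=1):
        found.extend(scan_line(line_no, line))
    return found


if __name__ == "__main__":
    for m in scan_logs(SAMPLE_LOGS):
        print(f"line {m.line_no}: {m.ioc_type} match on {m.value}")
```

Because matching is done on extracted tokens rather than on a specific field, the same function works on both log formats; in practice you would feed it lines from your proxy, DNS and EDR sources and treat a hit on the C2 address or on one of the hashes as a trigger for host isolation and further triage.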
References:
==========
https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/
https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop
https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=APT%2018%2C%20Dynamite%20Panda%2C%20Wekby&n=1