Created
December 20, 2020 04:13
Introduction:
==========
APT16, also known as SVCMONDR, is a China-based APT group that carried out attacks between November 26, 2015, and December 1, 2015. Their goals were mainly cyber-espionage and data theft.
Targets:
=======
Their attacks focused on two countries, Taiwan and Japan, and on four industries: government, media, finance and high-tech.
Campaigns:
==========
. The attacks took place between November 26, 2015, and December 1, 2015.
. They targeted Taiwan and Japan; their intention was espionage and data theft, with a focus on Taiwanese politics and journalism.
. On November 26, 2015, a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies (cited from FireEye).
Methods and Tools:
================
Methods:
----------------
. APT16 made use of spear-phishing emails carrying Microsoft Word documents with malicious macros as the initial access technique to get into the victim organization.
Weaponized Vulnerabilities:
---------------------------------------------
. EPS dict copy use-after-free vulnerability
. CVE-2015-1701 (LPE)
Tools:
----------
. IRONHALO (Downloader): uses HTTP for C2 communications; the C2 commands are Base64 encoded. It had the capa
. ELMER (Backdoor): an HTTP backdoor with capabilities such as retrieving C2 commands and profiling the system.
IOCs
=====
Hashes (MD5)
-----------------------
6c33223db475f072119fe51a2437a542 (ELMER)
0b176111ef7ec98e651ffbabf9b35a18 (ELMER)
a8ccb2fc5fec1b89f778d93096ff8dd65 (IRONHALO) - note: as given this is 33 hex characters, one more than a valid MD5, so verify it against the original report before loading it into a sweep
C2
-----
121.127.249.74
news.rinpocheinfo.com
rinpocheinfo.com
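As an added example (not part of the original gist or of FireEye's tooling), the following Python script loads the IOCs listed above, rejects any hash that is not a well-formed MD5 (which catches the 33-character IRONHALO entry), and sweeps them against sample proxy log lines and observed file hashes. The log line format, client IPs, file paths and the second file hash are constructed for this illustration and do not come from any real incident. Subdomains of the listed C2 domains are matched too, since the page lists both the apex and a news. subdomain.

```python
import re

# IOCs as listed on this page (APT16 / SVCMONDR).
IOC_MD5 = {
    "6c33223db475f072119fe51a2437a542": "ELMER",
    "0b176111ef7ec98e651ffbabf9b35a18": "ELMER",
    "a8ccb2fc5fec1b89f778d93096ff8dd65": "IRONHALO",  # 33 hex chars as published
}
IOC_IPS = {"121.127.249.74"}
IOC_DOMAINS = {"news.rinpocheinfo.com", "rinpocheinfo.com"}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_md5_iocs(iocs):
    """Split the hash list into well-formed MD5s and malformed entries.

    A hash that is not exactly 32 hex characters can never equal a computed
    MD5, so it must be corrected or dropped rather than loaded into a sweep.
    """
    good, bad = {}, {}
    for h, family in iocs.items():
        h = h.strip().lower()
        (good if MD5_RE.match(h) else bad)[h] = family
    return good, bad


def domain_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one.

    'notrinpocheinfo.com' must not match 'rinpocheinfo.com', hence the
    leading dot in the suffix check.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def sweep_proxy_log(lines, ioc_domains, ioc_ips):
    """Flag proxy log lines whose destination host or IP is an IOC.

    Constructed line format for this example:
        <timestamp> <client_ip> <dest_host_or_ip> <url>
    Returns (line_number, destination, client_ip) for each hit.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 3:
            continue
        dest = parts[2]
        if dest in ioc_ips or domain_matches(dest, ioc_domains):
            hits.append((n, dest, parts[1]))
    return hits


def sweep_hashes(observed, ioc_md5):
    """Match observed (path, md5) pairs against the validated IOC hash set."""
    return [(path, ioc_md5[h.lower()]) for path, h in observed if h.lower() in ioc_md5]


# Constructed sample data (hypothetical, not from any real incident).
SAMPLE_PROXY_LOG = [
    "2015-11-27T09:12:01Z 10.0.0.15 www.example.com http://www.example.com/",
    "2015-11-27T09:12:07Z 10.0.0.15 news.rinpocheinfo.com http://news.rinpocheinfo.com/index.php",
    "2015-11-27T09:13:40Z 10.0.0.22 121.127.249.74 http://121.127.249.74/update",
    "2015-11-27T09:14:02Z 10.0.0.31 cdn.rinpocheinfo.com http://cdn.rinpocheinfo.com/a.gif",
    "2015-11-27T09:15:00Z 10.0.0.31 notrinpocheinfo.com http://notrinpocheinfo.com/",
]
SAMPLE_HASHES = [
    ("C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe", "6C33223DB475F072119FE51A2437A542"),
    ("C:\\Windows\\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),  # MD5 of empty input
]

if __name__ == "__main__":
    good, bad = validate_md5_iocs(IOC_MD5)
    for h, fam in bad.items():
        print(f"malformed MD5 for {fam}: {h} ({len(h)} chars)")
    for n, dest, client in sweep_proxy_log(SAMPLE_PROXY_LOG, IOC_DOMAINS, IOC_IPS):
        print(f"line {n}: {client} -> {dest}")
    for path, fam in sweep_hashes(SAMPLE_HASHES, good):
        print(f"{fam}: {path}")
```

Run against real data, replace SAMPLE_PROXY_LOG with lines read from the proxy or DNS export and SAMPLE_HASHES with the output of a hashing tool; only the hashes in the validated `good` set are used for matching, so the malformed entry is reported rather than silently never matching.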
TTPs
---------
. Compromise Infrastructure: Server (T1584.004)
. Phishing (T1566)
. Phishing: Spearphishing Link (T1566.002)
. Phishing: Spearphishing Attachment (T1566.001)