@vxcute
Created December 20, 2020 04:27
Introduction:
==========
APT16, also known as SVCMONDR, is a China-based APT group that carried out attacks between November 26, 2015, and December 1, 2015. Its goals were mainly cyber-espionage and data theft.
Targets:
=======
Their attacks focused on two countries, Taiwan and Japan, and targeted four industries: government, media, finance and high-tech.
Campaigns:
==========
. The attacks took place between November 26, 2015, and December 1, 2015.
. They targeted Taiwan and Japan; their intentions were espionage and data theft, with a main focus on Taiwanese politics and journalism.
. On November 26, 2015, a suspected China-based APT group sent Japanese defense policy-themed spear phishing emails to multiple Japanese financial and high-tech companies (cited from FireEye).
Methods and Tools:
================
Methods:
----------------
. APT16 made use of spear-phishing emails carrying Microsoft Office Word documents that contain a malicious macro as the initial access technique to get into the victim organization.
Weaponized Vulnerabilities:
---------------------------------------------
. EPS dict copy use-after-free vulnerability
. CVE-2015-1701 (LPE, local privilege escalation)
Tools:
----------
. IRONHALO (downloader): leverages HTTP for C2 communications; the C2 commands are Base64 encoded; it had the capa
. ELMER (backdoor): an HTTP backdoor with capabilities such as retrieving C2 commands and profiling the system.
IOCs
=====
Hashes (MD5)
-----------------------
6c33223db475f072119fe51a2437a542 (ELMER)
0b176111ef7ec98e651ffbabf9b35a18 (ELMER)
a8ccb2fc5fec1b89f778d93096ff8dd65 (IRONHALO)
C2
-----
121.127.249.74
news.rinpocheinfo.com
rinpocheinfo.com
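As an added defender-side example (not part of the original gist), the following Python sweeps constructed proxy-log lines and file-hash events for the indicators listed above, using subdomain-aware domain matching, and first checks that every listed hash is a well-formed MD5, because a malformed entry silently never matches anything. The log line format, hostnames, paths and timestamps are assumptions made up for the example.

```python
import re

# Indicators copied from the note above; the log lines and file events below
# are constructed for this example, not real telemetry.
IOC_MD5 = {
    "6c33223db475f072119fe51a2437a542": "ELMER",
    "0b176111ef7ec98e651ffbabf9b35a18": "ELMER",
    "a8ccb2fc5fec1b89f778d93096ff8dd65": "IRONHALO",  # exactly as listed in the note
}
IOC_IPS = {"121.127.249.74"}
IOC_DOMAINS = {"news.rinpocheinfo.com", "rinpocheinfo.com"}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def malformed_hashes(hashes):
    """Listed hashes that are not a well-formed MD5 (32 hex chars); such
    entries can never match a real file hash, so check the list first."""
    return sorted(h for h in hashes if not MD5_RE.match(h.lower()))

def domain_matches(host, indicators):
    """Exact or subdomain match; case-insensitive, trailing dot tolerated,
    and 'evil-rinpocheinfo.com' does NOT match because the dot boundary is required."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)

def scan_proxy_log(lines):
    """Lines are '<ts> <src_ip> <dst_host> <dst_ip> <method> <path>' (assumed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # skip malformed lines rather than abort the whole sweep
        ts, src, dst_host, dst_ip = parts[:4]
        if domain_matches(dst_host, IOC_DOMAINS) or dst_ip in IOC_IPS:
            hits.append((ts, src, dst_host, dst_ip))
    return hits

def scan_file_events(events):
    """events: (hostname, path, md5) tuples; returns (hostname, path, family) per hit."""
    return [(h, p, IOC_MD5[m.lower()]) for h, p, m in events if m.lower() in IOC_MD5]

# Constructed sample telemetry (hostnames, paths and times are invented).
PROXY_LOG = [
    "2015-11-27T09:14:02Z 10.0.5.21 news.rinpocheinfo.com 121.127.249.74 GET /update",
    "2015-11-27T09:15:10Z 10.0.5.22 cdn.example.org 203.0.113.8 GET /a.js",
    "2015-11-27T09:16:44Z 10.0.5.23 mail.RINPOCHEINFO.COM. 198.51.100.4 POST /s",
    "truncated line",
]
FILE_EVENTS = [
    ("ws-021", r"C:\Users\a\AppData\Local\Temp\x.exe", "6C33223DB475F072119FE51A2437A542"),
    ("ws-022", r"C:\Windows\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]
```

Run against the note's own list, `malformed_hashes` flags the IRONHALO entry, which is 33 characters long as written, so it should be re-checked against the FireEye source before being deployed as a hash indicator.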
TTPs
---------
. Compromise Infrastructure: Server (T1584)
. Phishing (T1566)
. Phishing: Spearphishing Link (T1566.002)
. Phishing: Spearphishing Attachment (T1566.001)
References:
==========
https://malpedia.caad.fkie.fraunhofer.de/actor/apt_16
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
https://apt.thaicert.or.th/cgi-bin/showcard.cgi?g=APT%2016%2C%20SVCMONDR&n=1