ATK15

Presumed Origin: China

Alias: APT 27, APT27, Bronze Union, Emissary Panda, Group 35, HIPPOTeam, Iron Tiger, Iron Tiger APT, Lucky Mouse, LuckyMouse, Operation Iron Tiger, TEMP.Hippo, TG-3390, Threat Group-3390, Threat Group 3390, ZipToken

ATK15 (aka Emissary Panda) is a cyber espionage group active since at least 2009 (the first spearphishing was spotted by TrendMicro on November 25, 2009) and likely based in the People's Republic of China. The group has a preference for leveraging strategic web compromise (SWC) and scan-and-exploit techniques to compromise target systems.

The cyber-spies have also used proprietary remote access tools in attacks observed since 2016, including SysUpdate and HyperBro. SysUpdate is a multi-stage malware used exclusively by the group. It is delivered via multiple methods, including malicious Word documents leveraging Dynamic Data Exchange (DDE), manual deployment using stolen credentials, or a redirect from a strategic web compromise (SWC).

Access to government resources is abused to conduct their campaign attacks. The HyperBro tool and the shikata_ga_nai compressor have been used in their recent campaigns. The group is known for its strategic web compromises and relies on whitelisting to deliver payloads. The group also tends to compromise Microsoft Exchange servers.

Malware & Tools

Tools used by multiple threat groups:

  • PlugX
  • HttpBrowser
  • ChinaChopper web shell
  • Hunter
  • Wrapikatz

Tools that appear to be exclusive to ATK15:

  • OwaAuth web shell
  • ASPXTool
  • Rcmd

Publicly available tools:

  • Windows Credential Editor (WCE) — obtains passwords from memory
  • gsecdump — obtains passwords from memory
  • winrar — compresses data for exfiltration
  • nbtscan — scans NetBIOS name servers
  • Netview — host-enumeration tool that presents details about IP addresses, network shares, remote sessions, and logged-on users
  • Kekeo — toolset to manipulate the Kerberos authentication protocol
  • Metasploit
  • BeEF

Target sector

  • Aerospace
  • Communication
  • Defense
  • Education
  • Government and administration agencies
  • High-Tech
  • Manufacturing
  • Naval
  • Political Organizations

Target countries

  • China
  • Hong Kong
  • Philippines
  • Spain
  • Turkey
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1005 - Data from Local System
  • T1012 - Query Registry
  • T1016 - System Network Configuration Discovery
  • T1018 - Remote System Discovery
  • T1022 - Data Encrypted
  • T1027 - Obfuscated Files or Information
  • T1028 - Windows Remote Management
  • T1030 - Data Transfer Size Limits
  • T1038 - DLL Search Order Hijacking
  • T1043 - Commonly Used Port
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1049 - System Network Connections Discovery
  • T1050 - New Service
  • T1053 - Scheduled Task
  • T1055 - Process Injection
  • T1056 - Input Capture
  • T1059 - Command-Line Interface
  • T1060 - Registry Run Keys / Startup Folder
  • T1068 - Exploitation for Privilege Escalation
  • T1071 - Standard Application Layer Protocol
  • T1073 - DLL Side-Loading
  • T1074 - Data Staged
  • T1078 - Valid Accounts
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1088 - Bypass User Account Control
  • T1089 - Disabling Security Tools
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1108 - Redundant Access
  • T1112 - Modify Registry
  • T1119 - Automated Collection
  • T1126 - Network Share Connection Removal
  • T1133 - External Remote Services
  • T1140 - Deobfuscate/Decode Files or Information
  • T1189 - Drive-by Compromise

Motivation

  • Espionage

Malware

  • ASPXSpy
  • Antak
  • HTTPBrowser
  • OwaAuth
  • ZXShell

Vulnerabilities

  • CVE-2017-11882