ATK2

Presumed Origin: China

Alias: APT 17, APT17, APT 41, APT41, Aurora Panda, Axiom, BRONZE ATLAS, BRONZE EXPORT, Barium, Blackfly, Deputy Dog, DeputyDog, Dogfish, Group 8, Group 72, Group72, Hidden Lynx, Lead, Ragebeast, Suckfly, Tailgater, Tailgater Team, Wicked Panda, Wicked Spider, WinNTI, Winnti Group, Winnti Umbrella

The ATK2 group (aka Aurora Panda) has been in operation since at least 2009 and is most likely a professional organization that offers a “hackers for hire” service. It has the capability to attack many organizations with concurrently running campaigns, and it operates efficiently, moving quickly and methodically. Based on these factors, the group would need to be a sizeable organization made up of between 50 and 100 individuals.
The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property using two Trojans designed specifically for each purpose:
  • Team Moudoor distributes Backdoor.Moudoor, a customized version of “Gh0st RAT”, for large-scale campaigns across several industries. The distribution of Moudoor requires a sizeable number of people to both breach targets and retrieve the information from the compromised networks.
  • Team Naid distributes Trojan.Naid, the Trojan found during the Bit9 incident, which appears to be reserved for more limited attacks against high value targets. This Trojan was leveraged for a special operation during the VOHO campaign and is probably used by a specific team of highly skilled attackers within the group. This Trojan was also found as part of “Operation Aurora” in 2009.
Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China. The ATK2 group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The ATK2 group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.
Between January and March 2020, APT41 launched a large-scale scanning campaign attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central across a large number of companies in many sectors and countries. During these exploitation attempts, APT41 used only publicly available malware such as Cobalt Strike and Meterpreter. These tools were probably used as a reconnaissance step before deploying more advanced custom malware. This campaign shows that the group is resourceful and can quickly leverage newly disclosed vulnerabilities.
Target sector

  • Aerospace
  • Defense
  • Education
  • Financial Services
  • Government and administration agencies
  • Healthcare
  • High-Tech
  • Media
  • Transportation

Target countries

  • Australia
  • Canada
  • China
  • France
  • Germany
  • Russian Federation
  • Japan
  • Korea, Republic of
  • India
  • Hong Kong
  • Singapore
  • Taiwan
  • United Kingdom of Great Britain and Northern Ireland
  • United States of America

Attack pattern

  • T1001 - Data Obfuscation
  • T1003 - Credential Dumping
  • T1014 - Rootkit
  • T1015 - Accessibility Features
  • T1043 - Commonly Used Port
  • T1057 - Process Discovery
  • T1060 - Registry Run Keys / Startup Folder
  • T1071 - Standard Application Layer Protocol
  • T1076 - Remote Desktop Protocol
  • T1094 - Custom Command and Control Protocol
  • T1116 - Code Signing
  • T1132 - Data Encoding
  • T1140 - Deobfuscate/Decode Files or Information
  • T1189 - Drive-by Compromise
  • T1190 - Exploit Public-Facing Application
  • T1246 - Identify supply chains
  • T1331 - Obfuscate infrastructure
  • T1334 - Compromise 3rd party infrastructure to support delivery
  • T1341 - Build social network persona
  • T1342 - Develop social network persona digital footprint

Motivation

  • Espionage

Malware

  • BLACKCOFFEE
  • Briba
  • CrossWalk
  • Darkmoon
  • Derusbi
  • Hydraq
  • Linfo
  • Naid
  • Nerex
  • Pasam
  • PoisonIvy
  • Vasport
  • Wiarp
  • ZXShell
  • gh0st RAT
  • StealthVector
  • ScrambleCross
  • StealthMutant

Vulnerabilities

  • CVE-2010-0249
  • CVE-2011-0609
  • CVE-2011-0611
  • CVE-2011-2110
  • CVE-2012-0779
  • CVE-2012-1535
  • CVE-2012-1875
  • CVE-2012-1889
  • CVE-2012-4792
  • CVE-2013-1347
  • CVE-2013-1493
  • CVE-2013-3893
  • CVE-2014-0322
  • CVE-2018-0802