ATK2

Presumed Origin: China < Back

Alias: APT 17, APT17, APT 41, APT41, Aurora Panda, Axiom, BRONZE ATLAS, BRONZE EXPORT, Barium, Blackfly, Deputy Dog, DeputyDog, Dogfish, Group 8, Group 72, Group72, Hidden Lynx, Lead, Ragebeast, Suckfly, Tailgater, Tailgater Team, Wicked Panda, Wicked Spider, WinNTI, Winnti Group, Winnti Umbrella

ATK2 (aka: Aurora Panda) group has been in operation since at least 2009 and is most likely a professional organization that offers a “hackers for hire” service. They have the capability to attack many organizations with concurrently running campaigns. They operate efficiently and move quickly and methodically. Based on these factors, the group would need to be a sizeable organization made up of between 50 and 100 individuals.

The members of this group are experts at breaching systems. They engage in a two-pronged strategy of mass exploitation and pay-to-order targeted attacks for intellectual property using two Trojans designed specifically for each purpose:

Team Moudoor distributes Backdoor.Moudoor, a customized version of “Gh0st RAT”, for large-scale campaigns across several industries. The distribution of Moudoor requires a sizeable number of people to both breach targets and retrieve the information from the compromised networks.
Team Naid distributes Trojan.Naid, the Trojan found during the Bit9 incident, which appears to be reserved for more limited attacks against high value targets. This Trojan was leveraged for a special operation during the VOHO campaign and is probably used by a specific team of highly skilled attackers within the group. This Trojan was also found as part of “Operation Aurora” in 2009.

Much of the attack infrastructure and tools used during these campaigns originate from network infrastructure in China. The ATK2 group makes regular use of zero-day exploits and has the ability to rework and customize exploits quickly. They are methodical in their approach and they display a skillset far in advance of some other attack groups also operating in that region, such as the Comment Crew (also known as APT1). The ATK2 group is an advanced persistent threat that has been in operation for at least four years and is breaking into some of the best-protected organizations in the world. With a zero-day attack already under their belt in 2013, they continue to operate at the leading edge of targeted attacks.

Between January and March 2020, APT41 launch a large scan attempting to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central on a large number of companies in many sectors and countries. During these exploitation attempt, APT41 only used publicly available malware such as Cobalt Strike and Meterpreter. These tools were propably used as reconnaissance step before useing more advanced custom malwares. This campaign shows that the group is ressourceful and can quickly leverage newly disclosed vulnerabilities.

REFERENCES

- 2010, HB Gary, Operation Aurora, https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2010/WhitePaper%20HBGary%20Threat%20Report%2C%20Operation%20Aurora.pdf
- 20/07/2012, RSA, Lions at the Watering Hole – The “VOHO” Affair, https://web.archive.org/web/20120802105749/https://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/
- 08/02/2013, Bit9, Bit9 and Our Customers’ Security, https://web.archive.org/web/20130302090357/https://blog.bit9.com/2013/02/08/bit9-and-our-customers-security/ 25/02/2013, Bit9, Bit9 Security Incident Update, https://web.archive.org/web/20130302090353/https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
- 20/05/2013, FireEye, Ready for Summer: The Sunshop Campaign, https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html
- 17/09/2013, Symantec, Hidden Lynx - Professional Hackers for Hire, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
- 21/09/2013, FireEye, Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets, https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html
- 10/11/2013, FireEye, Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method, https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
- 25/02/2014, CrowdStrike, The French Connection: French Aerospace-Focused CVE-2014-0322 Attack Shares Similarities with 2012 Capstone Turbine Activity, https://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/
- 14/10/2014, Talos, Threat Spotlight : Group 72, https://blog.talosintelligence.com/2014/10/threat-spotlight-group-72.html
- 20/12/2014, Novetta, Operation SMN, http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
- 14/05/2015, FireEye, Hiding in Plain Sight: FireEye And Microsoft Expose Obfuscation Tactic, http://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
- 08/03/2016, Kristen Dennsen, Hide and Seek: How Threat Actors Respond in the Face of Public Exposure, https://www.rsaconference.com/writable/presentations/file_upload/crwd-t11-hide_and_seek-how_threat_actors_respond_in_the_face_of_public_exposure.pdf
- 26/07/2016, PaloAlto, Attack Delivers ‘9002’ Trojan Through Google Drive, https://unit42.paloaltonetworks.com/unit-42-attack-delivers-9002-trojan-through-google-drive/
- 25/08/2017, Proofpoint, Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures, https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures
- http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf

Target sector

Aerospace
Defense
Education
Financial Services
Government and administration agencies
Healthcare
High-Tech
Media
Transportation

Target countries

Australia
Canada
China
France
Germany
Russian Federation
Japan
Korea, Republic of
India
Hong Kong
Singapore
Taiwan
United Kingdom Of Great Britain And Northern Ireland
United States Of America

Attack pattern

T1001 - Data Obfuscation
T1003 - Credential Dumping
T1014 - Rootkit
T1015 - Accessibility Features
T1043 - Commonly Used Port
T1057 - Process Discovery
T1060 - Registry Run Keys / Startup Folder
T1071 - Standard Application Layer Protocol
T1076 - Remote Desktop Protocol
T1094 - Custom Command and Control Protocol
T1116 - Code Signing
T1132 - Data Encoding
T1140 - Deobfuscate/Decode Files or Information
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1246 - Identify supply chains
T1331 - Obfuscate infrastructure
T1334 - Compromise 3rd party infrastructure to support delivery
T1341 - Build social network persona
T1342 - Develop social network persona digital footprint

Motivation

Espionage

Malwares

BLACKCOFFEE
Briba
CrossWalk
Darkmoon
Derusbi
Hydraq
Linfo
Naid
Nerex
Pasam
PoisonIvy
Vasport
Wiarp
ZXShell
gh0st RAT
StealthVector
ScrambleCross
StealthMutant

Vulnerabilities

CVE-2010-0249
CVE-2011-0609
CVE-2011-0611
CVE-2011-2110
CVE-2012-0779
CVE-2012-1535
CVE-2012-1875
CVE-2012-1889
CVE-2012-4792
CVE-2013-1347
CVE-2013-1493
CVE-2013-3893
CVE-2014-0322
CVE-2018-0802