APT12
Associated Group Descriptions

| Name | Description |
|---|---|
| IXESHE | (Citation: Meyers Numbered Panda) (Citation: Moran 2014) |
| DynCalc | (Citation: Meyers Numbered Panda) (Citation: Moran 2014) |
| Numbered Panda | (Citation: Meyers Numbered Panda) |
| DNSCALC | (Citation: Moran 2014) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1568.003 | Dynamic Resolution: DNS Calculation | APT12 has used multiple variants of DNS Calculation, including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port. (Citation: Meyers Numbered Panda) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT12 has sent emails with malicious Microsoft Office documents and PDFs attached. (Citation: Moran 2014) (Citation: Trend Micro IXESHE 2012) |
| Enterprise | T1204.002 | User Execution: Malicious File | APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing. (Citation: Moran 2014) (Citation: Trend Micro IXESHE 2012) |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT12 has used blogs and WordPress for C2 infrastructure. (Citation: Meyers Numbered Panda) |
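The DNS Calculation variant described in the T1568.003 row (first octet times second octet, plus the third octet, giving the C2 port) can be turned into a simple hunting check: derive the expected port from each IPv4 address seen in DNS answers and flag outbound flows to that IP whose destination port matches. The code below is an added illustration, not part of the ATT&CK page or any vendor tooling; the DNS answers and flow records are constructed sample data, and only the one variant named on the page is implemented.

```python
"""Hunting check for the DNS Calculation variant described above."""
import ipaddress
from typing import Iterable, List, Tuple


def calc_port(ip: str) -> int:
    """Derive the port for the variant on the page: (octet1 * octet2) + octet3.

    Raises ValueError for anything that is not a dotted-quad IPv4 address
    (e.g. an AAAA answer), so callers can skip those records.
    """
    addr = ipaddress.IPv4Address(ip)   # validates the textual form
    o1, o2, o3, _ = addr.packed        # four bytes -> four ints
    return o1 * o2 + o3                # max 255*255+255 = 65280, a valid port


# Constructed sample telemetry (not from the page): (queried name, answered IP)
DNS_ANSWERS = [
    ("www.sample-site.invalid", "10.20.30.40"),
    ("static.other-site.invalid", "203.0.113.5"),
    ("v6.other-site.invalid", "2001:db8::1"),   # AAAA answer, skipped
]

# Constructed sample flows: (source IP, destination IP, destination port)
FLOWS = [
    ("192.0.2.10", "10.20.30.40", 230),   # 10*20 + 30 = 230 -> candidate hit
    ("192.0.2.10", "10.20.30.40", 443),   # ordinary HTTPS port -> no match
    ("192.0.2.11", "203.0.113.5", 158),   # 203*0 + 113 = 113, not 158 -> no match
]


def find_calculated_ports(
    dns_answers: Iterable[Tuple[str, str]],
    flows: Iterable[Tuple[str, str, int]],
) -> List[Tuple[str, str, int]]:
    """Return (name, dst_ip, dst_port) for flows whose destination port equals
    the port calculated from the destination IP, where that IP was seen in a
    DNS answer. Hits are review candidates, not confirmation of compromise."""
    expected = {}
    for name, ip in dns_answers:
        try:
            expected[ip] = (name, calc_port(ip))
        except ValueError:
            continue   # non-IPv4 answer; the variant only applies to IPv4
    hits = []
    for _src, dst, dport in flows:
        if dst in expected and expected[dst][1] == dport:
            hits.append((expected[dst][0], dst, dport))
    return hits
```

Because low-numbered results (such as 230 above) can collide with legitimate services, the hits are best reviewed alongside the resolving domain's reputation and the frequency of the connection.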
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0015 | Ixeshe | (Citation: Moran 2013) (Citation: Moran 2014) | Process Discovery, Web Protocols, File Deletion, Registry Run Keys / Startup Folder, System Information Discovery, Commonly Used Port, System Network Configuration Discovery, Ingress Tool Transfer, Hidden Files and Directories, Standard Encoding, File and Directory Discovery, System Service Discovery, Data from Local System, System Owner/User Discovery, Match Legitimate Name or Location, Windows Command Shell |
| S0003 | RIPTIDE | (Citation: Moran 2014) | Web Protocols, Symmetric Cryptography, Commonly Used Port |
| S0040 | HTRAN | (Citation: HUC Packet Transmit Tool) (Citation: NCSC Joint Report Public Tools) (Citation: Operation Quantum Entanglement) (Citation: Trend Micro IXESHE 2012) | Proxy, Rootkit, Process Injection |
References
- Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.
- Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
- Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
- Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.