🇨🇳

IXESHE

APT Group Information theft and espionage 5 zero-day CVEs ETDA ✓

Also Known As 11 names

APT12 BRONZE GLOBE BeeBus Calc Team Crimson Iron DNSCalc DynCalc Group 22 Hexagon Typhoon NUMBERED PANDA TG-2754

Target Countries 4

Countries highlighted in red

Germany Japan Province of China Taiwan United States

Sectors Targeted

Public Administration 92 Telecommunications Publishing Industries (except Internet) 511 Electrical Equipment, Appliance, and Component Manufacturing 335 High-Tech Government Other Information Services 519 Media Computer and Electronic Product Manufacturing 334 Electronics and journalists Information 51 Space Research and Technology 927 Private sector Defense Telecommunications 517 National Security and International Affairs 928 NAICS:31 31

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

Malware Families 8

rapid_stealer

dreambot

snifula

ldr4

etumbot

saigon

vawtrak

gozi

MITRE ATT&CK 65

T1003 T1005 T1016 T1021 T1027 - Obfuscated Files or Information T1033 T1036 T1041 T1049 T1053 T1055 T1057 T1059 T1070 T1071 T1071.001 T1078 T1082 T1087 T1090 T1095 T1102 T1102.002 T1105 T1106 T1110 T1114 T1115 T1123 T1124 T1127 T1132 T1133 T1136 T1140 - Deobfuscate/Decode Files or Information T1176 T1190 T1193 T1203 T1204 - User Execution T1204.002 T1218 - Signed Binary Proxy Execution T1485 T1486 T1490 - Inhibit System Recovery T1498 - Network Denial of Service T1529 T1530 T1531 T1543 T1547 T1550 T1553 - Subvert Trust Controls T1560 T1561 T1562 T1566 - Phishing T1566.001 T1568 T1568.003 T1571 T1573 T1583 T1587 T1595

Related Zero-Days 5

CVE-2018-8174 CVE-2020-1472 CVE-2022-42475 CVE-2023-36884 CVE-2023-38831

Known Names 12 entries

APT 12 Mandiant

Numbered Panda CrowdStrike

CTG-8223 SecureWorks

Bronze Globe SecureWorks

BeeBus FireEye

Calc Team Symantec

DynCALC Symantec

DNSCalc Symantec

Group 22 Talos

Crimson Iron ThreatConnect

Hexagon Typhoon Microsoft

G0005 MITRE

Observed Target Countries 5

Based on ETDA data — countries highlighted in red

Germany Japan Taiwan USA East Asia

Description

(CrowdStrike) Numbered Panda has a long list of high-profile victims and is known by a number of names including: DYNCALC, IXESHE, JOY RAT, APT-12, etc. Numbered Panda has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments. Numbered Panda has targeted organizations in time-sensitive operations such as the Fukushima Reactor Incident of 2011, likely filling intelligence gaps in the ground cleanup/mitigation operations. Screen saver files, which are binary executables and PDF documents, are common Numbered Panda weaponization tactics. One of the most interesting techniques that Numbered Panda likes to use is to dynamically calculate the Command and Control (C2) port by resolving a DNS. This effectively helps Numbered Panda bypass egress filtering implemented to prevent unauthorized communications on some enterprises. The malware will typically use two DNS names for communication: one is used for command and control; the other is used with an algorithm to calculate the port to communicate to.

Tools Used 7

AUMLIB ETUMBOT IHEATE IXESHE RapidStealer THREEBYTE WaterSpout

Operations 10

2009-07 “IXESHE” campaign Target: East Asian governments, Taiwanese electronics manufacturers and a telecommunications company. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf

2011-05 “AUMLIB” campaign https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html

2011 “ETUMBOT” campaign Target: Taiwan Once the malicious file was downloaded and extracted by the victim, Etumbot uses a right-to-left override exploit to trick the victim to download the malware installer. According to Arbor Security, the “technique is a simple way for malware writers to disguise names of malicious files. A hidden Unicode character in the filename will reverse the order of the characters that follow it, so that a .scr binary file appears to be a .xls document, for example.” https://www.arbornetworks.com/blog/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf

2012-10 Breach of The New York Times “For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees.” The attack occurred after the New York Times published a story about how the relatives of Wen Jiabao, the sixth Premier of the State Council of the People’s Republic of China, “accumulated a fortune worth several billion dollars through business dealings.” The computers used to launch the attack are believed to be the same university computers used by the Chinese military to attack United States military contractors. https://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all

2012-10 “RIPTIDE” campaign Spear-phishing on Taiwanese Government

2014-08 “HIGHTIDE” campaign Spear-phishing on Taiwanese Government Uses an updated version of ETUMBOT.

2014-08 “THREEBYTE” campaign Spear-phishing on Taiwanese Government

2014-08 “WATERSPOUT” campaign Spear-phishing on Taiwanese Government

2016-01 IXESHE Derivative IHEATE Targets Users in America https://blog.trendmicro.com/trendlabs-security-intelligence/ixeshe-derivative-iheate-targets-users-america/

2016-11 “CNACOM” campaign On November 7, we spotted a malicious injection on the registration page of a major Taiwanese public service website. An iframe was injected into the footer of the page, which then loaded a unique landing page containing the CVE-2016-0189 exploit code. https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise

Reports & References 3

https://www.crowdstrike.com/blog/whois-numbered-panda/ https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html https://en.wikipedia.org/wiki/Numbered_Panda

ETDA Profile

APT 12, Numbered Panda

Origin

China

First Seen 2009

Sponsor State-sponsored

Motivation

Information theft and espionage

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0005/

View on ETDA APT Groups ↗