Chinese Hackers APT9 (associated names: NUMBERED PANDA / IXESHE / DYNCALC / JOY RAT / ETUMBOT)

Type: Nation-State-Sponsored

APT9 Status: Believed Inactive

APT9 Other Names: Numbered Panda / IXESHE / DYNCALC / JOY RAT / Etumbot / Beebus / Group 22 / TG-2754 / Calc Team / DynCalc / Crimson Iron / DNSCalc

Active Since/Discovered: 10/2012–5/2014

Target Sectors: media outlets, high-tech companies, and government organizations

Malware:

  • Etumbot
  • Riptide: a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server
  • Hightide (backdoor)
  • ThreeByte (backdoor)
  • Waterspout (backdoor)
  • The backdoors above are variants of the same backdoor, modified to avoid detection; they are used to maintain a persistent presence and conduct surveillance
  • Mswab
  • Gh0st
  • ShowNews
  • 3001

Preferred Attack Vector: Spear-phishing

TTP:

  • Binary executables disguised as screensavers and PDFs
  • Exploitation of CVE-2012-0158

Unique: Changes tools after public exposure



Originally published at artofthehak.com.