APT1
State-backed: China
Estimated time of origin: 2006
Target sectors: Information Technology, Aerospace, Public Administration, Satellites and Telecommunications, Scientific Research and Consulting, Energy, Transportation, Construction and Manufacturing, Engineering Services, High-tech Electronics, International Organizations, Legal Services, Media, Advertising and Entertainment, Navigation, Chemicals, Financial Services, Food and Agriculture, Healthcare, Metals and Mining, Education.
Strategy: email theft using purpose-built utilities (GETMAIL and MAPIGET); establishing command-and-control (C2) infrastructure.
Malware:
- AURIGA
- BANGAT
- TROJAN.ECLTYS
- BACKDOOR.BARKIOFORK
- BACKDOOR.WAKEMINAP
- TROJAN.DOWNBOT
- BACKDOOR.DALBOT
- BACKDOOR.REVIRD
- TROJAN.BADNAME
- BACKDOOR.WUALESS
Noteworthy:
- Mission similar to that of the People's Liberation Army (PLA) Unit 61398.
- Operates from Microsoft Windows systems configured to display Simplified Chinese fonts, accessed over remote desktop.
- Uses HTran (HUC Packet Transmit Tool), a rudimentary connection bouncer that redirects TCP traffic destined for one host to an alternate host, to obscure the true origin of C2 connections.
- Personas: UglyGorilla, DOTA, SuperHard.
Reference:
- Mandiant, "APT1: Exposing One of China's Cyber Espionage Units"