APT16 (G0023) is a China-based threat group that has launched spear phishing campaigns targeting Japanese and Taiwanese organizations.
Name: SVCMONDR (Kaspersky)
Location: China
Suspected attribution:
Date of initial activity:
Targets: Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries
Motivation: Espionage
Associated tools: ELMER, IRONHALO, SVCMONDR.
Attack vectors: Compromise Infrastructure – Server. APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.
How they work: Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the EPS dict copy use-after-free vulnerability, together with the local Windows privilege escalation vulnerability CVE-2015-1701. Successful exploitation of both vulnerabilities led to the delivery of either a downloader, referred to as IRONHALO, or a backdoor, referred to as ELMER.
While APT16 targeted Taiwanese media, suspected Chinese APT actors also targeted a Taiwanese government agency, sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website. It is possible, although not confirmed, that APT16 was also responsible for targeting this government agency, given both the timeframe and the use of the same n-day vulnerability to eventually deploy the ELMER backdoor.