| Field | Value |
|---|---|
| Names | APT16 (Mandiant), SVCMONDR (Kaspersky) |
| Date of initial activity | 2015 |
| Associated tools | ELMER, IRONHALO, SVCMONDR |
APT16 is a China-based threat group that has launched spear phishing campaigns targeting Japanese and Taiwanese organizations.
Targets: Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries.
Compromise Infrastructure – Server: APT16 has compromised otherwise legitimate sites and used them as staging servers for second-stage payloads.
How they work
Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries.
Each campaign delivered a malicious Microsoft Word document exploiting an EPS dict copy use-after-free vulnerability together with the local Windows privilege escalation vulnerability CVE-2015-1701. Successful exploitation of both vulnerabilities led to the delivery of either a downloader referred to as IRONHALO or a backdoor referred to as ELMER.
While APT16 targeted Taiwanese media, suspected China-based APT actors also targeted a Taiwanese government agency, sending a lure document that contained instructions for registration and subsequent listing of goods on a local Taiwanese auction website. It is possible, although not confirmed, that APT16 was also responsible for targeting this government agency, given both the timeframe and the use of the same n-day vulnerability to eventually deploy the ELMER backdoor.