APT22 – BRONZE OLIVE (also referred to as SuckFly) conducted a long-running espionage campaign against Indian government and commercial organizations between early 2014 and mid-2015. The group used a range of commodity and custom tools combined with stolen certificates from a South Korean mobile operator to carry out their intrusions.
Name: APT22 (FireEye), Barista, Group 46 (Talos), SuckFly (Symantec), BRONZE OLIVE (Secureworks)
Location: China
Suspected attribution: CTU researchers assess with moderate confidence that the group operates on behalf of China.
Date of initial activity: 2014/15
Targets: Has focused on biomedical, pharmaceutical, and healthcare organizations in the past and continues to be active. BRONZE OLIVE's interest also appears to be centered on commercial and government entities based in India.
Motivation: Espionage campaign
Associated tools: Angryrebel, DestroyRAT, PlugX, TCP/ICMP RAT
Attack vectors: APT22 threat actors have used strategic web compromises in order to passively exploit targets of interest. APT22 actors have also identified vulnerable public-facing web servers on victim networks and uploaded webshells to gain access to the victim network.
How they work: PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification; keystroke logging; webcam control; and access to a remote cmd.exe shell. The malware payload was typically delivered via a phishing campaign, either as an attached self-extracting RAR (SFX) archive, as a link to such an archive, or embedded in a weaponized document. This archive contains three files that make up the PlugX components.