| Attribute | Value |
| --- | --- |
| Names | APT22 (FireEye), Barista, Group 46 (Talos), Suckfly (Symantec), BRONZE OLIVE (Secureworks) |
| Date of initial activity | 2014 |
| Suspected attribution | Secureworks CTU researchers assess with moderate confidence that the group operates on behalf of China. |
| Motivation | Information theft and espionage |
| Associated tools | Angryrebel, DestroyRAT, PlugX, TCP/ICMP RAT |
APT22, tracked by Secureworks as BRONZE OLIVE and by Symantec as Suckfly, conducted a long-running espionage campaign against Indian government and commercial organizations between early 2014 and mid-2015. The group combined commodity and custom tools with code-signing certificates stolen from a South Korean mobile operator; binaries signed with a valid, stolen certificate pass checks that trust any correctly signed file, so a clean signature alone is not evidence that a sample is benign.
The group previously targeted biomedical, pharmaceutical, and healthcare organizations and remains active; its more recent interest is concentrated on commercial and government entities based in India.
APT22 actors have used strategic web compromises (watering-hole attacks on sites their targets are likely to visit) to passively exploit targets of interest. They have also identified vulnerable public-facing web servers on victim networks and uploaded webshells to them to gain a foothold in the victim network.
How they work
PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download, and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell. The payload was typically delivered by phishing, either as an attached self-extracting RAR (SFX) archive, as a link to such an archive, or embedded in a weaponized document. The archive contains the three files that make up a standard PlugX installation: a legitimate, signed executable; a malicious DLL named after a library that executable loads, so that the executable side-loads it from its own directory; and an encrypted blob holding the PlugX payload, which the DLL decrypts and runs in memory. Because the executable really is signed by its vendor, the triad rather than the host binary is what a responder should look for on disk.
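The following triage script is an added example, not code from the page or from any vendor report. It implements two checks a responder would run against a suspicious attachment or an extracted drop directory: whether a file is a RAR SFX (a PE stub with a RAR signature embedded after it), and whether a directory holds the side-loading triad described above (a PE .exe, a PE .dll beside it, and a high-entropy non-PE file that looks like an encrypted payload). The file names, the minimal fake PE bytes, and the sample directory are constructed for the demonstration; the entropy threshold of 7.5 bits per byte is an assumed cut-off, and compressed files (zip, jpeg) will also cross it, so the output is a list of candidates to confirm, not a verdict.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

MZ_MAGIC = b"MZ"                    # DOS header at the start of every PE file
RAR_MAGIC = b"Rar!\x1a\x07\x00"     # RAR 4.x archive signature; in an SFX it follows the PE stub


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted or compressed data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_sfx_rar(data: bytes) -> bool:
    """A RAR SFX is a PE executable (MZ header) with a RAR archive embedded after the stub."""
    return data.startswith(MZ_MAGIC) and data.find(RAR_MAGIC, len(MZ_MAGIC)) != -1


def find_sideload_triads(directory, entropy_threshold: float = 7.5, min_size: int = 256):
    """Return (exe, dll, blob) name triples matching the PlugX on-disk layout:
    a PE .exe, a PE .dll in the same directory, and a high-entropy non-PE file."""
    files = {p: p.read_bytes() for p in Path(directory).iterdir() if p.is_file()}
    exes = sorted(p for p, d in files.items()
                  if p.suffix.lower() == ".exe" and d.startswith(MZ_MAGIC))
    dlls = sorted(p for p, d in files.items()
                  if p.suffix.lower() == ".dll" and d.startswith(MZ_MAGIC))
    blobs = sorted(
        p for p, d in files.items()
        if p.suffix.lower() not in (".exe", ".dll")
        and not d.startswith(MZ_MAGIC)
        and len(d) >= min_size
        and shannon_entropy(d) >= entropy_threshold
    )
    return [(e.name, l.name, b.name) for e in exes for l in dlls for b in blobs]


def build_sample_dir() -> str:
    """Constructed sample, not a real PlugX drop: a triad plus one benign text file."""
    d = Path(tempfile.mkdtemp(prefix="plugx_demo_"))
    # Minimal MZ/PE-looking bytes; enough for the header check, not a loadable binary.
    pe_stub = MZ_MAGIC + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 512
    (d / "viewer.exe").write_bytes(pe_stub)     # stands in for the legitimately signed host EXE
    (d / "viewer.dll").write_bytes(pe_stub)     # stands in for the malicious side-loaded DLL
    (d / "viewer.dat").write_bytes(bytes(range(256)) * 16)   # uniform bytes, entropy 8.0
    (d / "readme.txt").write_bytes(b"This is a benign text file.\n" * 20)
    return str(d)


if __name__ == "__main__":
    sample = build_sample_dir()
    print("candidate side-loading triads:", find_sideload_triads(sample))
    sfx = MZ_MAGIC + b"\x00" * 1024 + RAR_MAGIC + b"\x00" * 64   # constructed SFX-shaped bytes
    print("SFX RAR detected:", is_sfx_rar(sfx))
```

To turn a candidate triad into a finding, check that the DLL's file name appears in the host executable's import table (or its delay-load/manifest dependencies), that the DLL itself is unsigned or signed with a certificate that does not match the executable's vendor, and that the high-entropy file is not a known compressed format.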