| Names | APT4 (Mandiant), Maverick Panda (CrowdStrike), Wisp Team (Symantec), Sykipot Group (AlienVault) |
| Additional Names | TG-0623 (SecureWorks), Bronze Edison (SecureWorks), Samurai Panda |
| Location | China |
| Date of initial activity | 2009 |
| Suspected attribution | China |
| Motivation | Information theft and espionage |
| Associated tools | GETKYS, LIFESAVER, CCHIP, SHYLILT, SWEETTOOTH, PHOTO, SOGO |
Overview
APT4 appears to target the Defense Industrial Base (DIB) at a higher rate of frequency than other commercial organizations. However, APT4’s history of targeted intrusions is wide in scope.
APT4 actors often leverage spear phishing messages using U.S. government, Department of Defense, or defense industrial base themes. APT4 actors may repurpose valid content from government or U.S. DoD web sites within their message bodies to lend them legitimacy.
Targets
Aerospace and Defense, Industrial Engineering, Electronics, Automotive, Government, Telecommunications, and Transportation. Target selection tends to focus on Asia Pacific victims in Japan, the Republic of Korea, and other democratic Asian victims.
Attack vectors
APT4 actors often leverage spear phishing messages using U.S. government, Department of Defense, or defense industrial base themes. APT4 actors may repurpose valid content from government or U.S. DoD web sites within their message bodies to lend them legitimacy.
How they work
The implant delivered by Samurai Panda uses a typical installation process whereby they:
- Leverage a spearphish with an exploit to get control of the execution flow of the targeted application. This file “drops” an XOR-encoded payload that unpacks itself and a configuration file.
- Next, the implant, which can perform in several different modes, typically will install itself as a service and then begin beaconing out to an adversary-controlled host.
- If that command-and-control host is online, the malicious service will download and instantiate a backdoor that provides remote access to the attacker, who will see the infected host’s identification information as well as the campaign code.
Indicators of Compromise (IOC)
- IP addresses:
- 176.34.146.10
- 176.34.146.11
- 176.34.146.12
- 176.34.146.13
- 176.34.146.14
- Domain names:
- a.apt4.biz
- b.apt4.biz
- c.apt4.biz
- d.apt4.biz
- e.apt4.biz
- File hashes:
- 5482598005525873334
- 6682888614648030960
- 7883188223870288576
- 8183487833092546176
- 8283787442314803776
