| Names | APT 5 (FireEye), Keyhole Panda (CrowdStrike), Bronze Fleetwood (SecureWorks) |
| Additional Names | TEMP.Bottle (iSight), TG-2754 (SecureWorks), Poisoned Flight (Kaspersky), Mulberry Typhoon (Microsoft), TABCTENG |
| Location | China |
| Date of initial activity | 2007 |
| Suspected attribution | China |
| Motivation | Information theft and espionage |
| Associated tools | Binanen, Comfoo, Gh0st RAT, Isastart, Leouncia, OrcaRAT, PcShare, Skeleton Key, SlyPidgin, VinSelf. |
Overview
APT5 has been active since at least 2007. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications.
As early as 2014, Mandiant Incident Response discovered APT5 making unauthorized code modifications to files in the embedded operating system of another technology platform.
In 2015, APT5 compromised a U.S. telecommunications organization providing services and technologies for private and government entities. During this intrusion, the actors downloaded and modified some of the router images related to the company’s network routers.
Also, during this time, APT5 stole files related to military technology from a South Asian defense organization. Observed filenames suggest the actors were interested in product specifications, emails concerning technical products, procurement bids and proposals, and documents on unmanned aerial vehicles (UAVs).
BRONZE FLEETWOOD is a threat group that CTU researchers assess with moderate confidence operates on behalf of China. The group has previously been observed using both the Leouncia and VinSelf tool kits to target organizations in the aerospace and communications sectors. The intent of the group is likely theft of information from targeted networks.
There is strong overlap between the tools and infrastructure used by BRONZE FLEETWOOD and a threat group publicly reported by Secureworks dubbed Comfoo.
Targets
Defense, High-Tech, Industrial, Technology, Telecommunications. Countries: Southeast Asia. Regional telecommunication providers, Asia-based employees of global telecommunications and tech firms, high-tech manufacturing, and military application technology in the U.S., Europe, and Asia.
Attack vectors
It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. The group uses malware with keylogging capabilities to specifically target telecommunication companies’ corporate networks, employees and executives. APT5 has shown significant interest in compromising networking devices and manipulating the underlying software that supports these appliances.
How they work
Leouncia is a powerful backdoor that is designed to take complete control over the infected machine. Similar to Vinself, Leouncia also uses HTTP to carry its custom obfuscated payload. Leouncia’s obfuscation techniques far more sophisticated than what found within Vinself.
Moreover, Leouncia tries its best to hide its presence from signature-based sensors. It generates its http communication randomly by using varying levels of system information in conjunction with Windows random number generation APIs. The result is that every instance of its C&C communication will be different from the previous one.
Indicators of Compromise (IOCs)
- IP addresses:
- 176.34.146.10
- 176.34.146.11
- 176.34.146.12
- 176.34.146.13
- 176.34.146.14
- Domain names:
- a.apt5.biz
- b.apt5.biz
- c.apt5.biz
- d.apt5.biz
- e.apt5.biz
- File hashes:
- 5482598005525873334
- 6682888614648030960
- 7883188223870288576
- 8183487833092546176
- 8283787442314803776
