| Field | Value |
|---|---|
| Names | APT9 (Mandiant), Nightshade Panda (CrowdStrike) |
| Additional Names | Group 27 (ASERT), FlowerLady (Context), FlowerShow (Context) |
| Date of initial activity | 2013 |
| Associated tools | Gh0st, ZXSHEL – 3102 RAT, 9002 RAT, EvilGrab RAT, MoonWind RAT, PlugX, Poison Ivy, Trochilus RAT |
APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field.
Target sectors: Energy, Government, Media, Utilities. Target regions: Myanmar, Thailand, USA and Europe.
APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spear phishing, valid accounts, and remote services for Initial Access.
On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by abusing a trusted relationship between the two companies.
APT9 uses a wide range of backdoors, including publicly available backdoors as well as backdoors that are believed to be custom but are used by multiple APT groups.
How they work
Trochilus was a new RAT that, at the time, went undetected by most antivirus vendors. It was part of Group 27’s malware portfolio, which included six other malware strains, all served together or in different combinations depending on the data that needed to be stolen from each victim.
This collection of malware, dubbed the Seven Pointed Dagger by ASERT experts, included two different PlugX versions, two different Trochilus RAT versions, one version of the 3012 variant of the 9002 RAT, one EvilGrab RAT version, and one unknown piece of malware that the team had not yet fully analyzed.
During that campaign, the threat actor identified as Group 27 used watering hole attacks on official Myanmar government websites to infect unsuspecting users with the PlugX malware (a RAT) when they accessed information on the upcoming Myanmar elections.
Indicators of Compromise (IOC)
- IP addresses:
- Domain names:
- File hashes: