| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1568.003 | Dynamic Resolution: DNS Calculation | APT12 has used multiple variants of DNS Calculation, including multiplying the first two octets of an IP address and adding the third octet to that value in order to derive the resulting command and control port.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).[2][3] |
| Enterprise | T1204.002 | User Execution: Malicious File | APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachments sent via spearphishing.[2][3] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | APT12 has used blogs and WordPress for C2 infrastructure.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.[2][3] |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0040 | HTRAN | [3] | Rootkit, Proxy, Process Injection |
| S0015 | Ixeshe | [4][2] | Data from Local System, Masquerading: Match Legitimate Name or Location, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Hide Artifacts: Hidden Files and Directories |
| S0003 | RIPTIDE | [2] | Encrypted Channel: Symmetric Cryptography, Application Layer Protocol: Web Protocols |