Threat Actor Profile
Aliases: Leviathan, TEMP.Jumper, TEMP.Periscope, APT 40
Key Target Sectors: Transportation, Government / Military, Educational, Information Technology, Communication, Manufacturing, Enterprise Services
Attack Vectors: Spam Email, Spear phishing, Phishing, and Luring.
Target Region: Western Europe, North America, South-East Asia
Malware Used: ScanBox, WindTone, Grillmark, BlackCoffee, Gh0st, China Chopper, WilDelk, FreshAir, KorPlug, HomeFry, RedMage, FieldGoal, AirBreak, Js Spy, Murkytop, Beacon, Murkyshell, Orz, LunchMoney, and NanHaiShu.
Tools Used: PaperRush, Photo
Vulnerabilities Exploited: CVE-2017-0199, CVE-2012-0158, CVE-2017-11882, and CVE-2017-8759
APT40 is a cyberespionage threat group linked to the Chinese government, known for targeting critical technologies and traditional intelligence targets in North America, Europe, and East Asia. The group has been conducting cyber operations since at least 2013, and its espionage activity mostly supports China's naval modernization effort. The group was previously reported as TEMP.Periscope and TEMP.Jumper. Most recently, in early 2019, it was again seen attempting to steal advanced-technology secrets that support the development of Chinese naval capabilities.
Which organizations has the group targeted?
Since 2013, the group has been targeting the engineering, transportation, and defense sectors, with a specific interest in maritime technologies. In December 2016, China's People's Liberation Army Navy (PLAN) seized a U.S. Navy unmanned underwater vehicle (UUV) operating in the South China Sea. This physical seizure paralleled the group's activity in cyberspace: within a year, the group was observed masquerading as a UUV manufacturer and targeting universities engaged in marine research. More recently, in early 2019, specific targeting of countries strategically crucial to the Belt and Road Initiative has been observed. The group also targets China's neighboring countries for traditional intelligence, particularly organizations with operations in Southeast Asia or involved in South China Sea disputes.
What is their motivation behind the attacks?
The group is focused on targeting countries critical to China's Belt and Road Initiative (i.e., Cambodia, Belgium, Germany, Hong Kong, the Philippines, Malaysia, Norway, Saudi Arabia, Switzerland, the United States, and the United Kingdom). The group has also targeted universities and research centers involved in marine research, mostly in the USA, with the intent of acquiring advanced technology to accelerate the growth of the Chinese maritime industry. These attacks on naval research organizations ultimately support China's ambition to establish a blue-water navy in the South China Sea.
This group has been observed using multiple methods for initial compromise, including web server exploitation, strategic web compromises, and phishing campaigns delivering backdoors, both publicly available and custom made. The group mostly relies on web shells for an initial foothold inside the targeted organization. A web shell gives persistent access to a victim's environment, enables lateral movement, and allows the group to re-infect victim systems if required. The spear-phishing emails usually carry malicious attachments, although malicious Google Drive links have also been observed. In these phishing campaigns, the group has been observed exploiting vulnerabilities such as CVE-2012-0158, CVE-2017-0199, CVE-2017-8759, and CVE-2017-11882 within days of their disclosure.
For APT40, successful completion of an operation usually means gathering information and transferring it out of the target network, which may involve moving files through many systems before they reach the destination. Files are consolidated from victim networks, then compressed and encrypted with the archival tool rar.exe before exfiltration. The group also developed a tool named "PaperRush" to improve the efficiency of its data theft and targeting tasks.
Known tools and malware
The group is known to use various first-stage backdoors, custom malware, and publicly available reconnaissance tools to carry out its cyber operations. Such tools include ScanBox, WindTone, Grillmark, BlackCoffee, Gh0st, WilDelk, KorPlug, HomeFry, RedMage, FieldGoal, Eviltech, and Js Spy. The group also uses legitimate software present in the victim environment (RDP, SSH), publicly available tools (MurkyShell, MurkyTop), an array of native Windows capabilities, and custom scripts to accomplish internal reconnaissance. For lateral movement, the group uses native Windows utilities such as net.exe (a network resource management tool) and at.exe (a task scheduler). For an initial foothold, the group also uses first-stage backdoors such as AirBreak, FreshAir, Photo, BadFlick, China Chopper, and Beacon, and targets VPN and remote desktop credentials. At later stages, for privilege escalation and password hash dumping, the group uses custom and publicly available credential harvesting tools such as HomeFry, Windows Credential Editor (WCE), and Windows Sysinternals ProcDump.
Malicious programs used by APT40
- BlackCoffee - A backdoor that targets Windows-based systems.
- Gh0st - A Trojan horse developed to target Windows-based systems.
- Orz - A Trojan that comes hidden in malicious programs.
- NanHaiShu - A remote access tool and JScript backdoor used by APT40.
- China Chopper - A 4KB Web-shell used by Chinese and other malicious threat actors.
- KorPlug - A Trojan horse that opens a back door and may steal details from the compromised computer.
- HomeFry - A 64-bit Windows password dumper/cracker that has previously been used in conjunction with AirBreak and BadFlick backdoors.
- FreshAir - A malicious program used by APT40 for an initial foothold in the targeted organization.
- RedMage, FieldGoal, and Grillmark - Backdoors used by APT40 for an initial foothold in a targeted organization.
- BadFlick - A backdoor that can modify the file system, generate a reverse shell, and modify its own command and control (C2) configuration.
- LunchMoney - An uploader that can exfiltrate files to Dropbox.
- Murkyshell - A custom malware, known to be used by APT40.
Known Commercial/Open Source Tools used by APT40
- Beacon - A backdoor that is commercially available as part of the Cobalt Strike software platform.
- Murkytop - A command-line reconnaissance tool to execute files as a different user.
- WindTone and WilDelk - Command-line reconnaissance tools known to be used by APT40.
Custom tools used by APT40
- PaperRush - It is used to improve the efficiency of data theft and targeting activities.
- Photo - A DLL backdoor, also known publicly as Derusbi.
Known zero-day vulnerabilities exploited by APT40
- MSCOMCTL.OCX RCE Vulnerability (CVE-2012-0158) - A remote code-execution vulnerability in Microsoft Office.
- WordPad Remote Code Execution Vulnerability (CVE-2017-0199) - A remote code-execution vulnerability in Microsoft Office/Wordpad.
- .NET Framework Remote Code Execution Vulnerability (CVE-2017-8759) - A remote code-execution vulnerability that allows an attacker to execute code remotely via a malicious document/application.
- Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882) - A memory-corruption vulnerability in Microsoft Office.
The group's targeted victims are aligned with Chinese state interests, and various technical artifacts support the assessment that this actor is based in China. The operational times of the group's activity also indicate that it is probably centered on China Standard Time (UTC+8). Many command and control (C2) domains linked to this group were initially registered by China-based domain resellers and had Whois records with Chinese location information, implying a China-based infrastructure procurement process. The group also used several Internet Protocol (IP) addresses located in China to manage its operations. In one case, a log file recovered from an open indexed server exposed an IP address (112.66.188[.]28) located in Hainan, China. It was used to control the command and control node that was interacting with malware on victim machines. All of the logins to this C2 node were configured with Chinese language settings.
APT40 uses custom tools and sophisticated malware, and traditional anti-malware solutions may not be sufficient to prevent such advanced threats. It is recommended to implement a defense-in-depth security model that provides URL filtering, behavior-based detection methods, and sandboxing. Smart monitoring tools that leverage orchestration technology can detect unusual behavior, block it, and contain it before it impacts an organization's critical systems. Sharing strategic and tactical threat intelligence with trusted partners, ISACs, and regulatory bodies can also help organizations develop and practice shared strategies for combating such threats. To detect and prevent the sophisticated tactics of lateral movement, an enterprise-level security solution that monitors both endpoint behavior and network traffic is a must. It should be able to detect any signs of lateral movement inside the network and flag them for review by a security analyst.
Since the main focus of APT40 is to steal intellectual property, deploying data loss prevention (DLP) systems to monitor data at rest, data in motion, and data at endpoints can help. The implementation of advanced detection techniques to find malware, e.g., sandbox execution for analyzing malware, can also help prevent attacks from such threats. APT40 is also known to use spear phishing, which can be countered by building situational awareness among all employees through phishing simulations, strict policies, and periodic refreshers that discourage unsafe behaviors. Given that many attacks by APT40 exploit known vulnerabilities, rigorous patch management and vulnerability assessment practices are a must.
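To make the lateral-movement and data-theft detection recommended above concrete, here is an added example (not part of the original profile, and not any vendor's product logic): a small Python scanner over constructed Sysmon-style process-creation lines that flags the behaviours this profile attributes to APT40, namely an Office process spawning a shell, net.exe or at.exe aimed at a remote host, ProcDump run against LSASS, and rar.exe creating a password-protected archive, and then reports hosts where more than one stage appears. The log layout, host names and command lines are all constructed for the demo.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry); layout:
# "<utc time> host=<h> user=<u> parent=<parent image> image=<image> cmd=<command line>"
SAMPLE_EVENTS = [
    r"2019-03-04T02:12:40Z host=WS01 user=jdoe parent=winword.exe image=cmd.exe cmd=cmd.exe /c whoami",
    r"2019-03-04T02:15:03Z host=WS01 user=jdoe parent=cmd.exe image=net.exe cmd=net use \\FS01\c$ /user:corp\svc Passw0rd",
    r"2019-03-04T02:16:22Z host=WS01 user=jdoe parent=cmd.exe image=at.exe cmd=at \\FS01 03:00 cmd /c C:\Windows\Temp\s.bat",
    r"2019-03-04T02:30:45Z host=FS01 user=svc parent=cmd.exe image=procdump.exe cmd=procdump.exe -ma lsass.exe lsass.dmp",
    r"2019-03-04T02:41:09Z host=FS01 user=svc parent=cmd.exe image=rar.exe cmd=rar.exe a -hp S3cret -r C:\Windows\Temp\a.rar D:\Projects\UUV",
    r"2019-03-04T09:00:00Z host=WS02 user=admin parent=explorer.exe image=net.exe cmd=net view",
]

EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) parent=(\S+) image=(\S+) cmd=(.*)$")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "wordpad.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}

def parse_event(line):
    """Return the fields as a dict, or None when the line does not match the layout."""
    m = EVENT_RE.match(line.strip())
    return dict(zip(("time", "host", "user", "parent", "image", "cmd"), m.groups())) if m else None

def classify(ev):
    """Map one event to a stage of the playbook described in the profile, or None if benign-looking."""
    parent, image, cmd = ev["parent"].lower(), ev["image"].lower(), ev["cmd"].lower()
    if parent in OFFICE_PARENTS and image in SHELLS:
        return "office_spawned_shell"          # malicious document leading to a shell
    if image in ("net.exe", "at.exe") and "\\\\" in cmd:
        return "remote_admin_tool"             # net/at aimed at a UNC path: lateral movement
    if image == "procdump.exe" and "lsass" in cmd:
        return "lsass_dump"                    # credential dumping via Sysinternals ProcDump
    if image == "rar.exe" and re.search(r"\s-hp", cmd):
        return "encrypted_archive_staging"     # password-protected RAR staged before exfiltration
    return None

def scan(lines):
    """Return one finding per event that matches a stage."""
    findings = []
    for ev in filter(None, map(parse_event, lines)):
        stage = classify(ev)
        if stage:
            findings.append({"host": ev["host"], "time": ev["time"], "stage": stage, "cmd": ev["cmd"]})
    return findings

def hosts_with_chain(findings, min_stages=2):
    """Hosts showing at least min_stages distinct stages; a single stage is often routine admin work."""
    stages = {}
    for f in findings:
        stages.setdefault(f["host"], set()).add(f["stage"])
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}
```

Running `hosts_with_chain(scan(SAMPLE_EVENTS))` on the constructed data flags WS01 (document-spawned shell plus remote net/at usage) and FS01 (LSASS dump plus encrypted staging archive), while the lone `net view` on WS02 is left alone.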
Indicators of Compromise
cdf6e2e928a89cbb857e688055a25e37a8d8b8b90530bd52c8548fb544f66f1f
c7fa6f27ec4f4142ae591f2dd7c63d046431945f03c87dbed88d79f55180a46d
39c952c7e14b6be5a9cb1be3f05eafa22e1115806e927f4e2dc85d609bc0eb36