Introduction
APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [6]
Activities and Tactics
Targeted Sectors: Aerospace, Defense, Health, High tech, Telecoms, Government, Private sector, Civil society
Country of Origin: 🇨🇳 China
Risk Level: High
First Seen: 2016
Last Activity: 2016
Incident Type: Espionage
Suspected Victims: United States
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1078 Valid Accounts
- T1027.013 Encrypted/Encoded File
- T1133 External Remote Services
- T1070.004 File Deletion
- T1053.002 At
- T1105 Ingress Tool Transfer
- T1071.004 DNS
- T1082 System Information Discovery
- T1071.001 Web Protocols
- T1083 File and Directory Discovery
- T1059.003 Windows Command Shell
- T1547.001 Registry Run Keys / Startup Folder
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes 1 public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- SPACESHIP
- Hacking Team UEFI Rootkit
- FLASHFLOOD
- Xploit
MITRE ATT&CK Software
- hcdLoader (S0071) — malware
- gh0st RAT (S0032) — malware
- cmd (S0106) — tool
- Pisloader (S0124) — malware
- HTTPBrowser (S0070) — malware
Attribution and Evidence
Country of Origin: China
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK (mitre-attack).
[6] Dell Lateral Movement: Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
[7] Anomali Evasive Maneuvers July 2015: Shelmire, A. (2015, July 6). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
[8] ThreatStream Evasion Analysis: Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.