Introduction
APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspect that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 use a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups.
Activities and Tactics
Targeted Sectors: Pharmaceuticals, Healthcare, Construction, Aerospace, Defense industrial base
Country of Origin: 🇨🇳 China
Suspected Victims: United States
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- RemoteCMD
- CyberGate
- Cyber Eye RAT
- Remote Utilities
- RemotePC
- Trochilus RAT:
- PlugX:
- EvilGrab:
- 3102 variant of 9002 RAT:
- Poison Ivy:
- BIGJOLT:
- FUNRUN:
- GH0ST:
- HOMEUNIX:
- JIM A:
- PHOTO:
- SKINNYGENE:
- SOGU:
- VICEROY:
- VIPSH ELL:
- WETHEAD:
- XDOOR:
- ZXSHELL:
Attribution and Evidence
Country of Origin: China Additional attribution information pending cataloguing.
References
References pending cataloguing.