##  


# Demonstrating Hustle, Chinese APT Groups Quickly Use Zero‐Day Vulnerability (CVE‐2015‐5119) Following Hacking Team Leak

[July 13, 2015 | By FireEye Threat Intelligence | Threat Intelligence, Threat Research](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-authors/cap-fireEye-threat-intelligence)

...

The FireEye as a Service team detected independent phishing campaigns conducted by two Chinese
advanced persistent threat (APT) groups that we track, APT3 and APT18. Each threat group quickly
took advantage of a zero­day vulnerability (CVE­2015­5119), which was leaked in the disclosure of
[Hacking Team’s internal data. Adobe released a patch for the vulnerability on July 8, 2015. Before](https://helpx.adobe.com/security/products/flash-player/apsb15-16.html)
that patch was released, the groups launched phishing campaigns against multiple companies in the
aerospace and defense, construction and engineering, education, energy, health and biotechnology,
high tech, non­profit, telecommunications, and transportation industries.


-----

information security community.

# APT3’s Campaign

**APT3 actors targeted at least 10 organizations in the following industries:**

Aerospace and Defense
Construction and Engineering
Energy
High Tech
Non­Profit
Telecommunications
Transportation

An example of an APT3 phishing email is below in Figure 1:

**FROM: "<first.last>" <first.last>@perrydale.com**

**SUBJECT: <Target> Analysis report­ 2015**

**URLs:**

hxxp://report.perrydale[.]com/ema/RR201507[.]pdf

hxxp://vic.perrydale[.]com/logo2.jpg

hxxp://rpt.perrydale[.]com/en/rep201507101[.]pdf

_Figure 1: An example of APT3 phishing email using CVE­2015­5119_

As of July 8, all three domains observed in the URLs resolved to 194.44.130.179. Similar to APT3’s
[activity in Operation Clandestine Wolf, the URLs redirect to JavaScript profilers and a malicious Adobe](https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html)
Flash file. The Flash file downloads an obfuscated GIF, which contains a SHOTPUT payload compiled
the day APT3 sent the phishing emails. SHOTPUT is a DLL backdoor that that communicates over HTTP
and may be capable of uploading or downloading files, managing processes, executing system
commands, and collecting system information. SHOTPUT may also be detected as
Backdoor.APT.CookieCutter. The SHOTPUT backdoor communicates to the following command and
control (CnC) addresses, which are hardcoded into the malware:

psa.perrydale[.]com
link.angellroofing[.]com
107.20.255.57
23.99.20.198

This is the third time since mid­2014 that we have observed APT3 using a zero­day, which attests to its
ability to capitalize on new exploits.

# APT18’s Campaign

**APT18 actors targeted at least 13 organizations in the following industries:**

Aerospace and Defense
Construction and Engineering
Education


-----

Telecommunications
Transportation

An example of an APT18 phishing email is shown in Figure 2:

**FROM: <various> @duwrt.com**

**SUBJECT: Important:Flash Update**

**Body:**

Dear,

If you already have Flash installed on your computer, you'll be asked to download and install
update. Once the new update is installed, Flash should function normally. Update Outlook Many
Flash problems can be solved by updating your client software to the latest version. Please verify
that you have all the latest updates available for your version of Adobe flash software. Here's how:

1.Download update hxxp://get[.]adobe[.]com/ (masked URL: hxxp://137.175.4[.]132/index.htm)

2.Click Check for Updates.

3.Restart your computer after you have verified that all updates are installed. You must have
administrative privileges on your computer to install any Flash. Please contact your desktop
support staff if you need assistance.

_Figure 2: An example of APT18 phishing email using CVE­2015­5119_

Once the victim clicks the URL, the system downloads a malicious Adobe Flash (.swf) file with the
properties shown in Figure 3.

Filename: movie.swf

MD5: 079a440bee0f86d8a59ebc5c4b523a07

Filesize: 214976

_Figure 3: APT18 Malicious SWF Properties_

Upon exploitation, a GH0ST RAT variant is delivered to the victims’ system, which calls out to a
previously known APT18 CnC address 223.25.233.248. GH0ST RAT is a backdoor derived from public
source code. It may also be detected as Backdoor.APT.Gh0stRat. The compiled source code provides
attackers with many ways to control a victim’s system, including the ability to create, manipulate, delete,
launch, or transfer files; perform screen or audio capture; enable a webcam; list or kill processes; open a
command shell; and wipe event logs. However, since the source code is public, threat groups may tailor
the code by removing or adding functionality.

# Comparing the Campaigns

APT3 and APT18 took a slightly different approach in employing the exploit, which demonstrates they
likely work independently. As usual, APT3 used compromised infrastructure, while APT18 relied on
procured infrastructure. APT3 used customized phishing emails that sometimes contained the names of
the targeted organizations, whereas APT18’s emails were nonspecific and likely crafted to be used on
multiple targets.


-----

# Opportunism

The groups demonstrated their adaptability and skill by quickly employing Hacking Team’s leaked zero­
day before the vulnerability was patched. Both groups likely monitor information from security research to
learn what exploits are available and how network defenders are reacting to them. We have previously
observed APT3 monitoring and quickly changing tactics based on public research. After we exposed
details about Operation Clandestine Wolf, APT3 changed its phishing emails, modified filenames, and
updated its backdoor.

In the past, APT3 and APT18 have frequently developed or adapted zero­day exploits for operations,
which were likely planned in advance. Using data from the Hacking Team leak demonstrates how they
can shift resources—selecting targets, preparing infrastructure, crafting messages, and updating tools—
to take advantage of unexpected opportunities like newly exposed exploits.

# Recommendations

FireEye maintains endpoint and network detection for CVE­2015­5119, the backdoors used in these
campaigns, and other tools used by these groups. Additionally, we highly recommend:

[Applying Adobe’s patch for Flash immediately,](https://helpx.adobe.com/security/products/flash-player/apsb15-16.html)
Querying for additional activity by source addresses or email indicators,
Blocking CnC addresses via outbound communications, and
Scope the environment to prepare for incident response.

[Note: IOCs for this campaign can be found here.](https://github.com/fireeye/iocs)

[This entry was posted on Mon Jul 13 09:31:00 EDT 2015 and filed under Advanced Persistent Threat,](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/advanced-persistent-threat)
[Advanced Persistent Threat Detection, Advanced Persistent Threats, Blog, FireEye Threat Intelligence,](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/advanced-persistent-threat-detection)
[Latest Blog Posts, Threat Intelligence and Threat Research.](https://www.fireeye.com/blog/threat-research.html/category/etc/tags/fireeye-blog-tags/latest)


-----

[Cyber Security Fundamentals](https://www.fireeye.com/current-threats/cyber-security-fundamentals.html)

[Careers](https://www.fireeye.com/company/jobs.html)

[Events](https://www.fireeye.com/company/events.html)

[Webinars](https://www.fireeye.com/company/webinars.html)

[Support](https://www.fireeye.com/support.html)

[Partners](https://www.fireeye.com/partners.html)

[Newsroom](https://www.fireeye.com/company/newsroom.html)

[Blog](https://www.fireeye.com/blog.html)

[Investor Relations](http://investors.fireeye.com/)


-----

[Contact Us](https://www.fireeye.com/company/contact-us.html)

[Communication Preferences](https://www2.fireeye.com/manage-your-preferences.html)

[Report Security Issue](https://www.fireeye.com/company/security.html)

[Supplier Documents](https://www.fireeye.com/company/supplier.html)

### Connect


##      


[Facebook](https://www.facebook.com/FireEye)

[LinkedIn](https://www.linkedin.com/company/fireeye)

[Twitter](https://twitter.com/fireeye)

[Google+](https://plus.google.com/+Fireeye/videos)

[YouTube](https://www.youtube.com/user/FireEyeInc)

[Glassdoor](http://www.glassdoor.com/Overview/Working-at-FireEye-EI_IE235161.11,18.htm)


Copyright © 2015 FireEye, Inc. All rights reserved.

[Privacy & Cookies Policy | Safe Harbor](https://www.fireeye.com/company/privacy.html)


-----