{
	"id": "bb4bffd8-748b-4469-86d6-85d40e411d36",
	"created_at": "2026-04-06T00:18:56.44752Z",
	"updated_at": "2026-04-10T13:12:35.484063Z",
	"deleted_at": null,
	"sha1_hash": "938a0ac8cbd4415ece8db4acf6fcba6217b1cfce",
	"title": "APT cases exploiting vulnerabilities in region‑specific software",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3761608,
	"plain_text": "APT cases exploiting vulnerabilities in region‑specific software\r\nArchived: 2026-04-05 20:48:02 UTC\r\nShusei Tomonaga, Tomoaki Tani, Hiroshi Soeda \u0026 Wataru Takahashi\r\nJPCERT/CC, Japan\r\nTable of contents\r\nAbstract\r\nAPT attacks often leverage software vulnerabilities to infect victims with malware. Commonly targeted software\r\nincludes Microsoft Office, IE and Adobe Flash Player, all of which are in widespread use all over the world. On\r\nthe other hand, some APT attacks are carried out by exploiting vulnerabilities in region-specific software.\r\nGovernment agencies frequently use such localized software, and this tends to be the target of attackers. Such\r\nattacks are rarely discussed at international conferences as, by their nature, they relate exclusively to a particular\r\ncountry. In Japan, there have been many cases where attacks have been carried out by exploiting vulnerabilities in\r\nsoftware that is only used in Japan, using malware that is unique to Japan. In this paper, we will describe the TTPs\r\nof attack groups in recent years. We will also describe the APT groups exploiting vulnerabilities in local software.\r\nThis paper will provide insights into intelligence analysis and APT handling by looking at the attack\r\ncharacteristics (shellcode, malware, etc.) of different campaigns.\r\n1. Introduction\r\nVarious tactics, techniques and procedures (TTPs) are used by different attackers in order to trick victims into\r\nbecoming infected with malware. Particularly in APT attacks, highly sophisticated methods such as supply chain\r\nattacks, zero-day attacks, etc. are observed. Software that is in widespread use (e.g. Microsoft Office, IE, Adobe\r\nFlash Player) is often targeted in zero-day attacks. These types of software are installed on many hosts, making\r\nthem ideal entry points for malware.\r\nOn the other hand, there are other types of software that are only used in specific countries. 
Hangul Word\r\nProcessor (HWP) in South Korea and Ichitaro in Japan are examples. Such software is often targeted and\r\nleveraged in attacks against a specific country. There are reported cases in which HWP has been leveraged for\r\nAPT attacks [1]. It is important to understand such attack cases in order to determine appropriate countermeasures.\r\nThis research is intended to document and share examples of attacks in which region-specific software is\r\nleveraged.\r\nIn Japan, there are many cases where attacks have been carried out by exploiting vulnerabilities in software that is\r\nonly used within the country. JPCERT/CC has been involved in the incident handling and investigation of many of\r\nthe cases. In this paper, we will describe the details of these attacks by APT groups in recent years. In particular,\r\nattacks involving three types of software will be discussed:\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 1 of 31\n\nSanshiro\r\nIchitaro\r\nSKYSEA Client View\r\nSanshiro is a spreadsheet program used in Japan, similar to Excel. Attackers leveraged a vulnerability in this\r\nprogram to attach a malicious file to an email, which infected the user with the PlugX malware. Ichitaro is a\r\nWord-like application used in Japan. APT groups leveraged a vulnerability in this program to attach a malicious\r\ndocument file to an email, which infected the user with PlugX. We have confirmed that this vulnerability was\r\nleveraged in multiple APT campaigns. This zero-day attack is a peculiar case in which two different APT groups\r\nconducted attacks at the same time. SKYSEA is a popular asset management (SAM) solution in Japan. An attack\r\ngroup known as ‘Tick’ infects clients with multi‑platform malware by leveraging a vulnerability in the software\r\nremotely. This attack has been observed as of 2019, and the attack pattern continues to change. 
We will also\r\nsummarize other TTPs deployed by these APT groups.\r\n2. Attack exploiting Sanshiro’s vulnerability\r\n2.1 Summary of the vulnerability\r\nSanshiro is a spreadsheet program which is widely distributed in Japan. The file extension of Sanshiro is ‘jsd’.\r\nThe latest major version of the program was released in 2010, and it ceased to be sold in 2014. It was mainly used\r\nin the Japanese government and education sector. The Sanshiro series contains a vulnerability that allows arbitrary\r\ncode execution (CVE-2014-0810 [2]), which was leveraged as a zero-day exploit [3] by APT actors against\r\nJapanese government agencies.\r\n2.2 Delivery of the zero-day exploit\r\nThe APT group delivered the zero-day exploit code via a spear-phishing email sent to Japanese government\r\nagencies (Figures 1 and 2). The email contained a new year greeting and a decoy document with the zero-day\r\nexploit attached.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 2 of 31\n\nFigure\r\n1: The spear-phishing email.\r\nFigure 2: The decoy image.\r\nDetail of CVE-2014-0810 (JVNDB-2014-000011)\r\nThe Sanshiro software contains a component file which has a copy processing error. The vulnerability originates\r\nin its lack of data size validation and allows overwriting of the return address of the stack frame. As a result,\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 3 of 31\n\narbitrary code can be executed on the stack frame. This vulnerability was leveraged to embed shellcode in the\r\nSanshiro document. 
In the case of the APT attack, the shellcode was then executed through the exploit.\r\nThe following software is affected by CVE-2014-0810:\r\nSanshiro 2007 before update 3\r\nSanshiro 2008 before update 5\r\nSanshiro 2009 before update 6\r\nSanshiro 2010 before update 6\r\nSanshiro Viewer before 2.0.2.0\r\nThe shellcode searches for the encrypted binary embedded in the Sanshiro document. It then decodes the binary\r\nwith a single-byte XOR routine, writes a PE binary to the file system, and executes it. The bundled PE file was\r\nPlugX [4].\r\nFigure 3:\r\nSingle-byte XOR decode routine.\r\n2.3 The bundled malware with the exploit\r\nIn actual attack cases, a malicious Sanshiro document which delivers PlugX was attached to a spear-phishing\r\nemail. PlugX is a remote access tool (RAT), and infected devices were communicating with a certain C\u0026C server.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 4 of 31\n\nFurther analysis revealed that PlugX had also been used in some past attacks in combination with other\r\nvulnerability exploits such as Adobe Flash, Microsoft Word and Ichitaro. As shown in Figure 4, each PlugX\r\nsample was communicating with a C\u0026C server with a different domain name. However, it turned out that the\r\ndomain names all resolved to the same IP address. From the characteristics, it seems as if the series of attacks\r\nusing PlugX had been conducted by the same actor.\r\nFigure 4: PlugX samples connect to 103.246.112.123.\r\n2.4 Attack timeline\r\nThe actor had developed the Sanshiro exploit and used it before the vulnerability was disclosed in January 2014.\r\nJPCERT/CC has observed several spear-phishing emails from the same actor since at least 2013. They used\r\nvarious exploits such as Adobe Flash (CVE-2011-2462 [5]), Microsoft Office Word (CVE-2012-0158 [6]) and\r\nIchitaro (CVE-2013-5990 [7]). 
In the case of Ichitaro, the actor leveraged the vulnerability as a zero-day exploit.\r\nIn January 2014, the developer of Sanshiro released a patch [8] and disclosed the vulnerability. Considering these facts, the actor is believed to be highly skilled in developing exploits and researching vulnerabilities in local Japanese software such as Sanshiro and Ichitaro.\r\nDate | Note\r\nApril 2013 | Spear-phishing mail with MS Office exploit (CVE-2012-0158)\r\nMay 2013 | Spear-phishing mail with Adobe PDF exploit (CVE-2011-2462)\r\nSeptember 2013 | Spear-phishing mail with Ichitaro zero-day exploit (CVE-2013-5990)\r\nNovember 2013 | CVE-2013-5990 disclosed and update patches released for the Ichitaro series\r\nNovember 2013 | Spear-phishing mail with Ichitaro exploit (CVE-2013-5990)\r\nDecember 2013 | Spear-phishing mail with Sanshiro zero-day exploit (CVE-2014-0810)\r\nJanuary 2014 | CVE-2014-0810 disclosed and update patches released for the Sanshiro series\r\nTable 1: Exploits used by the actor.\r\n3. Attack exploiting Ichitaro’s vulnerability\r\n3.1 Summary of Ichitaro\r\nIchitaro is a popular Japanese word-processing program, first released in 1983. It has been widely used in government agencies as well as by the general consumer market. In spite of its popularity, however, a number of vulnerabilities have been found in this product, some of which have been leveraged in targeted attacks. Table 2 shows the vulnerabilities that have been leveraged in targeted attacks. 
The next section will describe CVE-2014-7247, which has been exploited in many attack cases.\r\nPublished | CVE | Overview | CVSSv2\r\n2014/11/13 | CVE-2014-7247 | Arbitrary Code Execution (ACE) | 9.3\r\n2013/11/12 | CVE-2013-5990 | Arbitrary Code Execution (ACE) | 9.3\r\n2013/06/18 | CVE-2013-3644 | Arbitrary Code Execution (ACE) | 9.3\r\n2013/02/26 | CVE-2013-0707 | Arbitrary Code Execution (ACE) | 6.8\r\n2011/06/16 | CVE-2011-1331 | Arbitrary Code Execution (ACE) | 9.3\r\n2010/11/04 | CVE-2010-3916 | Arbitrary Code Execution (ACE) | 9.3\r\n2010/11/04 | CVE-2010-3915 | Arbitrary Code Execution (ACE) | 9.3\r\n2010/06/01 | CVE-2010-2152 | Arbitrary Code Execution (ACE) | 9.3\r\n2010/04/12 | CVE-2010-1424 | Arbitrary Code Execution (ACE) | 9.3\r\nTable 2: Ichitaro vulnerabilities used in targeted attacks.\r\n3.2 CVE-2014-7247\r\nCVE-2014-7247 was exploited as a zero-day vulnerability. The attack was carried out through targeted emails which were distributed to government agencies and enterprises in Japan. The emails were crafted to convince recipients to open the attachment, which contained an Ichitaro document leveraging the CVE-2014-7247 vulnerability. Figures 5 and 6 show the email contents and the decoy document.\r\nFigure 5: The spear-phishing email.\r\nFigure 6: Decoy document to be displayed.\r\nSummary of the vulnerability\r\nCVE-2014-7247 is a stack buffer overflow caused by faulty copy processing called from JCXCALC.DLL, one of the component files in Ichitaro, which allows an excessive amount of data to be written into a local static array. As a result, the return address on the stack can be altered to an arbitrary value. 
By leveraging this\r\nvulnerability, attackers can execute shellcode on the stack.\r\nDetail of the shellcode\r\nThe shellcode consists of two sets of code. The first set of code searches for the second set embedded in the\r\nIchitaro file loaded in the memory. The second code decodes the shellcode with XOR (Figure 7). The decoded\r\nshellcode extracts and executes the malicious program embedded in the Ichitaro file (PE image). The following\r\ntypes of malware are executed, as confirmed by JPCERT/CC.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 8 of 31\n\nEmdivi\r\nPlugX\r\nAgtid\r\nFigure 7: XOR decode processing.\r\nDetails of the malware\r\nEmdivi\r\nEmdivi is a bot that communicates via HTTP protocol. The malware versions are managed systematically by the\r\ndeveloper, and there are occasional functional updates. Among these, versions t17, t19 and t20 have outstanding\r\ncharacteristics. These versions seem to be used in different phases of the attack: t17 for initial intrusion, and t19\r\nand t20 during the incubation period. t17 contains about 10 commands, which perform file download/upload and\r\nevent log deletion. t20 is a more advanced HTTP bot and contains up to 40 commands. It has self-camouflage\r\nfunctions such as hard-coding IP addresses of victims’ proxy servers and running on certain devices only [9].\r\nAgtid\r\nAgtid is a bot that communicates via HTTP protocol. It performs basic functions such as file operations and\r\ndownloading/executing files. One of its features is that its communication contains the string ‘Agtid’ in the HTTP\r\nrequest header. 
It also contains the string ‘DGGYDSYRL’, as described by FireEye [10].\r\nThe following is an example of the communication that Agtid performs:\r\nPOST /info.asp HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nAgtid: [16 bytes of hex]08x\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\nHost: 180.150.228.102:443\r\nContent-Length: [data size]\r\nCache-Control: no-cache\r\n[16 bytes of hex]08x\u0026[Encrypted string]\r\n3.3 Threat actor\r\nIn this section we will examine the actors who conducted attacks leveraging CVE-2014-7247, based on the malware compile times and file property information. The compile times of the malware used by the attackers are shown in Figure 8. It shows that PlugX was created between 2014/11/3 and 2014/11/6. Emdivi was also created between the same dates, so it is clear that the two types of malware were created during the same time period. For Agtid, the compile time was set to 1970/1/1 (Unix time 0), and the attack using the malware was observed on 2014/11/7. 
Two weeks after the attack was confirmed, the vendor released a patch for Ichitaro.\r\nFigure 8: Timeline.\r\nIchitaro document filename | Ichitaro document author | Windows binary filename | Malware family | Compile time\r\n概要と評価.jtd | gfz-l | windump.exe | Emdivi | 2014/11/03 2:32\r\n日米外安全保障政策20141106(未定稿).jtd | Windows ユーザー | windump.exe | PlugX | 2014/11/03 3:01\r\n沖縄振興特別措置法のあらまし.jtd | gfz-l | windump.exe | PlugX | 2014/11/04 9:19\r\n石油技術開発 調査事業成果報告書.jtd | gfz-l | windump.exe | PlugX | 2014/11/04 10:15\r\n★合体版.jtd | gfz-l | windump.exe | Emdivi | 2014/11/05 12:15\r\n悪質な資格講座の電話勧誘に御注意！！.jtd | gfz-l | windump.exe | Emdivi | 2014/11/06 4:20\r\n健康保険のお知らせ.jtd | gfz-l | windump.exe | Emdivi | 2014/11/06 4:55\r\n有識者懇談会報告書.jtd | gfz-l | windump.exe | PlugX | 2014/11/06 11:20\r\nTable 3: Detailed timeline.\r\nThe file properties of the malware are listed in Table 3. We can see similarities in the file properties. One is that the author of the Ichitaro document file (Figure 9) is the same. Also, the file name of the malware itself is identical. Based on the similarity between the files and the timeline of the zero-day exploit, it is assumed that the attackers who used Emdivi and PlugX are the same. They are referred to as ‘Blue Termite’ by Kaspersky [11] and others. In addition, attack activities using Agtid (referred to as ‘APT17’ by FireEye [12] and others) were observed soon after the Blue Termite campaign. In this way, it is suggested that CVE-2014-7247 had been leveraged as a zero-day by these two actors.\r\nFigure 9: Ichitaro document - author.\r\nC\u0026C server\r\nA backdoor was installed in the C\u0026C servers used in Blue Termite. 
It was created based on ASP and PHP. The\r\nfollowing backdoor has been confirmed:\r\nDST Asp站長檢測Tools (Figure 10)\r\nAnti-shell (Figure 11)\r\nSpider PHP shell\r\nX14ob-Sh3ll\r\nThe backdoor’s functions include file upload, download and execution.\r\n Figure\r\n10:DST Asp站長檢測Tools (ASP).\r\n \r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 12 of 31\n\nFigure 11: Anti-shell (PHP).\r\n4. Attack exploiting SKYSEA Client View’s vulnerability\r\n4.1 Summary of the vulnerability\r\nSKYSEA Client View is a popular piece of asset management (SAM) software in Japan. The software had a\r\nvulnerability (CVE-2016-7836 [13]) that allowed remote code execution due to a flaw in processing\r\nauthentication on the TCP connection with the management console program. This vulnerability was zero-day-exploited by the APT group BRONZE BUTLER [14] (also known as ‘Tick’).\r\nThis software is only used in networks that are protected by a firewall and is not subject to remote exploit attacks.\r\nHowever, if it is installed on a laptop PC, it may run on a global IP address via a mobile hotspot. In such cases, it\r\nwill be exposed to the risks of remote exploit attack.\r\nWhen the remote exploit attack is successful, the following file is created and executed on the PC:\r\nC:\\Program Files\\Sky Product\\SKYSEA Client View\\tmp\\00000001.BIN\r\nThe attacker can infiltrate the network through the infected PC and spread the infection to other hosts on the\r\nnetwork.\r\n4.2 Attack timeline\r\nBRONZE BUTLER used watering hole attacks (e.g. Adobe Flash Player zero-day exploit) as its main attack\r\nmethod until 2016, however, since late 2016 it has shifted to attacks that leverage the above vulnerability. The\r\nattack started in June 2016 and continued until February 2019. 
Figure 12 shows the behaviour related to this attack\r\nactivity based on observations in the traffic monitoring system operated by JPCERT/CC.\r\nThe activity went quiet temporarily in October 2017, but resumed on 15 March 2018. The same vulnerability is\r\nbeing leveraged for the entire period. The scan activity is only observed on the sensors placed in Japan, indicating\r\nthat the attacker is targeting IP addresses allocated to Japan.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 13 of 31\n\nFigure 12: Scan count attempting to leverage a vulnerability in SKYSEA Client View (Observation using\r\nTSUBAME1).\r\n4.3 Malware infections exploiting this vulnerability\r\nThe following three types of malware are used in this attack:\r\nWali\r\nSmall downloader\r\nNodeRAT\r\nWali [15] was used from 2016 to May 2017, and another small downloader was used from around July 2017.\r\nBefore March 2018, the attackers used to leverage Wali and the small downloader in order to spread xxmm [16]\r\nand Datper [17], however, the distributed malware changed to another kind after that.\r\nWali\r\nWali is a downloader similar to xxmm. Like xxmm, this malware uses Reflective DLL Injection based on Stephen\r\nFewer’s GitHub code [18]. The pattern of configuration data is also the same (see Figure 13). This malware also\r\nhas the ability to execute PowerShell commands. When a host is infected by Wali, the attacker sends an encoded\r\nPowerShell command to collect information about the host. Figure 14 is an example of a decoded PowerShell\r\ncommand. This command results in the host name, OS version, IP address, username etc. 
being sent to a C\u0026C\r\nserver.\r\nAfter executing the PowerShell commands, the attacker downloads xxmm, etc.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 14 of 31\n\nFigure 13: Wali (left) and xxmm (right) configuration data patterns.\r\nFigure 14: Received PowerShell commands.\r\nSmall downloader\r\nDue to the fact that Wali’s behaviour has been analysed and its details published in many reports by security\r\nvendors, BRONZE BUTLER stopped using it and changed to another downloader. This downloader only has the\r\nfunction to download and execute PE files. When the malware is executed, it downloads Base64-encoded xxmm.\r\nThis Base64-encoded data deletes the MZ signature, and six bytes of data, ‘TVqQAA’ (MZ signature in Base64),\r\nare added before decoding. Figure 15 shows the code used to decode the Base64 data.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 15 of 31\n\nFigure 15: Received Base64-encoded xxmm.\r\nNodeRAT\r\nNodeRAT is written in JavaScript and runs on Node.js. NodeRAT is a multi-platform malware which operates in\r\nany environment as long as Node.js is installed. This implies that the adversary targets macOS and others as well\r\nas Windows. Figure 16 is an example of source code that changes the command to execute depending on the\r\nenvironment. This malware operates according to the JSON configuration information as shown in Figure 17.\r\nTable 4 is the list of files that are created when a victim is infected with the malware. 
If a remote exploit attack succeeds, node.exe is also installed, because Node.js is not present on Windows by default.\r\nFigure 16: app.js source code.\r\nFigure 17: NodeRAT configuration file.\r\nFile/folder name | Description\r\napp.js | Malware itself\r\nnode.exe | Node.js\r\nflash.vbs | Script to execute app.js\r\nconfig.regeditKey.rc | Registry entry information\r\nconfig\\auto.json | File to temporarily save configuration\r\nconfig\\app.json | Communication destination\r\ntools\\getProxy.exe | Tool to obtain proxy information\r\ntools\\uninstaller.exe | Tool to uninstall malware\r\nTable 4: Files created when infected2.\r\n4.4 Attack infrastructure\r\nThe remote attacks had several attributes tied to the attacker’s infrastructure, which are described below.\r\nAttacking IP address\r\nAlthough the remote exploit attack lasted a long time, only the three IP addresses listed below were used. In particular, 180.150.227.72 was used in many cases:\r\n107.189.139.237\r\n180.150.227.72\r\n27.255.84.171\r\nC\u0026C server\r\nCompromised websites were used as C\u0026C servers in this attack, with ChinaChopper [19] installed as a backdoor. This C\u0026C panel, to which the malware connects, is written in PHP. The data sent from the malware is stored on the server, but the C\u0026C panel does not decrypt the data because it holds no decryption key. The attackers also connect to the C\u0026C panel in order to download data. 
Figure 18 shows the source code for the xxmm and Datper\r\nPHP panels – there are similarities in the features. The victim IP addresses connected to the C\u0026C panel are from\r\nKorea, USA and Japan.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 19 of 31\n\nFigure 18: xxmm C\u0026C panel source code (left: xxmm, right: Datper).\r\nThe file ‘index_old.php’ was embedded by the attackers in many of the C\u0026C servers. This PHP file is loaded on\r\nan infected website (Figure 19) and records the IP address and User-Agent of the users accessing the site in\r\n‘htaccess.log’ (Figure 20). It is likely that BRONZE BUTLER selects an attack target based on these access logs.\r\nWe observed many cases in which ‘index_old.php’ was embedded on Japanese websites.\r\nFigure 19: Infected website loading index_old.php.\r\nFigure 20: Access log recorded in htaccess.log.\r\n5. Discussion of APT campaigns targeting Japan\r\nThe chart shown in Figure 21 describes the timeline of APT campaigns that targeted Japanese organizations.\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 20 of 31\n\nAs for the campaign conducted by APT10, spear-phishing emails were distributed to Japanese organizations in\r\nOctober 2016. The campaign is referred to as ‘Operation Cloud Hopper’ by PwC [20]. Different types of malware,\r\nsuch as ChChes [21] and RedLeaves [22], were used in the campaign. The spear-phishing emails impersonated a\r\nspecific individual and were sent with a malware-embedded decoy document regarding international politics.\r\nMost of the emails were sent from free webmail services.\r\nBlackTech is an APT group that is associated with malware such as TSCookie [23] (also referred to as ‘PLEAD’\r\nby Trend Micro [24]). 
As an example, emails that impersonated the Ministry of Education, Culture, Sports,\r\nScience and Technology of Japan and that led to TSCookie infection were distributed in January 2018.\r\nIn the Winnti group’s attack campaign, code-signing certificates were stolen, which were used illegitimately to\r\nauthenticate malware and attack tools. The Winnti malware [25] used in the campaign has three file components:\r\nan installer, a loader (to load the malware), and the malware itself. From 2015 to 2016, a particular sector was\r\ntargeted by this campaign, which resulted in code‑signing certificates being stolen and Winnti malware infection\r\nin victim organizations.\r\nThis section describes the attack campaigns observed in Japan, which were conducted by the following APT\r\ngroups by leveraging the vulnerabilities described in Chapters 2 to 4.\r\nAPT17\r\nCloudy Omega / Blue Termite\r\nBRONZE BUTLER\r\nFigure 21: APT campaign timelines.\r\n5.1 APT17\r\nAttack timeline\r\nFrom August to September 2013, watering hole attacks leveraging a zero-day vulnerability in Internet Explorer\r\nwere observed. The August campaign is referred to as ‘Operation DeputyDog’ [26] and the September campaign\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 21 of 31\n\nas ‘Operation Ephemeral Hydra’ [27] (both by FireEye), and the series of attacks are considered to be related.\r\nIn 2014 through to 2015, malware that had been used in Operation DeputyDog was distributed by compromising\r\nsoftware updating systems (a so-called ‘supply chain attack’). 
IP addresses that were used in the supply chain\r\nattack in 2015 were also referred to in the IoCs associated with APT17 in a FireEye report [28].\r\nInitial access\r\nAPT17 actors used watering hole attacks and supply chain attacks as a means to gain initial access to victim\r\nnetworks.\r\nWatering hole attack\r\nThe watering hole attacks observed in August 2013 leveraged a zero-day vulnerability in Internet Explorer (CVE-2013-3893) [29] and eventually infected victims with Agtid (see section 3). The attacks observed in September\r\n2013 leveraged another zero-day vulnerability in Internet Explorer (CVE-2013-3918) [30]. In these cases, the\r\nPlugX malware, a plug-in-based bot known as McRAT and a tunnelling tool, Htran [31], were later found in the\r\nvictim’s environment.\r\nIn the watering hole attack observed in 2014, the domain registration information of a legitimate website had been\r\naltered so that the name resolution was performed on a DNS server that the attacker had configured. The server\r\nprocessed DNS queries only for certain subdomains according to the iptable’s rules, and other DNS queries were\r\ntransferred to a legitimate DNS server (Figure 22).\r\n Figure\r\n22: Domain name hijacking.\r\nSupply chain attack\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 22 of 31\n\nIn the supply chain attack, altered files on legitimate update servers or DNAT configuration changes in iptables\r\nresulted in software update requests being redirected to an illegitimate server (Figure 23). If the software update\r\ndownloaded from the malicious server was executed, the device was then infected with a downloader, and a bot\r\nprogram was installed. 
Analysis of an affected device revealed that it was also infected with several types of\r\nmalware such as Agtid, Derusbi [32] and BLACKCOFFEE [33].\r\nThe compromised update server was found embedded with the backdoor program ‘mod_rootme’ [34], which\r\noperates as an apache module. Mod_rootme can send HTTP requests with specific strings included so that the\r\nremote attacker can access the backdoor with root privileges. In addition, the ‘pam_unix.so’ module on the server\r\nwas also compromised, allowing any user to log in with a specific password and harvest credentials of legitimate\r\nusers who had logged into the service. .htaccess and iptables in the server used as an infrastructure were\r\nconfigured to accept access from the IP address range that belongs to the target organizations.\r\n Figure\r\n23: Update hijacking.\r\nLateral movement\r\nDevices that were infected with the bot program in the initial access phase were then remotely controlled by the\r\nattacker via commands provided from a C\u0026C server, and reconnaissance activities were conducted. In addition to\r\nthe standard Windows commands and Active Directory tools (e.g. dsget [35] and dsquery [36]) used to steal\r\nnetwork and Active Directory information, other tools for network scans, SQL server investigation and password\r\nhash dumps were also used. 
After harvesting the domain admin’s credentials, remote attackers gained access to the\r\ndomain controller using the pass-the-hash technique.\r\n5.2 Cloudy Omega / Blue Termite\r\nAttack timeline\r\nhttps://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/\r\nPage 23 of 31\n\nAccording to Symantec, the Emdivi malware, which is related to the APT campaigns referred to as ‘Cloudy\r\nOmega’ by Symantec and as ‘Blue Termite’ by Kaspersky, has been seen since 2011 [37].\r\nIn 2013, a compromised website was found embedded with a Java Applet which leverages a Java vulnerability\r\n(CVE-2011-3544) [38], resulting in Emdivi being downloaded to visitors’ devices (a drive-by download attack).\r\nFrom May 2014 to September 2015, spear-phishing emails leading to Emdivi infection were distributed to a\r\nnumber of organizations in Japan.\r\nInitial access\r\nSpear-phishing emails and a watering hole attack were the main attack vectors for initial access. In 2014 and 2015,\r\nnumerous spear-phishing emails impersonating a health insurance society were observed (Figure 24). Most of the\r\nemails had the Emdivi executable file attached, with a fake icon. Emails observed in November 2014 had a\r\ndocument attachment leveraging an Ichitaro vulnerability (CVE-2014-7247) (see section 3).\r\nIn July 2015, drive-by download attacks leading to Emdivi infection were confirmed. Attackers leveraged a zero-day vulnerability in Adobe Flash Player (which was disclosed by Hacking Team [39]) to spread malware.\r\n Figure 24: A\r\nspear-phishing email impersonating a health insurance society.\r\nLateral movement\r\nAfter successfully intruding into the target’s network through Emdivi-infected devices, attackers investigated the\r\nnetwork drive using standard Windows commands such as ‘net’ and ‘wmic’. 
When they found a file they wanted, they compressed it with WinRAR and sent it to a C\u0026C server using the Emdivi download command. The compressed file was then deleted so that no evidence would remain.\r\nIn addition, attackers used Active Directory tools such as csvde [40] and dsquery to dump or search for credentials. Vulnerabilities in the kernel-mode driver (CVE-2014-4113) [41] and Kerberos KDC (CVE-2014-6324) [42] were leveraged for privilege escalation, and tools such as Quarks PwDump [43], Mimikatz [44] and Windows Credential Editor [45] were used for credential harvesting.\r\nOnce the attackers had obtained domain admin credentials, they copied malware to other devices and registered a task to execute it, taking advantage of that privilege. Devices that were affected by the secondary infection had a downloader installed, which was configured to communicate only on certain days of the week. Even if the first affected device was repaired or replaced, attackers were still able to distribute Emdivi to other infected devices through the downloader and maintain a continuous presence on the victim’s network.\r\n5.3 BRONZE BUTLER / Tick\r\nAttack timeline\r\nSymantec reports that the attack campaign by BRONZE BUTLER (referred to as ‘Tick’ by Symantec) started around 2006 [46]. In 2015, watering hole attacks leveraging a zero-day vulnerability in Adobe Flash Player (disclosed by Hacking Team) were observed. Since 2016, scans targeting a vulnerability in asset management software have been observed, and these were still ongoing in 2018 (see section 4).\r\nInitial access\r\nWhile a watering hole attack was the major attack vector during 2014 and 2015, since 2016 the attack has begun with scans targeting a vulnerability in asset management software. 
According to some public reports, spear-phishing emails were also used prior to 2014. The attackers attempt to infect victims with a downloader, such as Wali, by leveraging a vulnerability, so that an HTTP bot is downloaded from a C\u0026C server to the victim’s environment. Until early 2016 the HTTP bot used in the attack was Daserf; from mid-2015 to mid-2016 the Delphi version of Daserf was used, and after that it shifted to xxmm and Datper.\r\nLateral movement\r\nOnce the attackers had entered a victim’s network through a bot-infected device, they created batch files to collect network environment information using standard Windows commands (e.g. dir, net, tasklist, ipconfig). Using the Domain Admin’s privilege, they executed the ‘net use’ command to connect to remote devices and sent files with the ‘copy’ and ‘move’ commands. Other commands used were ‘at’ and ‘schtasks’ to register tasks, and ‘PsExec’ from Windows Sysinternals [47] to execute files.\r\nCollected information was compressed to a certain size using WinRAR and divided into pieces. After having been sent to an external server, it was deleted. The compressed file, including the header, was encrypted by WinRAR, so even if the file is recovered, the compressed contents cannot be retrieved unless the password is available. In some cases, the attackers sent files to an external server using free file upload services.\r\nDuring the lateral movement phase, Mimikatz and Windows Credential Editor were used to harvest credentials and create golden/silver tickets. While the vulnerability in the SMBv1 protocol (MS17-010) [48] had been addressed by a patch released in March 2017, a tool which exploits this vulnerability, known as ‘DoublePulsar’, was used for lateral movement in April 2017.\r\nAttackers set up a VBScript-based downloader on a victim’s device to communicate with a C\u0026C server only once, upon the user’s login. 
This way, the attackers were able to maintain access to the network for a while.\r\nConclusion\r\nIn this paper, we described targeted attacks against Japanese organizations exploiting three different zero-day vulnerabilities. The software in these cases is used only in Japan and is not distributed outside the country. Nevertheless, the APT groups investigated these software vulnerabilities and leveraged them for attacks. Unlike more popular software, it is often the case that countermeasures against vulnerabilities in such region-specific software are not well prepared, and attackers understand and aim at such weak points. In preparation for future APT cases, security countermeasures for local software also need to be considered. As well as supply chain attacks, the targeting of local software vulnerabilities continues to be a problem. Details of attacks that target local software vulnerabilities are not usually available outside of the country in question, but ideally such information should also be published in the future. Such information will help analysts to better understand the threat landscape in different regions and could be useful in considering countermeasures against similar attacks in their own regions.\r\nReferences\r\n[1] Cha, M (J). VB2018 paper: Since the hacking of Sony Pictures. https://www.virusbulletin.com/virusbulletin/2018/11/vb2018-paper-hacking-sony-pictures/.\r\n[2] Japan Vulnerability Note: JVNDB-2014-000011 Sanshiro Series vulnerable to arbitrary code execution. https://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000011.html.\r\n[3] Trend Micro security blog: Confirmed zero-day attack leveraging Japanese spreadsheet software “Sanshiro” (Japanese). https://blog.trendmicro.co.jp/archives/8529.\r\n[4] Haruyama, T.; Suzuki, H. 
I Know You Want Me – Unplugging PlugX. Black Hat Asia 2014. https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf.\r\n[5] Microsoft Security Bulletin: MS12-027 – Critical. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-027.\r\n[6] Adobe Security Advisories: APSA11-04 – Security Advisory for Adobe Reader and Acrobat. https://www.adobe.com/support/security/advisories/apsa11-04.html.\r\n[7] Japan Vulnerability Note: JVNDB-2013-000103 Ichitaro series vulnerable to arbitrary code execution. https://jvndb.jvn.jp/en/contents/2013/JVNDB-2013-000103.html.\r\n[8] JustSystems Corporation: Possible execution of malicious program leveraging Sanshiro vulnerability (Japanese). https://www.justsystems.com/jp/info/js14001.html.\r\n[9] Attackers Target Organizations in Japan; Transform Local Sites into C\u0026C Servers for EMDIVI Backdoor. TrendLabs Security Intelligence Blog. https://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/.\r\n[10] Moran, N.; Villeneuve, N. Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets. FireEye. https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html.\r\n[11] Ishimaru, S. New activity of The Blue Termite APT. Securelist. https://securelist.com/new-activity-of-the-blue-termite-apt/71876/.\r\n[12] Hiding in Plain Sight: FireEye and Microsoft Expose Chinese APT Group’s Obfuscation Tactic. 
FireEye. https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html.\r\n[13] JVNDB-2016-000249: SKYSEA Client View vulnerable to arbitrary code execution. https://jvndb.jvn.jp/en/contents/2016/JVNDB-2016-000249.html.\r\n[14] Secureworks: BRONZE BUTLER Targets Japanese Enterprises. https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses.\r\n[15] Dahan, A. Cybereason: ShadowWali: New variant of the xxmm family of backdoors. https://www.cybereason.com/labs-blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors.\r\n[16] Ishimaru, S. Securelist: Old Malware Tricks To Bypass Detection in the Age of Big Data. https://securelist.com/blog/research/78010/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/.\r\n[17] Detecting Datper Malware from Proxy Logs. JPCERT/CC. https://blogs.jpcert.or.jp/en/2017/08/detecting-datper-malware-from-proxy-logs.html.\r\n[18] ReflectiveDLLInjection. GitHub. https://github.com/stephenfewer/ReflectiveDLLInjection.\r\n[19] China Chopper. MITRE ATT\u0026CK. https://attack.mitre.org/software/S0020/.\r\n[20] Operation Cloud Hopper. PwC UK. https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html.\r\n[21] ChChes – Malware that Communicates with C\u0026C Servers Using Cookie Headers. JPCERT/CC. https://blogs.jpcert.or.jp/en/2017/02/chches-malware--93d6.html.\r\n[22] RedLeaves – Malware Based on Open Source RAT. JPCERT/CC. https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html.\r\n[23] Malware “TSCookie”. JPCERT/CC. https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html.\r\n[24] Bermejo, L.; Huang, R.; Lei, CH. Following the Trail of BlackTech’s Cyber Espionage Campaigns. Trend Micro blog. https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/.\r\n[25] Winnti Analysis. Novetta. 
https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf.\r\n[26] Caselden, D.; Chen, X. Operation DeputyDog Part 2: Zero-Day Exploit Analysis (CVE-2013-3893). FireEye. https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-part-2-zero-day-exploit-analysis-cve-2013-3893.html.\r\n[27] Moran, N.; Omkar Vashisht, S.; Scott, M.; Haq, T. Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. FireEye. http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html.\r\n[28] fireeye/iocs/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc. GitHub. https://github.com/fireeye/iocs/blob/master/APT17/7b9e87c5-b619-4a13-b862-0145614d359a.ioc.\r\n[29] Microsoft Security Advisory 2887505. https://docs.microsoft.com/en-us/security-updates/securityadvisories/2013/2887505.\r\n[30] Microsoft Security Bulletin MS13-090 – Critical. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-090.\r\n[31] HTRAN. MITRE ATT\u0026CK. https://attack.mitre.org/software/S0040/.\r\n[32] Derusbi. Novetta. https://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf.\r\n[33] BLACKCOFFEE. MITRE ATT\u0026CK. https://attack.mitre.org/software/S0069/.\r\n[34] mod_rootme. GitHub. https://github.com/jingchunzhang/backdoor_rootkit/tree/master/mod_rootme-0.4.\r\n[35] Microsoft docs: Dsget. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc755162(v%3dws.11).\r\n[36] Microsoft docs: Dsquery. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v%3Dws.11).\r\n[37] Operation CloudyOmega: Ichitaro zero-day and ongoing cyberespionage campaign targeting Japan. Symantec. 
https://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan.\r\n[38] Oracle: Oracle Java SE Critical Patch Update Advisory – October 2011. https://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html.\r\n[39] Adobe Help Center: APSB15-16. https://helpx.adobe.com/security/products/flash-player/apsb15-16.html.\r\n[40] Microsoft docs: Csvde. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732101(v%3Dws.11).\r\n[41] Microsoft Security Bulletin MS14-058 – Critical. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-058.\r\n[42] Microsoft Security Bulletin MS14-068 – Critical. https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-068.\r\n[43] Quarks PwDump. Quarkslab. https://blog.quarkslab.com/quarks-pwdump.html.\r\n[44] Mimikatz. GitHub. https://github.com/gentilkiwi/mimikatz.\r\n[45] Amplia Security: Research. http://www.ampliasecurity.com/research.html.\r\n[46] Tick cyberespionage group zeros in on Japan. Symantec. https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan.\r\n[47] Microsoft Docs: PsExec – Windows Sysinternals. https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.\r\n[48] Microsoft Security Bulletin MS17-010 – Critical. 
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010.\r\nAppendix: IoCs\r\nFootnotes\r\n1 TSUBAME is a packet traffic monitoring system used to observe suspicious scanning activities.\r\n2 All files and folders are created under %APPDATA%\\Adobe\\flash\\[random 4-digit alphanumeric string]\\bin.\r\nSource: https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/"
	],
	"report_names": [
		"vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software"
	],
	"threat_actors": [
		{
			"id": "2150d1ac-edf0-46d4-a78a-a8899e45b2b5",
			"created_at": "2022-10-25T15:50:23.269339Z",
			"updated_at": "2026-04-10T02:00:05.402835Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"APT17",
				"Deputy Dog"
			],
			"source_name": "MITRE:APT17",
			"tools": [
				"BLACKCOFFEE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ec14074c-8517-40e1-b4d7-3897f1254487",
			"created_at": "2023-01-06T13:46:38.300905Z",
			"updated_at": "2026-04-10T02:00:02.918468Z",
			"deleted_at": null,
			"main_name": "APT10",
			"aliases": [
				"Red Apollo",
				"HOGFISH",
				"BRONZE RIVERSIDE",
				"G0045",
				"TA429",
				"Purple Typhoon",
				"STONE PANDA",
				"Menupass Team",
				"happyyongzi",
				"CVNX",
				"Cloud Hopper",
				"ATK41",
				"Granite Taurus",
				"POTASSIUM"
			],
			"source_name": "MISPGALAXY:APT10",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c92de6de-9538-43e5-9190-9da092194884",
			"created_at": "2022-10-25T16:07:23.411024Z",
			"updated_at": "2026-04-10T02:00:04.587683Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Blue Termite",
				"Cloudy Omega"
			],
			"source_name": "ETDA:Blue Termite",
			"tools": [
				"Emdivi",
				"Newsripper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5bbced13-72f7-40dc-8c41-dcce75bf885e",
			"created_at": "2022-10-25T15:50:23.695735Z",
			"updated_at": "2026-04-10T02:00:05.335976Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"Winnti Group"
			],
			"source_name": "MITRE:Winnti Group",
			"tools": [
				"PipeMon",
				"Winnti for Windows",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bbefc37d-475c-4d4d-b80b-7a55f896de82",
			"created_at": "2022-10-25T15:50:23.571783Z",
			"updated_at": "2026-04-10T02:00:05.302196Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"BRONZE BUTLER",
				"REDBALDKNIGHT"
			],
			"source_name": "MITRE:BRONZE BUTLER",
			"tools": [
				"Mimikatz",
				"build_downer",
				"cmd",
				"ABK",
				"at",
				"BBK",
				"schtasks",
				"down_new",
				"Daserf",
				"ShadowPad",
				"Windows Credential Editor",
				"gsecdump"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "efa7c047-b61c-4598-96d5-e00d01dec96b",
			"created_at": "2022-10-25T16:07:23.404442Z",
			"updated_at": "2026-04-10T02:00:04.584239Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Canary Typhoon",
				"Circuit Panda",
				"Earth Hundun",
				"G0098",
				"Manga Taurus",
				"Operation PLEAD",
				"Operation Shrouded Crossbow",
				"Operation Waterbear",
				"Palmerworm",
				"Radio Panda",
				"Red Djinn",
				"T-APT-03",
				"TEMP.Overboard"
			],
			"source_name": "ETDA:BlackTech",
			"tools": [
				"BIFROST",
				"BUSYICE",
				"BendyBear",
				"Bluether",
				"CAPGELD",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"GOODTIMES",
				"Gh0stTimes",
				"IconDown",
				"KIVARS",
				"LOLBAS",
				"LOLBins",
				"Linopid",
				"Living off the Land",
				"TSCookie",
				"Waterbear",
				"XBOW",
				"elf.bifrose"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2646f776-792a-4498-967b-ec0d3498fdf1",
			"created_at": "2022-10-25T15:50:23.475784Z",
			"updated_at": "2026-04-10T02:00:05.269591Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"BlackTech",
				"Palmerworm"
			],
			"source_name": "MITRE:BlackTech",
			"tools": [
				"Kivars",
				"PsExec",
				"TSCookie",
				"Flagpro",
				"Waterbear"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "48782737-377b-47b4-aff0-87424208a643",
			"created_at": "2023-01-06T13:46:38.569144Z",
			"updated_at": "2026-04-10T02:00:03.02685Z",
			"deleted_at": null,
			"main_name": "Blue Termite",
			"aliases": [
				"Cloudy Omega",
				"Emdivi"
			],
			"source_name": "MISPGALAXY:Blue Termite",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ba9fa308-a29a-4928-9c06-73aafec7624c",
			"created_at": "2024-05-01T02:03:07.981061Z",
			"updated_at": "2026-04-10T02:00:03.750803Z",
			"deleted_at": null,
			"main_name": "BRONZE RIVERSIDE",
			"aliases": [
				"APT10 ",
				"CTG-5938 ",
				"CVNX ",
				"Hogfish ",
				"MenuPass ",
				"MirrorFace ",
				"POTASSIUM ",
				"Purple Typhoon ",
				"Red Apollo ",
				"Stone Panda "
			],
			"source_name": "Secureworks:BRONZE RIVERSIDE",
			"tools": [
				"ANEL",
				"AsyncRAT",
				"ChChes",
				"Cobalt Strike",
				"HiddenFace",
				"LODEINFO",
				"PlugX",
				"PoisonIvy",
				"QuasarRAT",
				"QuasarRAT Loader",
				"RedLeaves"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a7aefdda-98f1-4790-a32d-14cc99de2d60",
			"created_at": "2023-01-06T13:46:38.281844Z",
			"updated_at": "2026-04-10T02:00:02.909711Z",
			"deleted_at": null,
			"main_name": "APT17",
			"aliases": [
				"BRONZE KEYSTONE",
				"G0025",
				"Group 72",
				"G0001",
				"HELIUM",
				"Heart Typhoon",
				"Group 8",
				"AURORA PANDA",
				"Hidden Lynx",
				"Tailgater Team"
			],
			"source_name": "MISPGALAXY:APT17",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75024aad-424b-449a-b286-352fe9226bcb",
			"created_at": "2023-01-06T13:46:38.962724Z",
			"updated_at": "2026-04-10T02:00:03.164536Z",
			"deleted_at": null,
			"main_name": "BlackTech",
			"aliases": [
				"CIRCUIT PANDA",
				"Temp.Overboard",
				"Palmerworm",
				"G0098",
				"T-APT-03",
				"Manga Taurus",
				"Earth Hundun",
				"Mobwork",
				"HUAPI",
				"Red Djinn",
				"Canary Typhoon"
			],
			"source_name": "MISPGALAXY:BlackTech",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "945a572f-ebe3-4e2f-a288-512fe751cfa8",
			"created_at": "2022-10-25T16:07:24.413971Z",
			"updated_at": "2026-04-10T02:00:04.97924Z",
			"deleted_at": null,
			"main_name": "Winnti Group",
			"aliases": [
				"G0044",
				"Leopard Typhoon",
				"Wicked Panda",
				"Winnti Group"
			],
			"source_name": "ETDA:Winnti Group",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"FunnySwitch",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b93ef3c-2baf-429e-9ccc-fb80d0046c3b",
			"created_at": "2025-08-07T02:03:24.569066Z",
			"updated_at": "2026-04-10T02:00:03.730864Z",
			"deleted_at": null,
			"main_name": "BRONZE CANAL",
			"aliases": [
				"BlackTech",
				"CTG-6177 ",
				"Circuit Panda ",
				"Earth Hundun",
				"Palmerworm ",
				"Red Djinn",
				"Shrouded Crossbow "
			],
			"source_name": "Secureworks:BRONZE CANAL",
			"tools": [
				"Bifrose",
				"DRIGO",
				"Deuterbear",
				"Flagpro",
				"Gh0stTimes",
				"KIVARS",
				"PLEAD",
				"Spiderpig",
				"Waterbear",
				"XBOW"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41 ",
				"BARIUM ",
				"Blackfly ",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku ",
				"GREF",
				"Group 72 ",
				"Red Kelpie ",
				"TA415 ",
				"TG-2633 ",
				"Wicked Panda ",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ee39ecf0-d311-49e5-b0ae-3e3d71f71def",
			"created_at": "2025-08-07T02:03:24.626625Z",
			"updated_at": "2026-04-10T02:00:03.605175Z",
			"deleted_at": null,
			"main_name": "BRONZE KEYSTONE",
			"aliases": [
				"APT17 ",
				"Aurora Panda ",
				"DeputyDog ",
				"Group 72 ",
				"Hidden Lynx ",
				"TG-8153 ",
				"Tailgater Team"
			],
			"source_name": "Secureworks:BRONZE KEYSTONE",
			"tools": [
				"9002",
				"BlackCoffee",
				"DeputyDog",
				"Derusbi",
				"Gh0stHTTPSDropper",
				"HiKit",
				"InternalCMD",
				"PlugX",
				"PoisonIvy",
				"ZxShell"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ba3fff0c-3ba0-4855-9eeb-1af9ee18136a",
			"created_at": "2022-10-25T15:50:23.298889Z",
			"updated_at": "2026-04-10T02:00:05.316886Z",
			"deleted_at": null,
			"main_name": "menuPass",
			"aliases": [
				"menuPass",
				"POTASSIUM",
				"Stone Panda",
				"APT10",
				"Red Apollo",
				"CVNX",
				"HOGFISH",
				"BRONZE RIVERSIDE"
			],
			"source_name": "MITRE:menuPass",
			"tools": [
				"certutil",
				"FYAnti",
				"UPPERCUT",
				"SNUGRIDE",
				"P8RAT",
				"RedLeaves",
				"SodaMaster",
				"pwdump",
				"Mimikatz",
				"PlugX",
				"PowerSploit",
				"ChChes",
				"cmd",
				"QuasarRAT",
				"AdFind",
				"Cobalt Strike",
				"PoisonIvy",
				"EvilGrab",
				"esentutl",
				"Impacket",
				"Ecipekac",
				"PsExec",
				"HUI Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "86fd71d3-06dc-4b73-b038-cedea7b83bac",
			"created_at": "2022-10-25T16:07:23.330793Z",
			"updated_at": "2026-04-10T02:00:04.545236Z",
			"deleted_at": null,
			"main_name": "APT 17",
			"aliases": [
				"APT 17",
				"ATK 2",
				"Beijing Group",
				"Bronze Keystone",
				"Deputy Dog",
				"Elderwood",
				"Elderwood Gang",
				"G0025",
				"G0066",
				"Operation Aurora",
				"Operation DeputyDog",
				"Operation Ephemeral Hydra",
				"Operation RAT Cook",
				"SIG22",
				"Sneaky Panda",
				"TEMP.Avengers",
				"TG-8153",
				"Tailgater Team"
			],
			"source_name": "ETDA:APT 17",
			"tools": [
				"9002 RAT",
				"AGENT.ABQMR",
				"AGENT.AQUP.DROPPER",
				"AGENT.BMZA",
				"AGENT.GUNZ",
				"Agent.dhwf",
				"AngryRebel",
				"BlackCoffee",
				"Briba",
				"Chymine",
				"Comfoo",
				"Comfoo RAT",
				"Darkmoon",
				"DeputyDog",
				"Destroy RAT",
				"DestroyRAT",
				"Farfli",
				"Fexel",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Gresim",
				"HOMEUNIX",
				"HiKit",
				"HidraQ",
				"Homux",
				"Hydraq",
				"Jumpall",
				"Kaba",
				"Korplug",
				"Linfo",
				"MCRAT.A",
				"McRAT",
				"MdmBot",
				"Mdmbot.E",
				"Moudour",
				"Mydoor",
				"Naid",
				"Nerex",
				"PCRat",
				"PNGRAT",
				"Pasam",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trojan.Naid",
				"Vasport",
				"Wiarp",
				"Xamtrav",
				"Zox",
				"ZoxPNG",
				"ZoxRPC",
				"gresim",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434736,
	"ts_updated_at": 1775826755,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/938a0ac8cbd4415ece8db4acf6fcba6217b1cfce.pdf",
		"text": "https://archive.orkl.eu/938a0ac8cbd4415ece8db4acf6fcba6217b1cfce.txt",
		"img": "https://archive.orkl.eu/938a0ac8cbd4415ece8db4acf6fcba6217b1cfce.jpg"
	}
}