Also known as: Codoso Team
Suspected attribution: China
Target sectors: Legal and investment
Overview: A group likely composed of freelancers, with some degree of sponsorship by the Chinese government.
Associated malware: BEACON, COBALTSTRIKE
Attack vectors: In 2017, APT19 used three different techniques to attempt to compromise targets. In early May, the phishing lures leveraged RTF attachments that exploited the Microsoft Windows vulnerability described in CVE 2017-0199. Toward the end of May, APT19 switched to using macro-enabled Microsoft Excel (XLSM) documents. In the most recent versions, APT19 added an application whitelisting bypass to the XLSM documents. At least one observed phishing lure delivered a Cobalt Strike payload.
