Also known as: UPS Team
Suspected attribution: China
Target sectors: Aerospace and Defense, Construction and Engineering, High Tech, Telecommunications, Transportation
Overview: The China-based threat group FireEye tracks as APT3 is one of the more sophisticated threat groups that FireEye Threat Intelligence tracks, and they have a history of using browser-based exploits as zero-days (e.g., Internet Explorer, Firefox, and Adobe Flash Player). After successfully exploiting a target host, this group will quickly dump credentials, move laterally to additional hosts, and install custom backdoors. APT3’s command and control (CnC) infrastructure is difficult to track, as there is little overlap across campaigns.
Associated malware: SHOTPUT, COOKIECUTTER, SOGU
Attack vectors: The phishing emails used by APT3 are usually generic in nature, almost appearing to be spam. Attacks have exploited an unpatched vulnerability in the way Adobe Flash Player parses Flash Video (FLV) files. The exploit uses common vector corruption techniques to bypass Address Space Layout Randomization (ASLR), and uses Return-Oriented Programming (ROP) to bypass Data Execution Prevention (DEP). A neat trick to their ROP technique makes it simpler to exploit and will evade some ROP detection techniques. Shellcode is stored in the packed Adobe Flash Player exploit file alongside a key used for its decryption. The payload is xor encoded and hidden inside an image.
Additional resources
- Blog – Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak
- Blog – New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks
- Blog – Operation Double-Tap
- Blog – Operation Clandestine Wolf: Adobe Flash Zero-Day in APT3 Phishing Campaign
