Type: Likely Nation-State (based on targets)

APT16 Status: Believed Active

APT16 Other Names: OpTaiwan

Active Since/Discovered: June 2015

Last Report: January 1, 2016

Targets: Japanese organizations and Taiwanese Media and Entertainment

Target Sectors: financial services, high-tech, media, and government

Malware:

• ELMER Backdoor (Backdoor.APT.Suroot)
  • Non-persistent proxy-aware HTTP backdoor written in Delphi
  • Capable of performing file uploads and downloads, file execution, and process and directory listings
  • Sends HTTP GET requests to a hard-coded CnC server to receive commands
    • Parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed

• IRONHALO (Trojan.IRONHALO)
  • Downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path
  • Persists by copying itself to the current user’s Startup folder
  • Encoded payload is written to a temporary file, decoded and executed in a hidden window
• DOORJAMB

Preferred Attack Vector:  Spear phishing attack and Exploits

TTP:

• Malicious Microsoft Word document exploiting EPS (Encapsulated PostScript) embedded image file in Office (CVE-2015-2545 and CVE-2015-2546) document designed to bypass memory protections on Windows systems to abuse “dict and copy operators”
• The attacker gains access to memory by forging a string via EPS
• Used Windows local privilege escalation vulnerability CVE-2015-1701 to obtain SYSTEM level access to compromised machines
• Afterward, exploit shellcode deployed either the IRONHALO downloader or the ELMER backdoor

Unique:

• Attacks against Taiwan corresponded with their January 16, 2016 elections

• attacks may have been attempt to gain intel on politicians, anticipate election outcome, etc