Sunshine Group APT
Your consent is required to display this content from youtube - Privacy Settings
Type: Cyber-criminal
Status: Inactive, though subgroups may be active
Sunshine group APT Other Names: Sunshop Group
Active Since/Discovered: Discovered July 2011
Target Sectors: Aerospace/Defense/Airlines, Applied research and development, Chemicals/Manufacturing/Mining, Higher education, Entertainment/Media/Hospitality, Energy/Utilities/Petroleum refining, Financial services, Federal government, State and local government, Healthcare/Pharmaceuticals, High-tech, Insurance, Legal services, Services/Consulting/VAR, Telecommunications
Malware:
-
- Shared Malware builder
- Trojan.APT.9002, Trojan.APT.PoisonIvy, Trojan.APT.Gh0st, Trojan.APT.Kaba, and Trojan.APT.Briba.
Preferred Attack Vector: Watering-hole
TTP:
- Shares infrastructure with ten sub-groups
- Described as “digital quartermaster” to the 10-11 APTs
- All associated campaigns utilize a common development infrastructure characterized by shared:
- Portable executable resources
- Digital certificates
- Compile Times
- C2 Infrastructure
- All associated campaigns utilize a common development infrastructure characterized by shared:
- 64 of 110 binaries were packaged with two unique manifest resources, and 47 were signed with six different digital certificates.
- The binaries connected to 54 unique fully qualified domains
Unique:
- One of the first and largest Malware-as-a-Service groups
- Possible cyber arms dealer, supplying the operators responsible for conducting attacks and establishing footholds within targeted organizations.