APT16

APT16 is a Chinese-based threat group started in 2015 that is believed to be closely aligned with Chinese nation-state activity. APT16 is responsible for targeted spear phishing attacks upon Japanese and Taiwanese organizations within the government, financial services, media, and high technology industry sectors.

APT16 has been observed using a technique (Mitre Att&ck Enterprise T1584) during which they have compromised legitimate sites as staging servers for their second-stage payloads. They have also been observed using the ELMER backdoor.

These APT16 campaigns generally delivered malware-laden Microsoft Word documents that exploited the Windows CVE-2015-1701. CVE-2015-1701 describes how Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015. This exploit is called the “Win32k Elevation of Privilege Vulnerability.” Once this vulnerability is used, the threat actors could deliver a download for the ELMER backdoor or another downloader called IRONHALO.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.