APT19

APT19 is a threat actor group located in mainland China. MITRE ATT&CK data indicates that APT19 and Deep Panda are likely the same organization, but it is unclear from open-source intelligence (OSINT) if this is accurate. APT10 also may be the same organization or have close cooperation with other threat groups, including DEEP PANDA, Codoso, WebMasters, KungFu Kittens, Black Vine, TEMP.Avengers, Group 13, PinkPanther, Shell Crew, BRONZE FIRESTONE, G0009, G0073, Pupa, and Sunshop Group. The links between some of these groups and APT19 are sometimes tenuous. Still, any clues as to cooperation, and sharing tactics, techniques, and procedures (TTPs), can provide invaluable information to defenders discovering one APT10’s incidents of compromise within their infrastructure.

APT19 has been actively targeting many industries, including agriculture, energy, healthcare, finance, military, defense and defense contractors, telecommunications, high technology, education, manufacturing, and aerospace. A few years back, in 2017, APT19 was discovered running a phishing email campaign targeting law and investment firms.

APT19 has also executed “watering hole attacks” using legitimate websites to compromise the targeted victims. Watering hole attacks take a survey about the most frequented and likely websites of your targeted victims and then infect them with malicious code so that some victims of the targeted group will become infected and compromised. APT19 has also used droppers that appear to be the valid installers associated with Juniper’s VPN, Microsoft ActiveX controls, and in some cases, Adobe Reader.

Per the threat researcher organization FireEye, APT19 has been observed using several specific techniques to compromise its targets. APT19 included phishing emails with RTF document attachments in one case. These RTF documents took advantage of the Microsoft Windows vulnerability (CVE 2017-0199). Over a different period, APT19 was observed using a malicious macro-embedded Microsoft Excel document. APT19 appears to bypass application whitelisting using these Microsoft Excel documents. In another case, the phishing lures were delivered using a Cobalt Strike payload. As most of us recall, Beacon is the name for one of Cobalt Strike’s primary malware payloads. Beacon is used to create a connection to the team server.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.