APT 2 is a cyber espionage group that has been active since 2010. The group is suspected to be sponsored by China, and its main targets are organizations in the aerospace, defense, energy, and government sectors.
APT 2’s goal is to steal intellectual property and sensitive data that can give China a competitive edge in these fields.
What we know
The group uses spearphishing emails that exploit a vulnerability in Microsoft Office (CVE-2012-0158) to deliver a custom backdoor called MOOSE. MOOSE allows the attackers to execute commands, upload and download files, and access the victim’s webcam and microphone.
The group also uses another backdoor called WARP, which is a modified version of the Poison Ivy malware. WARP can perform the same functions as MOOSE, and can additionally log keystrokes, capture screenshots, and steal passwords.
The group often uses compromised legitimate websites, or domains that resemble the target organization’s own, to host its malware or phishing pages. For example, it has used domains such as “us-embassy.org” and “usaid-gov.org” to target US government entities.
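The two lookalike domains named above share a pattern a defender can screen for in DNS or proxy logs: a protected brand token joined to a hyphen or to a TLD-like word (“-gov”) under an unrelated TLD. The following is an added example written for this page, not code from the original or from any vendor report; the watchlist of protected tokens, the allowlist of legitimate domains, and the sample host list are constructed assumptions, with only the two page-listed domains taken from the text.

```python
from __future__ import annotations

from typing import Iterable

# Constructed watchlist (assumption, not from the page): brand tokens a
# defender wants to protect, and the domains that legitimately carry them.
PROTECTED_TOKENS = {"embassy", "usaid"}
LEGITIMATE_DOMAINS = {"usembassy.gov", "usaid.gov"}

# Words that belong in a TLD position, not inside a second-level label.
TLD_WORDS = {"gov", "mil", "edu"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: keep the last two labels.

    Adequate for .org/.com/.gov style names; a production deployment would
    consult the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_reasons(host: str) -> list[str]:
    """Return the reasons a host resembles a brand-impersonating domain.

    An empty list means the host is allowlisted or carries no protected token.
    """
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return []
    second_level = domain.rsplit(".", 1)[0]
    hits = sorted(t for t in PROTECTED_TOKENS if t in second_level)
    if not hits:
        return []
    reasons = [f"protected token(s) {hits} in {domain}"]
    # "usaid-gov.org": the brand is joined to a TLD word under a different TLD.
    if any(part in TLD_WORDS for part in second_level.split("-")):
        reasons.append("embedded TLD word in second-level label")
    # "us-embassy.org": the brand is hyphenated with an extra word.
    if "-" in second_level:
        reasons.append("hyphenated brand name")
    return reasons


def flag_hosts(hosts: Iterable[str]) -> dict[str, list[str]]:
    """Map each suspicious host to its reasons; clean hosts are omitted."""
    return {h: r for h in hosts if (r := lookalike_reasons(h))}


# Constructed sample of hosts as they might appear in DNS or proxy logs.
SAMPLE_HOSTS = [
    "us-embassy.org",      # named on the page
    "usaid-gov.org",       # named on the page
    "usaid.gov",           # legitimate, allowlisted
    "www.usembassy.gov",   # legitimate, allowlisted
    "example.com",         # unrelated traffic
]

if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_HOSTS).items():
        print(f"{host} -> {'; '.join(reasons)}")
```

The substring match is deliberately loose so that a brand token survives the spelling tricks the page describes (hyphenation, a bolted-on “gov”); the allowlist is what keeps the organisation’s real domains from tripping it, so that list needs to be maintained alongside the token watchlist.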
The group is persistent and adaptable, and has evaded detection and attribution for a long time. It has also changed its tactics and infrastructure over time, for example by switching encryption algorithms, command and control servers, and malware variants.