Sciextor

APT 31

APT 31 is a cyber espionage group that is believed to operate on behalf of the Chinese government and state-owned enterprises

The group has been active since at least 2017, and has targeted organizations and individuals in various sectors and regions, such as aerospace, defense, government, media, technology, and international affairs

History

• In 2020, the group attempted to compromise the email accounts of people associated with the US presidential election, as well as prominent leaders in the international affairs community
• In 2019, the group was linked to a software supply chain attack that leveraged a legitimate tax software to deliver a backdoor to organizations in Hong Kong
• In 2018, the group was involved in a campaign that used spear-phishing emails, web beacons, and scheduled tasks to harvest credentials from upstream providers, such as law firms and managed service providers
• In 2017, the group exploited a zero-day vulnerability (CVE-2017-0005) in Windows to gain local privilege escalation and execute malicious code on compromised hosts

Attack types

SOGU, LUCKYBIRD, SLOWGYRO, and DUCKFAT: These are Python-based implants that can perform various functions, such as file transfer, command execution, credential theft, and data exfiltration

PlugX: This is a remote access trojan (RAT) that can perform various malicious activities, such as file manipulation, process injection, keylogging, and screen capture

TONESHELL: This is a custom shellcode loader that can execute encrypted payloads in memory

C4: This is a tool that can open a Windows Command Shell on a remote host

Aliases

• Judgment Panda
• Zirconium
• RedBravo
• Red Keres