SYMBOLCOMMON_NAMEaka. SYNONYMS

APT 16  (Back to overview)

aka: APT16, SVCMONDR

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.


Associated Families
win.elmer win.ironhalo

References
2021-01-25CYBER GEEKS All Things InfosecCyberMasterV
@online{cybermasterv:20210125:detailed:c27540a, author = {CyberMasterV}, title = {{A detailed analysis of ELMER Backdoor used by APT16}}, date = {2021-01-25}, organization = {CYBER GEEKS All Things Infosec}, url = {https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/}, language = {English}, urldate = {2021-01-27} } A detailed analysis of ELMER Backdoor used by APT16
ELMER
2019-12-12FireEyeChi-en Shen, Oleg Bondarenko
@online{shen:20191212:cyber:e01baca, author = {Chi-en Shen and Oleg Bondarenko}, title = {{Cyber Threat Landscape in Japan – Revealing Threat in the Shadow}}, date = {2019-12-12}, organization = {FireEye}, url = {https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko}, language = {English}, urldate = {2020-04-16} } Cyber Threat Landscape in Japan – Revealing Threat in the Shadow
Cerberus TSCookie Cobalt Strike Dtrack Emotet Formbook IcedID Icefog IRONHALO Loki Password Stealer (PWS) PandaBanker PLEAD poisonplug TrickBot BlackTech
2019MITREMITRE ATT&CK
@online{attck:2019:tool:e80f843, author = {MITRE ATT&CK}, title = {{Tool description: ELMER}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/software/S0064}, language = {English}, urldate = {2019-12-20} } Tool description: ELMER
ELMER
2019Council on Foreign RelationsCyber Operations Tracker
@online{tracker:2019:16:9483ad1, author = {Cyber Operations Tracker}, title = {{APT 16}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/apt-16}, language = {English}, urldate = {2019-12-20} } APT 16
APT 16
2015-12-21SymantecKevin Savage
@online{savage:20151221:backdoorelmost:3dac66f, author = {Kevin Savage}, title = {{Backdoor.Elmost}}, date = {2015-12-21}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2015-122210-5724-99}, language = {English}, urldate = {2019-07-09} } Backdoor.Elmost
ELMER
2015-12-21FireEyeRyann Winters, FireEye Threat Intelligence
@online{winters:20151221:eps:808808c, author = {Ryann Winters and FireEye Threat Intelligence}, title = {{The EPS Awakens - Part 2}}, date = {2015-12-21}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html}, language = {English}, urldate = {2019-12-20} } The EPS Awakens - Part 2
ELMER IRONHALO EvilPost
2015-12-21SymantecKevin Savage
@online{savage:20151221:downloaderironhalo:028233f, author = {Kevin Savage}, title = {{Downloader.Ironhalo}}, date = {2015-12-21}, organization = {Symantec}, url = {https://www.symantec.com/security-center/writeup/2015-122210-5128-99}, language = {English}, urldate = {2019-11-27} } Downloader.Ironhalo
IRONHALO
2015-12-16FireEyeGenwei Jiang, Dan Caselden, Ryann Winters
@online{jiang:20151216:eps:3db357c, author = {Genwei Jiang and Dan Caselden and Ryann Winters}, title = {{The EPS Awakens}}, date = {2015-12-16}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html}, language = {English}, urldate = {2019-12-20} } The EPS Awakens
IRONHALO APT 16

Credits: MISP Project