Stone Panda

aka: APT10, APT 10, MenuPass, Menupass Team, menuPass, menuPass Team, happyyongzi, POTASSIUM, DustStorm, Red Apollo, CVNX, HOGFISH, Cloud Hopper


Associated Families
win.anel, win.chches, win.cobalt_strike, win.derusbi, win.dilljuice, win.emdivi, win.evilgrab, win.ghost_rat, win.poldat, win.quasar_rat, win.redleaves, win.trochilus_rat, win.poison_ivy, win.plugx

References
http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html
http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html
http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html
http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html
http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html
http://blog.macnica.net/blog/2017/12/post-8c22.html
http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/
http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/
http://blogs.360.cn/post/APT_C_01_en.html
http://cyberforensicator.com/2018/12/23/dissecting-cozy-bears-malicious-lnk-file/
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments
http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
http://www.hexblog.com/?p=1248
http://www.malware-traffic-analysis.net/2018/01/04/index.html
http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf
https://401trg.com/burning-umbrella/
https://asert.arbornetworks.com/uncovering-the-seven-pointed-dagger/
https://attack.mitre.org/groups/G0045/
https://blog.cobaltstrike.com/
https://blog.cylance.com/the-ghost-dragon
https://blog.ensilo.com/uncovering-new-activity-by-apt10
https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii
https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/
https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/
https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/
https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
https://community.rsa.com/thread/185439
https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/
https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
https://github.com/5loyd/trochilus/
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
https://github.com/m0n0ph1/malware-1/tree/master/Trochilus
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves
https://github.com/quasar/QuasarRAT/tree/master/Client
https://go.crowdstrike.com/rs/281-obq-266/images/reportglobalthreatintelligence.pdf
https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/
https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/
https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/
https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://securelist.com/new-activity-of-the-blue-termite-apt/71876/
https://securelist.com/time-of-death-connected-medicine/84315/
https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/
https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
https://twitter.com/malwrhunterteam/status/789153556255342596
https://twitter.com/struppigel/status/1130455143504318466
https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf
https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://www.cfr.org/interactive/cyber-operations/apt-10
https://www.cobaltstrike.com/support
https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret
https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html
https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
https://www.intezer.com/blog-chinaz-relations/
https://www.jpcert.or.jp/magazine/acreport-ChChes.html
https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html
https://www.jpcert.or.jp/magazine/acreport-redleaves.html
https://www.lac.co.jp/lacwatch/people/20171218_001445.html
https://www.lac.co.jp/lacwatch/people/20180521_001638.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf
https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf
https://www.rsaconference.com/writable/presentations/file_upload/tta-r02-nation-state-hacktivist-attacks-targeted-hits-on-asian-organizations_copy1.pdf
https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/
https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/
https://youtu.be/DDA2uSxjVWY?t=344

Credits: MISP Project