Skip to content

G0005 APT12

APT12 is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.1

Item Value
ID G0005
Associated Names IXESHE, DynCalc, Numbered Panda, DNSCALC
Version 2.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
IXESHE 1 2
DynCalc 1 2
Numbered Panda 1
DNSCALC 2

Techniques Used

Domain ID Name Use
enterprise T1568 Dynamic Resolution -
enterprise T1568.003 DNS Calculation APT12 has used multiple variants of DNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.1
enterprise T1203 Exploitation for Client Execution APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611).23
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.23
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File APT12 has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.23
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication APT12 has used blogs and WordPress for C2 infrastructure.1

Software

ID Name References Techniques
S0040 HTRAN 3 Process Injection Proxy Rootkit
S0015 Ixeshe 42 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Data from Local System File and Directory Discovery Hidden Files and Directories:Hide Artifacts File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Process Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Service Discovery
S0003 RIPTIDE 2 Web Protocols:Application Layer Protocol Symmetric Cryptography:Encrypted Channel

References

  1. Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016. 

  2. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014. 

  3. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. 

  4. Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.