APT18

APT18, also known as Wekby, is a threat actor suspected to be attributed to China. This group has targeted multiple sectors including Aerospace and Defense, Construction and Engineering, Education, Health and Biotechnology, High Tech, Telecommunications, and Transportation. Despite the significant impact of their activities, very little public information is available about this group. The group has been observed using spear-phishing emails with generic content, suggesting these were crafted for use against multiple targets. One example involved an email masquerading as a Flash update which, once clicked, would download a malicious Adobe Flash (.swf) file onto the victim's system. The APT18 campaign has successfully targeted at least 13 organizations across various industries. Their method involves the use of phishing emails to deliver malware, specifically a GH0ST RAT variant, to victims' systems. Once exploited, the infected system calls out to a previously known APT18 Command and Control (CnC) address. It's important to note that APT18 has frequently developed or adapted zero-day exploits for operations, likely planned in advance, and relied on procured infrastructure for their campaigns. Comparisons between APT18 and another threat actor, APT3, suggest that these groups operate independently. While both are believed to be Chinese Advanced Persistent Threat (APT) groups, their tactics differ. APT3 uses customized phishing emails containing the names of targeted organizations and compromised infrastructure, whereas APT18's approach is more generic and relies on procured infrastructure. FireEye detected independent phishing campaigns conducted by both APT3 and APT18, reinforcing the belief that they are not working together.