Other names the threat actor is known by
A high-level summary of the threat actor
A type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets.
A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
An action taken to either prevent an attack or respond to an attack.
Individuals, organizations, or groups, as well as classes of individuals, organizations, or groups.
Contains a pattern that can be used to detect suspicious or malicious cyber activity.
A grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor.
A type of TTP, also known as malicious code and malicious software, used to compromise the confidentiality, integrity, or availability of a victim’s data or system.
Conveys information observed on a system or network (e.g., an IP address).
Collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including contextual details.
Individuals, groups, or organizations believed to be operating with malicious intent.
Legitimate software that can be used by threat actors to perform attacks.
A mistake in software that can be directly used by a hacker to gain access to a system or network.
https://www.securityweek.com/goblin-panda-targets-vietnam-again
September 05, 2018
First observed in 2013 and highly active in 2014, when a conflict over territory in the South China Sea was generating high tension, GOBLIN PANDA is known to focus on Vietnam. Also referred to as Cycldek, the actor has been primarily targeting entities in the defense, energy, and government sectors. Last month, the group was observed targeting Vietnam once again, as part of a campaign that employed exploit documents featuring Vietnamese-language lures and themes. The adversary-controlled infrastructure leveraged as part of the attacks was Vietnam-themed as well. The security researchers observed two exploit documents with Vietnamese-language file names that packed metadata unique to the GOBLIN PANDA adversary. When opened, the files display Microsoft Office Word documents with training-related themes as decoys.
“These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel,” CrowdStrike says. These documents attempt to exploit an old Office vulnerability, namely CVE-2012-0158. The exploit code would drop the side-loading malware implant tracked as QCRat onto the compromised machine. The documents, CrowdStrike discovered, use a “previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.” While analyzing the command and control infrastructure associated with the campaign, the security researchers discovered indicators that the threat actor might be targeting entities in Laos as well. However, no attacks have been observed and CrowdStrike says it cannot confirm targets in Laos for this campaign, although GOBLIN PANDA has targeted this country before.
August 29, 2018
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/
CrowdStrike® first observed GOBLIN PANDA activity in September 2013 when indicators of its activity were discovered on the network of a technology company operating in multiple sectors. Malware variants primarily used by this actor include PlugX and HttpTunnel. This actor focuses a significant amount of its targeting activity on entities in Southeast Asia, particularly Vietnam. Heavy activity was observed in the late spring and early summer of 2014 when tensions between China and other Southeast Asian nations were high, due to conflict over territory in the South China Sea. GOBLIN PANDA targets have been primarily observed in the defense, energy, and government sectors.
Last month, CrowdStrike Intelligence observed renewed activity from GOBLIN PANDA targeting Vietnam. As part of this campaign, new exploit documents were identified with Vietnamese-language lures and themes, as well as Vietnam-themed, adversary-controlled infrastructure.
Two exploit documents with Vietnamese-language file names were observed with file metadata unique to the GOBLIN PANDA adversary. Decoy content displayed in these incidents used Vietnamese-language Microsoft Office Word documents with training-related themes. These documents did not specifically reference Vietnamese government projects or departments, however they could still be directed towards Government of Vietnam personnel.
When opened, both documents use CVE-2012-0158 exploit code to drop malicious files associated with a previously identified side-loading malware implant, tracked as QCRat by CrowdStrike Falcon® Intelligence™.
Both exploit documents used a previously identified legitimate executable, and a side-loading implant Dynamic Link Library (DLL), as well as new implant configuration files stored as a .tlb file.
Analysis of command and control infrastructure suggests that GOBLIN PANDA is targeting entities in Laos, as well. CrowdStrike Intelligence has not directly observed Laotian targeting, and cannot confirm targets in Laos for this campaign, however, previous activity linked to GOBLIN PANDA has targeted this country.
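The object types defined at the top of this page (threat actor, malware, vulnerability, attack pattern, identity, relationship) are the STIX building blocks an analyst would use to record the two reports above. The following is an added example, not code from the page, from CrowdStrike or from SecurityWeek: it builds a STIX 2.1 bundle holding only the facts stated above (the Cycldek alias, PlugX/HttpTunnel/QCRat, CVE-2012-0158, the Vietnamese-language exploit documents, the Vietnam sectors, and the unconfirmed Laos targeting), then checks the bundle for malformed or duplicate identifiers and dangling relationship references before it would be shared. Object identifiers are constructed deterministically with uuid5 and the timestamps reuse the CrowdStrike post date; both are assumptions for readability, not values from the page.

```python
"""Represent the GOBLIN PANDA reporting above as a STIX 2.1 bundle and
sanity-check it before sharing.  Added example, not code from the page or
from CrowdStrike; uses only the Python standard library.  Object IDs are
constructed deterministically with uuid5 so they are stable across runs."""
import json
import re
import uuid

# Timestamp of the CrowdStrike post quoted above; every object reuses it (assumption).
TS = "2018-08-29T00:00:00.000Z"
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def stix_id(obj_type, seed):
    """Deterministic STIX identifier: <type>--<uuid5 of a constructed seed>."""
    return f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, f'{obj_type}/{seed}')}"


def sdo(obj_type, name, **props):
    """Minimal STIX Domain Object carrying the common required properties."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type, name),
           "created": TS, "modified": TS, "name": name}
    obj.update(props)
    return obj


def rel(src, rel_type, dst, **props):
    """STIX Relationship Object linking two domain objects by id."""
    obj = {"type": "relationship", "spec_version": "2.1",
           "id": stix_id("relationship", f"{src['id']}|{rel_type}|{dst['id']}"),
           "created": TS, "modified": TS, "relationship_type": rel_type,
           "source_ref": src["id"], "target_ref": dst["id"]}
    obj.update(props)
    return obj


def build_bundle():
    """Bundle holding only facts stated in the two articles above."""
    actor = sdo("threat-actor", "GOBLIN PANDA", aliases=["Cycldek"],
                first_seen="2013-09-01T00:00:00.000Z")
    plugx = sdo("malware", "PlugX", is_family=True)
    httptunnel = sdo("malware", "HttpTunnel", is_family=True)
    qcrat = sdo("malware", "QCRat", is_family=True,
                description="Side-loading implant DLL dropped by the exploit documents; "
                            "configuration stored in a .tlb file.")
    cve = sdo("vulnerability", "CVE-2012-0158",
              external_references=[{"source_name": "cve", "external_id": "CVE-2012-0158"}])
    lure = sdo("attack-pattern", "Vietnamese-language exploit documents",
               description="Office documents with training-themed decoys that exploit "
                           "CVE-2012-0158 and drop a legitimate executable plus a "
                           "side-loading DLL.")
    vietnam = sdo("identity", "Vietnamese defense, energy and government entities",
                  identity_class="class", sectors=["defense", "energy", "government"])
    laos = sdo("identity", "Entities in Laos", identity_class="class")
    objects = [actor, plugx, httptunnel, qcrat, cve, lure, vietnam, laos,
               rel(actor, "uses", plugx), rel(actor, "uses", httptunnel),
               rel(actor, "uses", qcrat), rel(actor, "uses", lure),
               rel(lure, "targets", cve), rel(actor, "targets", vietnam),
               rel(actor, "targets", laos,
                   description="Suggested by C2 infrastructure analysis only; "
                               "no Laotian targeting directly observed.")]
    return {"type": "bundle", "id": stix_id("bundle", "goblin-panda-2018-08"),
            "objects": objects}


def check_bundle(bundle):
    """Return a list of problems: bad ids, id/type mismatch, duplicates, dangling refs."""
    problems, seen = [], set()
    for obj in bundle["objects"]:
        oid = obj["id"]
        if not ID_RE.match(oid) or not oid.startswith(obj["type"] + "--"):
            problems.append(f"malformed id {oid}")
        if oid in seen:
            problems.append(f"duplicate id {oid}")
        seen.add(oid)
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            for ref in (obj["source_ref"], obj["target_ref"]):
                if ref not in seen:
                    problems.append(f"dangling reference {ref}")
    return problems


def summarize(bundle):
    """Collect the actor's aliases, malware, exploited vulnerabilities and targets."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    out = {"aliases": [], "malware": [], "vulnerabilities": [], "targets": []}
    for o in bundle["objects"]:
        if o["type"] == "threat-actor":
            out["aliases"] = list(o.get("aliases", []))
        elif o["type"] == "relationship":
            dst = by_id.get(o["target_ref"])
            if dst is None:
                continue  # dangling reference; check_bundle reports it
            if o["relationship_type"] == "uses" and dst["type"] == "malware":
                out["malware"].append(dst["name"])
            elif o["relationship_type"] == "targets" and dst["type"] == "vulnerability":
                out["vulnerabilities"].append(dst["name"])
            elif o["relationship_type"] == "targets" and dst["type"] == "identity":
                out["targets"].append(dst["name"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle))
    print("summary:", summarize(bundle))
```

The Laos relationship carries its caveat in the `description` property rather than being dropped, so a consumer sees that the targeting is inferred from infrastructure analysis and not observed; `check_bundle` is the step that catches a relationship left pointing at an object that was removed during editing, which is the usual way a shared bundle silently loses context.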
Articles that are yet to be read
https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportGlobalThreatIntelligence.pdf
https://securelist.com/cycldek-bridging-the-air-gap/97157/
https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view
https://blog.threatstop.com/apt27-enters-ransomware-business
https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/
https://www.securityweek.com/17-malware-frameworks-target-air-gapped-systems-espionage