
CTA Adversary Playbook: Goblin Panda


Jasper_The_Rasper
Moderator
By FortiGuard SE Team | November 01, 2018

Adversary Playbook

The FortiGuard SE Team is releasing this new playbook on the threat actor group known as Goblin Panda as part of its role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper.
 
Active since 2014, Goblin Panda is a threat actor that is focused on interests in Southeast Asia. Goblin Panda has been documented by various organizations, including Fortinet, over the past several years. Due to non-standardized naming conventions within the industry, Goblin Panda is also known as APT 27, Hellsing, Cycledek, and perhaps 1937CN. Goblin Panda is primarily active in South and Southeast Asia, with activity seen primarily in Cambodia, Indonesia, Philippines, Myanmar, Malaysia, Thailand, and Vietnam. India has also been targeted in the past, albeit in limited numbers.
 
Not much has been documented on this group for various reasons. This is primarily due to the fact that its tactics, techniques, and procedures have evolved over the years, and also because, rather than engaging in the sort of broad-brush attacks most cybercriminal gangs engage in, their targets and campaigns have been quite specific in nature. We hope that the information contained within our playbook is informative for responders who encounter one of their attacks, or for anyone interested in Goblin Panda.
 
Overview
 
Favorite methodologies of Goblin Panda include the use of remote access Trojans, including the infamous PlugX/Korplug, NewCore, and Sisfader RAT tools. Distribution of infected samples by attackers such as Goblin Panda is often carried out through weaponized Microsoft Office documents containing malicious macros, or by exploiting known vulnerabilities—most recently CVE-2012-0158 and CVE-2017-11882. Even though CVE-2012-0158 is over five years old, attackers are quite aware that many organizations, especially up-and-coming organizations in developing areas of the world, do not follow a regular patching schedule for various reasons, such as lack of resources or awareness, and therefore remain vulnerable to known exploits for long periods of time.
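The two delivery indicators named above (VBA macros and exploit-carrying embedded objects such as Equation Editor objects) are cheap to triage before a document reaches a user. The script below is an added example, not code from Fortinet or the CTA playbook; the part names it checks (vbaProject.bin, the embeddings folder, the Equation.3 ProgID, the Macros/VBA storage names) are assumptions drawn from the Office file formats, and the legacy-OLE check is a string scan rather than a full CFB parse.

```python
"""Offline triage of Office documents for macro and embedded-object indicators.
Added example; not Fortinet or CTA code. The heuristics are assumptions about
the OOXML and legacy OLE container layouts, not the playbook's own detections."""
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls CFB container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.xlsx/.pptx) container

# Equation Editor 3.0 ProgID as written into word/document.xml for an embedded object;
# CVE-2017-11882 samples carry an Equation.3 object, so its presence warrants a closer look.
EQUATION_PROGID_RE = re.compile(rb'ProgID="Equation\.3"', re.IGNORECASE)

# Storage/stream names that hold VBA code in a legacy OLE file, encoded as the
# UTF-16LE directory-entry names the CFB format uses.
OLE_MACRO_NAMES = [n.encode("utf-16-le") for n in ("Macros", "VBA", "_VBA_PROJECT_CUR")]


def triage_ooxml(data: bytes) -> dict:
    """Walk the zip parts of an OOXML file and flag macro and embedded-object indicators."""
    findings = {"container": "ooxml", "has_macros": False,
                "embedded_objects": [], "equation_object": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):        # VBA project part => macro-enabled
                findings["has_macros"] = True
            if "/embeddings/" in lower:                 # embedded OLE/package objects
                findings["embedded_objects"].append(name)
            if lower.endswith(".xml") and EQUATION_PROGID_RE.search(zf.read(name)):
                findings["equation_object"] = True
    return findings


def triage_ole(data: bytes) -> dict:
    """Crude scan of a legacy OLE container for macro storage names (no full CFB parse)."""
    findings = {"container": "ole", "has_macros": False, "equation_object": False}
    findings["has_macros"] = any(n in data for n in OLE_MACRO_NAMES)
    # The ProgID string may appear as UTF-16LE or ASCII inside the embedded object.
    findings["equation_object"] = ("Equation.3".encode("utf-16-le") in data
                                   or b"Equation.3" in data)
    return findings


def triage(data: bytes) -> dict:
    """Dispatch on the container magic; anything else is reported as unknown."""
    if data.startswith(ZIP_MAGIC):
        try:
            return triage_ooxml(data)
        except zipfile.BadZipFile:
            return {"container": "unknown", "error": "zip magic but unreadable archive"}
    if data.startswith(OLE_MAGIC):
        return triage_ole(data)
    return {"container": "unknown", "error": "not an Office container"}


def build_sample_docx(with_macro: bool, with_equation: bool) -> bytes:
    """Construct a minimal OOXML container for testing (constructed sample, not real malware)."""
    body = b"<w:document><w:body>"
    if with_equation:
        body += b'<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId1"/>'
    body += b"</w:body></w:document>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        if with_equation:
            zf.writestr("word/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("macro docx", build_sample_docx(True, False)),
        ("equation docx", build_sample_docx(False, True)),
        ("legacy doc", OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le")),
        ("plain text", b"hello"),
    ]
    for label, sample in samples:
        print(label, "->", triage(sample))
```

A flagged document is a triage hit, not a verdict: a macro-enabled file or an Equation.3 object is a reason to detonate the sample in a sandbox or hand it to an analyst, and the legacy-OLE string scan in particular will miss obfuscated layouts that a proper CFB parser would resolve.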
 
Full Article.
