Update: May 19, 2018
APT 1 resources
Threat Actor aliases:
Comment Crew, Comment Panda, PLA Unit 61398, TG-8223, APT 1, BrownFox, Group 3, GIF89a, ShadyRAT, Shanghai Group, Byzantine Candor
http://apt.threattracking.com
These are the samples described in the Mandiant APT1 report's Indicators of Compromise (IOCs). Each file is named according to its malware family, so you can run your own detection and signature tools against them to see how your naming convention corresponds to the one used by Mandiant.
You can use these binaries to develop signatures, compare to your samples, or study the behavior and evolution of APT1.
I added Contagio samples in several families as well.
The list of binaries and their names, as well as the malware family descriptions, are provided below for your convenience.
- 2010_11_Fireeye_VinSelf - A new backdoor in town! « VinSelf - A new backdoor in town! _ FireEye Inc.pdf
- 2010_12_Guardian_WikiLeaks cables reveal fears over Chinese cyber warfare _ US news _ The Guardian.pdf
- 2011_08_Ira Winkler_ Shady Rat Case Shows Vendors As Big a Problem As APT Itself _ CIO.pdf
- 2011_08_Kaspersky's Thoughts on Operation Shady Rat _ Nota Bene_ Eugene Kaspersky's Official Blog.pdf
- 2011_10_SANS_detailed-analysis-advanced-persistent-threat-malware-33814.pdf
- 2011_Mcafee-operation-shady-rat1.pdf
- 2012_06_Bloomberg_Hackers Linked to China’s Army Seen From EU to D.C. - Bloomberg.pdf
- 2013_02_NYTimes_China’s Army Is Seen as Tied to Hacking Against U.S.pdf
- 2013_03_Fireeye_TABMSGSQL and 44 WEBC2-YAHOO_The Dingo and the Baby « The Dingo and the Baby _ FireEye Inc.pdf
- 2013_05_Fireeye_APT1 Three Months Later.pdf
- 2013_05_Mandiant-APT1_Exposing One of China’s Cyber Espionage Units.pdf
- 2014_05_Fireeye_The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1 Intrusion Activity « The PLA and the 8_00am-5_00pm Work Day_ FireEye Confirms DOJ's Findings on APT1 Intrusion Activity _ FireEye Inc.pdf
- 2014_06_Crowdstrike_Hat-tribution to PLA Unit 61486 ».pdf
- 2014_12_Vinself now with steganography - Airbus CyberSecurity.pdf
- 2016_BANGAT_malware-signatures_bangat.yara at master · citizenlab_malware-signatures.pdf
- GIF89a_Vinselfdecoder_malwaretracker.com_ Command and Control Decoder - Vinself Trojan.pdf
- PLA Unit 61398 _ Council on Foreign Relations Interactives.pdf