The APT Group Goblin Panda (aka, Conimes and China 1937CN Team) is an active threat to government and diplomatic organizations in the Asia-Pacific region, specifically in nations located along the South China Sea. This threat, which is thought to be aligned with the Chinese state and its espionage interests in the region, most commonly targets Vietnam, Malaysia, the Philippines, Indonesia, and India, utilizing historic exploits like CVE-2012-0158 delivered via phishing attachments.
This presentation seeks to demonstrate through the examination of metadata in Goblin Panda CVE-2012-0158 RTF phishing lures that a single phishing builder has been in continuous use by the group since 2010. Despite having undergone at least one major overhaul, the phishing builder creates unique RTF Tags within the phishing lures that analysts can leverage to correlate campaigns across diverse targets in different geographic regions. This presentation will demonstrate the geographic areas targeted by Goblin Panda, the varying nature of targeted victims (government, military, diplomatic, civil society/dissidents), and the evolution of the phishing builder from 2010 through 2018.
Michael Raggi (@aRtAGGI), Senior Cyber Intelligence Analyst, Anomali