The April 2012 APT15(Mirage Team) campaign targeted a high profile oil company in the Philippines, a military organization in Taiwan, an energy company in Canada, and organizations in Brazil, Israel, Egypt, and Nigeria. The Mirage team attacks are attributed to the Chinese government or a state sponsored threat actor. The campaign was investigated while advanced persistent threat groups were still developing into their current structure; consequently, the campaign was not investigated to the same level of detail as modern threats. The most distinct commonality between victims was that all parties were involved in the contest for rights to survey natural gas and oil in the South China Sea. It is believed that the intent of the campaign was to exfiltrate confidential information, steal intellectual property, or to construct a botnet.
The actors began the campaign by targeting mid-level to senior-level executives with spear phishing emails that contain malicious droppers that install the Mirage malware. The droppers are disguised as PDF attachments. If opened, then the dropper is deployed and an embedded PDF of a news story, relevant to the target, opens. The dropper contains a copy of the Mirage malware, which executes and copies itself into either C:\ Documents or C:\ Windows. The copy starts and the original closes. The new Mirage establishes persistence in the event of reboot by creating registry keys. The malware obfuscates its presence through the creation of one or more files named svchost.exe, ernel32.dll, thumb.db, csrss.exe, Reader_SL.exe, and MSN.exe. The malware profiles the system (MAC address, CPU speed, memory size, system name, and user name) and sends the information back to the command and control infrastructure via a HTTP request over ports 80, 443, and 8080. It can implement SSL for added security. The first variant of Mirage communicated via a HTTP POST request and it transferred information that was lightly encrypted by adding each character’s ASCII value to its offset from the start of the payload. The second variant of the malware communicated through HTTP GET requests and it encrypted data the same way as the former version except that the payload of the initial request is encapsulated in a Base64-encoded string. The Mirage toolkit consisted of a backdoor and a remote access trojan (RAT). At the time of its discovery in 2012, the command and control structure consisted of over 100 domains. By the end of 2012, the Mirage team campaign went dormant. However, some of its infrastructure reappeared in the 2015 Hellsing campaign.