APT3
Associated Group Descriptions |
|
| Name | Description |
|---|---|
| Gothic Panda | (Citation: PWC Pirpi Scanbox) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye) |
| Pirpi | (Citation: PWC Pirpi Scanbox) |
| UPS Team | (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye) |
| Buckeye | (Citation: Symantec Buckeye) |
| Threat Group-0110 | (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye) |
| TG-0110 | (Citation: Recorded Future APT3 May 2017) (Citation: Symantec Buckeye) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.(Citation: Symantec Buckeye) |
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT3 has used tools to compress data before exfilling it.(Citation: aptsim) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
APT3 places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap) |
| Enterprise | T1110 | .002 | Brute Force: Password Cracking |
APT3 has been known to brute force password hashes to be able to leverage plain text credentials.(Citation: APT3 Adversary Emulation Plan) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT3 has used PowerShell on victim systems to download and run payloads after exploitation.(Citation: FireEye Operation Double Tap) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
An APT3 downloader uses the Windows command |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
APT3 has been known to create or enable accounts, such as |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
APT3 has a tool that creates a new service for persistence.(Citation: FireEye Operation Double Tap) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
APT3 has used tools to dump passwords from browsers.(Citation: Symantec Buckeye) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT3 has been known to stage files for exfiltration in a single location.(Citation: aptsim) |
| Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
APT3 replaces the Sticky Keys binary |
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
APT3 has been known to use |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.(Citation: FireEye Clandestine Fox)(Citation: FireEye Clandestine Fox Part 2) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
APT3 has a tool that can delete files.(Citation: FireEye Clandestine Fox) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
APT3 has used a keylogging tool that records keystrokes in encrypted files.(Citation: Symantec Buckeye) |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."(Citation: Symantec Buckeye) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
APT3 has been known to pack their tools.(Citation: APT3 Adversary Emulation Plan)(Citation: FireEye Clandestine Wolf) |
| .005 | Obfuscated Files or Information: Indicator Removal from Tools |
APT3 has been known to remove indicators of compromise from tools.(Citation: APT3 Adversary Emulation Plan) |
||
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
APT3 has sent spearphishing emails containing malicious links.(Citation: FireEye Clandestine Wolf) |
| Enterprise | T1090 | .002 | Proxy: External Proxy |
An APT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap) |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
APT3 enables the Remote Desktop Protocol for persistence.(Citation: aptsim) APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.(Citation: Twitter Cglyer Status Update APT3 eml) |
| .002 | Remote Services: SMB/Windows Admin Shares |
APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.(Citation: Symantec Buckeye) |
||
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
An APT3 downloader creates persistence by creating the following scheduled task: |
| Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
APT3 has a tool that can run DLLs.(Citation: FireEye Clandestine Fox) |
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.(Citation: Symantec Buckeye) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT3 has lured victims into clicking malicious links delivered through spearphishing.(Citation: FireEye Clandestine Wolf) |
| Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
APT3 leverages valid accounts after gaining credentials for use within the victim domain.(Citation: Symantec Buckeye) |
References
- Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
- Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
- Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.
- Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.