APT19
Associated Group Descriptions

Name | Description |
---|---|
Codoso | (Citation: Unit 42 C0d0so0 Jan 2016) |
C0d0so0 | (Citation: Unit 42 C0d0so0 Jan 2016) |
Codoso Team | (Citation: FireEye APT Groups) |
Sunshop Group | (Citation: Dark Reading Codoso Feb 2015) |
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016) |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | An APT19 HTTP malware variant establishes persistence by setting the Registry key |
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT19 used PowerShell commands to execute payloads.(Citation: FireEye APT19) |
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | An APT19 Port 22 malware variant registers itself as a service.(Citation: Unit 42 C0d0so0 Jan 2016) |
Enterprise | T1132.001 | Data Encoding: Standard Encoding | An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.(Citation: Unit 42 C0d0so0 Jan 2016) |
Enterprise | T1564.003 | Hide Artifacts: Hidden Window | APT19 used |
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.(Citation: Unit 42 C0d0so0 Jan 2016) |
Enterprise | T1588.002 | Obtain Capabilities: Tool | APT19 has obtained and used publicly-available tools like Empire.(Citation: NCSC Joint Report Public Tools)(Citation: FireEye APT19) |
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.(Citation: FireEye APT19) |
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | APT19 used Regsvr32 to bypass application control techniques.(Citation: FireEye APT19) |
Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | APT19 configured its payload to inject into the rundll32.exe.(Citation: FireEye APT19) |
Enterprise | T1204.002 | User Execution: Malicious File | APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.(Citation: FireEye APT19) |

References
- Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
- FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.
- Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.