Chimera
Associated Group Descriptions |
|
Name | Description |
---|---|
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .001 | Account Discovery: Local Account |
Chimera has used |
.002 | Account Discovery: Domain Account |
Chimera has has used |
||
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Chimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021) |
.004 | Application Layer Protocol: DNS |
Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.(Citation: NCC Group Chimera January 2021) |
||
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021) |
Enterprise | T1110 | .003 | Brute Force: Password Spraying |
Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts.(Citation: NCC Group Chimera January 2021) |
.004 | Brute Force: Credential Stuffing |
Chimera has used credential stuffing against victim's remote services to obtain valid accounts.(Citation: NCC Group Chimera January 2021) |
||
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.(Citation: NCC Group Chimera January 2021) |
||
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021) |
.002 | Data Staged: Remote Data Staging |
Chimera has staged stolen data on designated servers in the target environment.(Citation: NCC Group Chimera January 2021) |
||
Enterprise | T1213 | .002 | Data from Information Repositories: Sharepoint |
Chimera has collected documents from the victim's SharePoint.(Citation: NCC Group Chimera January 2021) |
Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
Chimera has harvested data from victim's e-mail including through execution of |
.002 | Email Collection: Remote Email Collection |
Chimera has harvested data from remote mailboxes including through execution of |
||
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
Chimera has exfiltrated stolen data to OneDrive accounts.(Citation: NCC Group Chimera January 2021) |
Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials |
Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.(Citation: NCC Group Chimera January 2021) |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
Chimera has used side loading to place malicious DLLs in memory.(Citation: NCC Group Chimera January 2021) |
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
Chimera has cleared event logs on compromised hosts.(Citation: NCC Group Chimera January 2021) |
.004 | Indicator Removal: File Deletion |
Chimera has performed file deletion to evade detection.(Citation: Cycraft Chimera April 2020) |
||
.006 | Indicator Removal: Timestomp |
Chimera has used a Windows version of the Linux |
||
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.(Citation: Cycraft Chimera April 2020) |
Enterprise | T1556 | .001 | Modify Authentication Process: Domain Controller Authentication |
Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.(Citation: Cycraft Chimera April 2020) |
Enterprise | T1003 | .003 | OS Credential Dumping: NTDS |
Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020) Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via |
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
Chimera has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020) |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021) |
Enterprise | T1069 | .001 | Permission Groups Discovery: Local Groups |
Chimera has used |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Chimera has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020) |
.002 | Remote Services: SMB/Windows Admin Shares |
Chimera has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021) |
||
.006 | Remote Services: Windows Remote Management |
Chimera has used WinRM for lateral movement.(Citation: NCC Group Chimera January 2021) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script |
Enterprise | T1569 | .002 | System Services: Service Execution |
Chimera has used PsExec to deploy beacons on compromised systems.(Citation: NCC Group Chimera January 2021) |
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Chimera has dumped password hashes for use in pass the hash authentication attacks.(Citation: NCC Group Chimera January 2021) |
Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
Chimera has used compromised domain accounts to gain access to the target environment.(Citation: NCC Group Chimera January 2021) |
References
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.