Velvet Ant
Associated Group Descriptions

Name | Description
---|---

Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1037.004 | Boot or Logon Initialization Scripts: RC Scripts | Velvet Ant used a modified `/etc/rc.local` file on compromised F5 BIG-IP devices to maintain persistence.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1059.004 | Command and Scripting Interpreter: Unix Shell | Velvet Ant used a custom tool, VELVETSTING, to parse encoded inbound commands on compromised F5 BIG-IP devices and then execute them via the Unix shell.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Velvet Ant has used a reverse SSH shell to securely communicate with victim devices.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1574.001 | Hijack Execution Flow: DLL | Velvet Ant has used malicious DLLs executed via legitimate EXE files through DLL search order hijacking to launch follow-on payloads such as PlugX.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Velvet Ant attempted to disable local security tools and endpoint detection and response (EDR) software during operations.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | Velvet Ant modified system firewall settings during PlugX installation, using `netsh.exe` to open a random high-numbered listening port on victim devices.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Velvet Ant used a malicious DLL, `iviewers.dll`, that mimics the legitimate "OLE/COM Object Viewer" within Windows.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1090.001 | Proxy: Internal Proxy | Velvet Ant has tunneled traffic from victims through an internal, compromised host to proxy communications to command and control nodes.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Velvet Ant has transferred tools within victim environments using SMB.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1569.002 | System Services: Service Execution | Velvet Ant executed and installed PlugX as a Windows service.(Citation: Sygnia VelvetAnt 2024A)
Enterprise | T1078.003 | Valid Accounts: Local Accounts | Velvet Ant accessed vulnerable Cisco switch devices using accounts with administrator privileges.(Citation: Sygnia VelvetAnt 2024B)
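The `netsh.exe` firewall change recorded under T1562.004 is one of the more detectable behaviours in this table. The following is an added example, not code from this page or from Sygnia: it scans constructed process-creation events for `netsh advfirewall firewall add rule` commands that allow inbound traffic on an ephemeral-range port. The 49152 threshold, the event field names and the hostnames are assumptions made for the example.

```python
import re

# Assumption: inbound allow rules on ephemeral-range ports (>= 49152) created by
# netsh are rare enough in most fleets to be worth an analyst's attention.
HIGH_PORT_MIN = 49152

# Matches key=value pairs, with or without a quoted value (name="My Rule").
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_netsh_add_rule(cmdline):
    """Return the key=value fields of a 'netsh advfirewall firewall add rule'
    command line as a dict, or None if the line is a different command."""
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    # Drop the executable token whether it is bare or a full path.
    exe = tokens[0].strip('"').replace('\\', '/').rsplit('/', 1)[-1]
    if exe in ('netsh', 'netsh.exe'):
        tokens = tokens[1:]
    if tokens[:4] != ['advfirewall', 'firewall', 'add', 'rule']:
        return None
    return {k: v.strip('"') for k, v in _KV.findall(' '.join(tokens[4:]))}


def is_suspicious_inbound_rule(fields, high_port_min=HIGH_PORT_MIN):
    """True for an inbound allow rule on 'any' port or a port >= high_port_min."""
    if fields is None:
        return False
    if fields.get('dir') != 'in' or fields.get('action') != 'allow':
        return False
    port = fields.get('localport', '')
    if port == 'any':
        return True
    low = port.split('-', 1)[0]          # handle ranges such as 50000-50100
    return low.isdigit() and int(low) >= high_port_min


def flag_events(events):
    """Return the process-creation events whose command line adds a suspicious rule."""
    return [e for e in events if is_suspicious_inbound_rule(parse_netsh_add_rule(e['cmdline']))]


# Constructed sample events (hostnames, rule names and ports are made up).
SAMPLE_EVENTS = [
    {'host': 'ws01', 'cmdline': r'C:\Windows\System32\netsh.exe advfirewall firewall add rule name="svc" dir=in action=allow protocol=TCP localport=51432'},
    {'host': 'ws02', 'cmdline': 'netsh advfirewall firewall add rule name="Printer" dir=in action=allow protocol=TCP localport=9100'},
    {'host': 'ws03', 'cmdline': 'netsh advfirewall firewall add rule name="Block" dir=in action=block protocol=TCP localport=52000'},
    {'host': 'ws04', 'cmdline': 'netsh interface ip show config'},
]

if __name__ == '__main__':
    for event in flag_events(SAMPLE_EVENTS):
        print(event['host'], event['cmdline'])   # prints only the ws01 event
```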
References
- Sygnia Team. (2024, July 1). China-Nexus Threat Group ‘Velvet Ant’ Exploits Cisco Zero-Day (CVE-2024-20399) to Compromise Nexus Switch Devices – Advisory for Mitigation and Response. Retrieved March 14, 2025.
- Sygnia Team. (2024, June 3). China-Nexus Threat Group ‘Velvet Ant’ Abuses F5 Load Balancers for Persistence. Retrieved March 14, 2025.