NanHaiShu
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.004 | Application Layer Protocol: DNS | NanHaiShu uses DNS for C2 communications.(Citation: fsecure NanHaiShu July 2016)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | NanHaiShu modifies the %regrun% Registry key so that it points to itself as an autostart mechanism.(Citation: fsecure NanHaiShu July 2016)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | NanHaiShu executes additional VBScript code on the victim's machine.(Citation: fsecure NanHaiShu July 2016)
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | NanHaiShu executes additional JScript code on the victim's machine.(Citation: fsecure NanHaiShu July 2016)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.(Citation: Proofpoint Leviathan Oct 2017)
Enterprise | T1070.004 | Indicator Removal: File Deletion | NanHaiShu launches a script to delete its original decoy file to cover its tracks.(Citation: fsecure NanHaiShu July 2016)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | NanHaiShu encodes files in Base64.(Citation: fsecure NanHaiShu July 2016)
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | NanHaiShu uses mshta.exe to load its program and files.(Citation: fsecure NanHaiShu July 2016)
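As an added example (not part of the ATT&CK entry or of the cited F-Secure, Proofpoint or CISA reports), the following Python scans constructed Sysmon-style process-creation (EventID 1) and registry value-set (EventID 13) records for the three host-observable behaviours in the table: mshta.exe proxy execution (T1218.005), a Run-key value that launches a script host (T1547.001), and a script host deleting a file through cmd.exe (T1070.004). The event field names, the heuristics and the sample records are assumptions for illustration; none of the paths or values are real NanHaiShu indicators.

```python
import json
import re

# Constructed sample telemetry (assumption: Sysmon-like field names). These are
# NOT real NanHaiShu artefacts; record 4 and record 6 are deliberately benign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\update.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe javascript:eval('...')"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "Details": "mshta.exe C:\\Users\\u\\AppData\\Roaming\\svc.hta"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", "Details": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "cmd.exe /c del /q \"C:\\Users\\u\\Downloads\\invoice.doc\""}
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "mshta.exe C:\\Program Files\\Vendor\\help.hta"}
"""

SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
SCRIPT_EXT = re.compile(r"\.(hta|vbs|vbe|js|jse|wsf)\b", re.I)
DELETE_VERB = re.compile(r"\b(del|erase)\b|remove-item", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_mshta(ev: dict):
    """T1218.005: mshta.exe launched by Office, with an inline script
    protocol, or loading a file from a user-writable location."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "mshta.exe":
        return None
    cmd = ev.get("CommandLine", "")
    parent = basename(ev.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        return f"T1218.005 mshta spawned by Office ({parent})"
    if INLINE_SCRIPT.search(cmd):
        return "T1218.005 mshta with inline javascript:/vbscript: payload"
    if USER_WRITABLE.search(cmd):
        return "T1218.005 mshta loading a file from a user-writable path"
    return None


def check_run_key(ev: dict):
    """T1547.001: Run/RunOnce value whose data launches a script host or script."""
    if ev.get("EventID") != 13 or not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    details = ev.get("Details", "").lower()
    if any(h in details for h in SCRIPT_HOSTS) or SCRIPT_EXT.search(details):
        return f"T1547.001 Run key value launches script host: {ev['TargetObject']}"
    return None


def check_script_delete(ev: dict):
    """T1070.004: a script host uses cmd.exe to delete a file (decoy cleanup)."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "cmd.exe":
        return None
    parent = basename(ev.get("ParentImage", ""))
    if parent in SCRIPT_HOSTS and DELETE_VERB.search(ev.get("CommandLine", "")):
        return f"T1070.004 {parent} deleting a file via cmd: {ev['CommandLine']}"
    return None


CHECKS = (check_mshta, check_run_key, check_script_delete)


def scan(jsonl: str) -> list:
    """Run every check over each JSON-lines record; return the findings in order."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The heuristics are intentionally narrow: mshta.exe is a signed Windows binary with legitimate uses, so the checks key on its parent process, an inline script protocol, or a user-writable source path rather than on the binary alone, and the benign OneDrive Run value and the vendor-installed .hta in the sample are not flagged. In production the same logic would be expressed as a SIEM or EDR rule over live telemetry; the DNS C2 (T1071.004) and Base64 encoding (T1027.013) rows need network and content telemetry that this host-log example does not cover.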
Groups That Use This Software

ID | Name | References
---|---|---
G0065 | Leviathan | (Citation: Proofpoint Leviathan Oct 2017) (Citation: CISA AA21-200A APT40 July 2021)
References
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.