APT3
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
In 2017, MITRE developed an APT3 Adversary Emulation Plan.[5]
Associated Group Descriptions
| Name | Description |
|---|---|
| Gothic Panda | |
| Pirpi | |
| UPS Team | |
| Buckeye | |
| Threat Group-0110 | |
| TG-0110 |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[4] |
| Enterprise | T1098 | Account Manipulation |
APT3 has been known to add created accounts to local admin groups to maintain elevated access.[7] |
|
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
APT3 has used tools to compress data before exfilling it.[7] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
APT3 places scripts in the startup folder for persistence.[3] |
| Enterprise | T1110 | .002 | Brute Force: Password Cracking |
APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[5] |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
An APT3 downloader uses the Windows command |
||
| Enterprise | T1136 | .001 | Create Account: Local Account |
APT3 has been known to create or enable accounts, such as |
| Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
APT3 has a tool that creates a new service for persistence.[3] |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1005 | Data from Local System |
APT3 will identify Microsoft Office documents on the victim's computer.[7] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
APT3 has been known to stage files for exfiltration in a single location.[7] |
| Enterprise | T1546 | .008 | Event Triggered Execution: Accessibility Features |
APT3 replaces the Sticky Keys binary |
| Enterprise | T1041 | Exfiltration Over C2 Channel |
APT3 has a tool that exfiltrates data over the C2 channel.[8] |
|
| Enterprise | T1203 | Exploitation for Client Execution |
APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.[1][8] |
|
| Enterprise | T1083 | File and Directory Discovery |
APT3 has a tool that looks for files and directories on the local file system.[8][9] |
|
| Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
APT3 has been known to use |
| Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.[8][10] |
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | ||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
APT3 has used a keylogging tool that records keystrokes in encrypted files.[4] |
| Enterprise | T1104 | Multi-Stage Channels |
An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[3] |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
An APT3 downloader establishes SOCKS5 connections for its initial C2.[3] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
APT3 obfuscates files or information to help evade defensive measures.[4] |
|
| .002 | Software Packing | |||
| .005 | Indicator Removal from Tools |
APT3 has been known to remove indicators of compromise from tools.[5] |
||
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."[4] |
| Enterprise | T1069 | Permission Groups Discovery |
APT3 has a tool that can enumerate the permissions associated with Windows groups.[4] |
|
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
APT3 has sent spearphishing emails containing malicious links.[1] |
| Enterprise | T1057 | Process Discovery |
APT3 has a tool that can list out currently running processes.[8][9] |
|
| Enterprise | T1090 | .002 | Proxy: External Proxy |
An APT3 downloader establishes SOCKS5 connections for its initial C2.[3] |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
APT3 enables the Remote Desktop Protocol for persistence.[7] APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.[11] |
| .002 | Remote Services: SMB/Windows Admin Shares |
APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[4] |
||
| Enterprise | T1018 | Remote System Discovery |
APT3 has a tool that can detect the existence of remote systems.[4][8] |
|
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
An APT3 downloader creates persistence by creating the following scheduled task: |
| Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 | |
| Enterprise | T1082 | System Information Discovery |
APT3 has a tool that can obtain information about the local system.[4][9] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[4][9] |
|
| Enterprise | T1049 | System Network Connections Discovery |
APT3 has a tool that can enumerate current network connections.[4][8][9] |
|
| Enterprise | T1033 | System Owner/User Discovery |
An APT3 downloader uses the Windows command |
|
| Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[4] |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
APT3 has lured victims into clicking malicious links delivered through spearphishing.[1] |
| Enterprise | T1078 | .002 | Valid Accounts: Domain Accounts |
APT3 leverages valid accounts after gaining credentials for use within the victim domain.[4] |
Software
References
- Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
- Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
- valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
- Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
- Scott, M.. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- Glyer, C. (2018, April 14). @cglyer Status Update. Retrieved October 11, 2018.