Skip to content

C0014 Operation Wocao

Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.1

Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.1

Item Value
ID C0014
Associated Names
First Seen December 2017
Last Seen December 2019
Version 1.1
Created 27 September 2022
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account During Operation Wocao, threat actors used the net command to retrieve information about domain accounts.1
enterprise T1583 Acquire Infrastructure -
enterprise T1583.004 Server For Operation Wocao, the threat actors purchased servers with Bitcoin to use during the operation.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols During Operation Wocao, threat actors’ XServer tool communicated using HTTP and HTTPS.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration.1
enterprise T1119 Automated Collection During Operation Wocao, threat actors used a script to collect information about the infected system.1
enterprise T1115 Clipboard Data During Operation Wocao, threat actors collected clipboard data in plaintext.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell During Operation Wocao, threat actors used PowerShell on compromised systems.1
enterprise T1059.003 Windows Command Shell During Operation Wocao, threat actors spawned a new cmd.exe process to execute commands.1
enterprise T1059.005 Visual Basic During Operation Wocao, threat actors used VBScript to conduct reconnaissance on targeted systems.1
enterprise T1059.006 Python During Operation Wocao, threat actors’ backdoors were written in Python and compiled with py2exe.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers During Operation Wocao, threat actors accessed and collected credentials from password managers.1
enterprise T1005 Data from Local System During Operation Wocao, threat actors exfiltrated files and directories of interest from the targeted system.1
enterprise T1001 Data Obfuscation During Operation Wocao, threat actors encrypted IP addresses used for “Agent” proxy hops with RC4.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.1
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography During Operation Wocao, threat actors’ proxy implementation “Agent” upgraded the socket in use to a TLS socket.1
enterprise T1585 Establish Accounts -
enterprise T1585.002 Email Accounts For Operation Wocao, the threat actors registered email accounts to use during the campaign.1
enterprise T1041 Exfiltration Over C2 Channel During Operation Wocao, threat actors used the XServer backdoor to exfiltrate data.1
enterprise T1190 Exploit Public-Facing Application During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers.1
enterprise T1133 External Remote Services During Operation Wocao, threat actors used stolen credentials to connect to the victim’s network via VPN.1
enterprise T1083 File and Directory Discovery During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.1
enterprise T1589 Gather Victim Identity Information During Operation Wocao, threat actors targeted people based on their organizational roles and privileges.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.1
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs During Operation Wocao, the threat actors deleted all Windows system and security event logs using /Q /c wevtutil cl system and /Q /c wevtutil cl security.1
enterprise T1070.004 File Deletion During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using /c cd /d c:\windows\temp\ & copy \\<IP ADDRESS>\c$\windows\system32\devmgr.dll \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1 /y and then deleting the overwritten file using /c cd /d c:\windows\temp\ & del \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1.1
enterprise T1105 Ingress Tool Transfer During Operation Wocao, threat actors downloaded additional files to the infected system.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging During Operation Wocao, threat actors obtained the password for the victim’s password manager via a custom keylogger.1
enterprise T1570 Lateral Tool Transfer During Operation Wocao, threat actors used SMB to copy files to and from target systems.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.1
enterprise T1112 Modify Registry During Operation Wocao, the threat actors enabled Wdigest by changing the HKLM\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest registry value from 0 (disabled) to 1 (enabled).1
enterprise T1111 Multi-Factor Authentication Interception During Operation Wocao, threat actors used a custom collection method to intercept two-factor authentication soft tokens.1
enterprise T1106 Native API During Operation Wocao, threat actors used the CreateProcessA and ShellExecute API functions to launch commands after being injected into a selected process.1
enterprise T1046 Network Service Discovery During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers.1
enterprise T1135 Network Share Discovery During Operation Wocao, threat actors discovered network disks mounted to the system using netstat.1
enterprise T1095 Non-Application Layer Protocol During Operation Wocao, threat actors used a custom protocol for command and control.1
enterprise T1571 Non-Standard Port During Operation Wocao, the threat actors used uncommon high ports for its backdoor C2, including ports 25667 and 47000.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.005 Indicator Removal from Tools During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.1
enterprise T1027.010 Command Obfuscation During Operation Wocao, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory During Operation Wocao, threat actors used ProcDump to dump credentials from memory.1
enterprise T1003.006 DCSync During Operation Wocao, threat actors used Mimikatz‘s DCSync to dump credentials from the memory of the targeted system.1
enterprise T1120 Peripheral Device Discovery During Operation Wocao, threat actors discovered removable disks attached to a system.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups During Operation Wocao, threat actors used the command net localgroup administrators to list all administrators part of a local group.1
enterprise T1057 Process Discovery During Operation Wocao, the threat actors used tasklist to collect a list of running processes on an infected system.1
enterprise T1055 Process Injection During Operation Wocao, threat actors injected code into a selected process, which in turn launches a command as a child process of the original.1
enterprise T1090 Proxy During Operation Wocao, threat actors used a custom proxy tool called “Agent” which has support for multiple hops.1
enterprise T1090.001 Internal Proxy During Operation Wocao, threat actors proxied traffic through multiple infected systems.1
enterprise T1090.003 Multi-hop Proxy During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.1
enterprise T1012 Query Registry During Operation Wocao, the threat actors executed /c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\<username>\PuTTY\Sessions\ to detect recent PuTTY sessions, likely to further lateral movement.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares During Operation Wocao, threat actors used Impacket‘s smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.1
enterprise T1018 Remote System Discovery During Operation Wocao, threat actors used nbtscan and ping to discover remote systems, as well as dsquery subnet on a domain controller to retrieve all subnets in the Active Directory.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.1
enterprise T1518 Software Discovery During Operation Wocao, threat actors collected a list of installed software on the infected system.1
enterprise T1518.001 Security Software Discovery During Operation Wocao, threat actors used scripts to detect security software.1
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting During Operation Wocao, threat actors used PowerSploit‘s Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.1
enterprise T1082 System Information Discovery During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.1
enterprise T1016 System Network Configuration Discovery During Operation Wocao, threat actors discovered the local network configuration with ipconfig.1
enterprise T1016.001 Internet Connection Discovery During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.1
enterprise T1049 System Network Connections Discovery During Operation Wocao, threat actors collected a list of open connections on the infected system using netstat and checks whether it has an internet connection.1
enterprise T1033 System Owner/User Discovery During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.1
enterprise T1007 System Service Discovery During Operation Wocao, threat actors used the tasklist command to search for one of its backdoors.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution During Operation Wocao, threat actors created services on remote systems for execution purposes.1
enterprise T1124 System Time Discovery During Operation Wocao, threat actors used the time command to retrieve the current time of a compromised system.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.1
enterprise T1078 Valid Accounts During Operation Wocao, threat actors used valid VPN credentials to gain initial access.1
enterprise T1078.002 Domain Accounts During Operation Wocao, threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.1
enterprise T1078.003 Local Accounts During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.1
enterprise T1047 Windows Management Instrumentation During Operation Wocao, threat actors has used WMI to execute commands.1

Software

ID Name Description
S0521 BloodHound During Operation Wocao, threat actors used BloodHound discover trust between domains.1

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.