Skip to content

G0001 Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.253

Item Value
ID G0001
Associated Names Group 72
Version 2.0
Created 31 May 2017
Last Modified 20 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Group 72 1

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.002 DNS Server Axiom has acquired dynamic DNS services for use in the targeting of intended victims.4
enterprise T1583.003 Virtual Private Server Axiom has used VPS hosting providers in targeting of intended victims.4
enterprise T1560 Archive Collected Data Axiom has compressed and encrypted data prior to exfiltration.4
enterprise T1584 Compromise Infrastructure -
enterprise T1584.005 Botnet Axiom has used large groups of compromised machines for use as proxy nodes.4
enterprise T1005 Data from Local System Axiom has collected data from a compromised network.4
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography Axiom has used steganography to hide its C2 communications.4
enterprise T1189 Drive-by Compromise Axiom has used watering hole attacks to gain access.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.008 Accessibility Features Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.4
enterprise T1190 Exploit Public-Facing Application Axiom has been observed using SQL injection to gain access to systems.41
enterprise T1203 Exploitation for Client Execution Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893.1
enterprise T1003 OS Credential Dumping Axiom has been known to dump credentials.4
enterprise T1566 Phishing Axiom has used spear phishing to initially compromise victims.14
enterprise T1563 Remote Service Session Hijacking -
enterprise T1563.002 RDP Hijacking Axiom has targeted victims with remote administration tools including RDP.4
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Axiom has used RDP during operations.4
enterprise T1553 Subvert Trust Controls Axiom has used digital certificates to deliver malware.4
enterprise T1078 Valid Accounts Axiom has used previously compromised administrative accounts to escalate privileges.4

Software

ID Name References Techniques
S0021 Derusbi 41 Audio Capture Unix Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Fallback Channels File and Directory Discovery File Deletion:Indicator Removal Timestomp:Indicator Removal Keylogging:Input Capture Non-Application Layer Protocol Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Screen Capture Regsvr32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery Video Capture
S0032 gh0st RAT 14 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fast Flux DNS:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Encrypted Channel DLL Side-Loading:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Process Discovery Process Injection Query Registry Screen Capture Shared Modules Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services
S0009 Hikit 41 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Data from Local System Symmetric Cryptography:Encrypted Channel DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Phishing Internal Proxy:Proxy Rootkit Code Signing Policy Modification:Subvert Trust Controls Install Root Certificate:Subvert Trust Controls
S0203 Hydraq 41 Access Token Manipulation Windows Service:Create or Modify System Process Data from Local System Symmetric Cryptography:Encrypted Channel Exfiltration Over Alternative Protocol File and Directory Discovery File Deletion:Indicator Removal Clear Windows Event Logs:Indicator Removal Ingress Tool Transfer Modify Registry Obfuscated Files or Information Process Discovery Query Registry Screen Capture Shared Modules System Information Discovery System Network Configuration Discovery System Service Discovery Service Execution:System Services
S0013 PlugX 14 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0012 PoisonIvy 14 Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0672 Zox 4 Data from Local System Steganography:Data Obfuscation Exploitation for Privilege Escalation File and Directory Discovery Ingress Tool Transfer Obfuscated Files or Information Process Discovery SMB/Windows Admin Shares:Remote Services System Information Discovery
S0412 ZxShell 61 Create Process with Token:Access Token Manipulation Web Protocols:Application Layer Protocol File Transfer Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Local Account:Create Account Windows Service:Create or Modify System Process Data from Local System Endpoint Denial of Service Exploit Public-Facing Application File and Directory Discovery Disable or Modify Tools:Impair Defenses Disable or Modify System Firewall:Impair Defenses File Deletion:Indicator Removal Clear Windows Event Logs:Indicator Removal Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Modify Registry Native API Network Service Discovery Non-Standard Port Process Discovery Dynamic-link Library Injection:Process Injection Proxy Query Registry Remote Desktop Protocol:Remote Services VNC:Remote Services Screen Capture Rundll32:System Binary Proxy Execution System Information Discovery System Owner/User Discovery System Service Discovery Service Execution:System Services Video Capture

References

  1. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016. 

  2. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  3. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 

  4. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. 

  5. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016. 

  6. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.