G0022 APT3
APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
In 2017, MITRE developed an APT3 Adversary Emulation Plan.[5]
Item | Value |
---|---|
ID | G0022 |
Associated Names | Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110 |
Version | 1.4 |
Created | 31 May 2017 |
Last Modified | 01 October 2021 |
Associated Group Descriptions
Name | Description |
---|---|
Gothic Panda | [6][2][4] |
Pirpi | [6] |
UPS Team | [1][2][4] |
Buckeye | [4] |
Threat Group-0110 | [2][4] |
TG-0110 | [2][4] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[4] |
enterprise | T1098 | Account Manipulation | APT3 has been known to add created accounts to local admin groups to maintain elevated access.[9] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | APT3 has used tools to compress data before exfiltrating it.[9] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | APT3 places scripts in the startup folder for persistence.[3] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.002 | Password Cracking | APT3 has been known to brute force password hashes to be able to leverage plaintext credentials.[5] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3] |
enterprise | T1059.003 | Windows Command Shell | An APT3 downloader uses the Windows command `cmd.exe /C whoami`. The group also uses a tool to execute commands on remote computers.[3][4] |
enterprise | T1136 | Create Account | - |
enterprise | T1136.001 | Local Account | APT3 has been known to create or enable accounts, such as `support_388945a0`.[9] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | APT3 has a tool that creates a new service for persistence.[3] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | APT3 has used tools to dump passwords from browsers.[4] |
enterprise | T1005 | Data from Local System | APT3 will identify Microsoft Office documents on the victim’s computer.[9] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | APT3 has been known to stage files for exfiltration in a single location.[9] |
enterprise | T1546 | Event Triggered Execution | - |
enterprise | T1546.008 | Accessibility Features | APT3 replaces the Sticky Keys binary `C:\Windows\System32\sethc.exe` for persistence.[9] |
enterprise | T1041 | Exfiltration Over C2 Channel | APT3 has a tool that exfiltrates data over the C2 channel.[7] |
enterprise | T1203 | Exploitation for Client Execution | APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.[1][7] |
enterprise | T1083 | File and Directory Discovery | APT3 has a tool that looks for files and directories on the local file system.[7][8] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.003 | Hidden Window | APT3 has been known to use `-WindowStyle Hidden` to conceal PowerShell windows.[3] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | APT3 has been known to side-load DLLs with a valid version of Chrome with one of their tools.[7][10] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | APT3 has a tool that can delete files.[7] |
enterprise | T1105 | Ingress Tool Transfer | APT3 has a tool that can copy files to remote machines.[7] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | APT3 has used a keylogging tool that records keystrokes in encrypted files.[4] |
enterprise | T1104 | Multi-Stage Channels | An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[3] |
enterprise | T1095 | Non-Application Layer Protocol | An APT3 downloader establishes SOCKS5 connections for its initial C2.[3] |
enterprise | T1027 | Obfuscated Files or Information | APT3 obfuscates files or information to help evade defensive measures.[4] |
enterprise | T1027.002 | Software Packing | APT3 has been known to pack their tools.[5][1] |
enterprise | T1027.005 | Indicator Removal from Tools | APT3 has been known to remove indicators of compromise from tools.[5] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.001 | LSASS Memory | APT3 has used a tool to dump credentials by injecting itself into `lsass.exe` and triggering with the argument `dig`.[4] |
enterprise | T1069 | Permission Groups Discovery | APT3 has a tool that can enumerate the permissions associated with Windows groups.[4] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.002 | Spearphishing Link | APT3 has sent spearphishing emails containing malicious links.[1] |
enterprise | T1057 | Process Discovery | APT3 has a tool that can list out currently running processes.[7][8] |
enterprise | T1090 | Proxy | - |
enterprise | T1090.002 | External Proxy | An APT3 downloader establishes SOCKS5 connections for its initial C2.[3] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | APT3 enables the Remote Desktop Protocol for persistence.[9] APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.[11] |
enterprise | T1021.002 | SMB/Windows Admin Shares | APT3 will copy files over to Windows Admin Shares (like `ADMIN$`) as part of lateral movement.[4] |
enterprise | T1018 | Remote System Discovery | APT3 has a tool that can detect the existence of remote systems.[4][7] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | An APT3 downloader creates persistence by creating the following scheduled task: `schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"`.[3] |
enterprise | T1218 | System Binary Proxy Execution | - |
enterprise | T1218.011 | Rundll32 | APT3 has a tool that can run DLLs.[7] |
enterprise | T1082 | System Information Discovery | APT3 has a tool that can obtain information about the local system.[4][8] |
enterprise | T1016 | System Network Configuration Discovery | A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[4][8] |
enterprise | T1049 | System Network Connections Discovery | APT3 has a tool that can enumerate current network connections.[4][7][8] |
enterprise | T1033 | System Owner/User Discovery | An APT3 downloader uses the Windows command `cmd.exe /C whoami` to verify that it is running with the elevated privileges of "System".[3] |
enterprise | T1552 | Unsecured Credentials | - |
enterprise | T1552.001 | Credentials In Files | APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[4] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | APT3 has lured victims into clicking malicious links delivered through spearphishing.[1] |
enterprise | T1078 | Valid Accounts | - |
enterprise | T1078.002 | Domain Accounts | APT3 leverages valid accounts after gaining credentials for use within the victim domain.[4] |
Software
References
1. Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
2. Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.
3. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
4. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
5. Korban, C., et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
6. Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
7. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
8. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
9. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
10. Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
11. Glyer, C. (2018, April 14). @cglyer Status Update. Retrieved October 11, 2018.