Skip to content

G0026 APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. 1

Item Value
ID G0026
Associated Names TG-0416, Dynamite Panda, Threat Group-0416
Version 2.1
Created 31 May 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
TG-0416 23
Dynamite Panda 23
Threat Group-0416 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT18 uses HTTP for C2 communications.4
enterprise T1071.004 DNS APT18 uses DNS for C2 communications.4
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.34
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell APT18 uses cmd.exe to execute commands on the victim’s machine.43
enterprise T1133 External Remote Services APT18 actors leverage legitimate credentials to log into external remote services.5
enterprise T1083 File and Directory Discovery APT18 can list files information for specific directories.4
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion APT18 actors deleted tools and batch files from victim systems.1
enterprise T1105 Ingress Tool Transfer APT18 can upload a file to the victim’s machine.4
enterprise T1027 Obfuscated Files or Information APT18 obfuscates strings in the payload.4
enterprise T1053 Scheduled Task/Job -
enterprise T1053.002 At APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.1
enterprise T1082 System Information Discovery APT18 can collect system information from the victim’s machine.4
enterprise T1078 Valid Accounts APT18 actors leverage legitimate credentials to log into external remote services.5

Software

ID Name References Techniques
S0106 cmd 1 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Lateral Tool Transfer System Information Discovery
S0032 gh0st RAT 5 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fast Flux DNS:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Encrypted Channel DLL Side-Loading:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Process Discovery Process Injection Query Registry Screen Capture Shared Modules Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services
S0071 hcdLoader 12 Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process
S0070 HTTPBrowser 5 Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Match Legitimate Name or Location:Masquerading Obfuscated Files or Information
S0124 Pisloader 6 DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding File and Directory Discovery Ingress Tool Transfer Obfuscated Files or Information System Information Discovery System Network Configuration Discovery

References

  1. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. 

  2. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016. 

  3. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018. 

  4. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. 

  5. Adair, S. (2017, February 17). Detecting and Responding to Advanced Threats within Exchange Environments. Retrieved March 20, 2017. 

  6. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.