G0045 menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[9][10]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[6][2][4][7][3][9][10]

Item Value
ID G0045
Associated Names Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH
Version 2.1
Created 31 May 2017
Last Modified 23 March 2023

Associated Group Descriptions

Name Description
Cicada 8
POTASSIUM 910
Stone Panda 619108
APT10 61598
Red Apollo 7910
CVNX 7910
HOGFISH 1

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.11
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains menuPass has registered malicious domains for use in intrusion campaigns.910
enterprise T1560 Archive Collected Data menuPass has encrypted files and information before exfiltration.910
enterprise T1560.001 Archive via Utility menuPass has compressed files before exfiltration using TAR and RAR.7118
enterprise T1119 Automated Collection menuPass has used the Csvde tool to collect Active Directory files and data.8
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell menuPass uses PowerSploit to inject shellcode into PowerShell.118
enterprise T1059.003 Windows Command Shell menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.711135 menuPass has used malicious macros embedded inside Office documents to execute files.15
enterprise T1005 Data from Local System menuPass has collected various files from the compromised computers.98
enterprise T1039 Data from Network Shared Drive menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.7
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.7
enterprise T1074.002 Remote Data Staging menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.78
enterprise T1140 Deobfuscate/Decode Files or Information menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.15
enterprise T1568 Dynamic Resolution -
enterprise T1568.001 Fast Flux DNS menuPass has used dynamic DNS service providers to host malicious domains.10
enterprise T1190 Exploit Public-Facing Application menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.12
enterprise T1210 Exploitation of Remote Services menuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472).8
enterprise T1083 File and Directory Discovery menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.8
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking menuPass has used DLL search order hijacking.7
enterprise T1574.002 DLL Side-Loading menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.1158
enterprise T1070 Indicator Removal -
enterprise T1070.003 Clear Command History menuPass has used Wevtutil to remove PowerShell execution logs.12
enterprise T1070.004 File Deletion A menuPass macro deletes files after it has decoded and decompressed them.110
enterprise T1105 Ingress Tool Transfer menuPass has installed updates and new malware on victims.710
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging menuPass has used key loggers to steal usernames and passwords.10
enterprise T1036 Masquerading menuPass has used esentutl to restore the true file extension of files that had been masquerading as .txt files.5
enterprise T1036.003 Rename System Utilities menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.5
enterprise T1036.005 Match Legitimate Name or Location menuPass has been seen changing malicious files to appear legitimate.10
enterprise T1106 Native API menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.8
enterprise T1046 Network Service Discovery menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.11
enterprise T1027 Obfuscated Files or Information menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.158
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.11
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.1113
enterprise T1003.003 NTDS menuPass has used Ntdsutil to dump credentials.8
enterprise T1003.004 LSA Secrets menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.1113
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.113510
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.1
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy menuPass has used a global service provider’s IP as a proxy for C2 traffic from a victim.35
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol menuPass has used RDP connections to move across the victim network.710
enterprise T1021.004 SSH menuPass has used Putty Secure Copy Client (PSCP) to transfer data.7
enterprise T1018 Remote System Discovery menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.113
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.11
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.12
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.004 InstallUtil menuPass has used InstallUtil.exe to execute malicious software.11
enterprise T1016 System Network Configuration Discovery menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.11
enterprise T1049 System Network Connections Discovery menuPass has used net use to conduct connectivity checks to machines.7
enterprise T1199 Trusted Relationship menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.1138910
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.1131510
enterprise T1078 Valid Accounts menuPass has used valid accounts, including accounts shared between Managed Service Providers and their clients, to move between the two environments.781012
enterprise T1047 Windows Management Instrumentation menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.11138

Software

ID Name References Techniques
S0552 AdFind 8 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S0160 certutil 158 Archive via Utility:Archive Collected Data Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0144 ChChes 11 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel File and Directory Discovery Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Process Discovery Code Signing:Subvert Trust Controls System Information Discovery
S0106 cmd 11 Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal Ingress Tool Transfer Lateral Tool Transfer System Information Discovery
S0154 Cobalt Strike 12 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0624 Ecipekac 12 Deobfuscate/Decode Files or Information DLL Side-Loading:Hijack Execution Flow Ingress Tool Transfer Obfuscated Files or Information Code Signing:Subvert Trust Controls
S0404 esentutl 5 Data from Local System NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Lateral Tool Transfer NTDS:OS Credential Dumping
S0152 EvilGrab 11 Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Keylogging:Input Capture Screen Capture Video Capture
S0628 FYAnti 12 Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Software Packing:Obfuscated Files or Information
S0357 Impacket 11 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Network Sniffing NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0002 Mimikatz 11 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0039 Net 11 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0626 P8RAT 12 Junk Data:Data Obfuscation Ingress Tool Transfer Process Discovery System Checks:Virtualization/Sandbox Evasion Time Based Evasion:Virtualization/Sandbox Evasion
S0097 Ping 113 Remote System Discovery
S0013 PlugX 1139 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0012 PoisonIvy 1110 Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0194 PowerSploit 11 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0029 PsExec 113 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0006 pwdump 11 Security Account Manager:OS Credential Dumping
S0262 QuasarRAT 9812 Bypass User Account Control:Abuse Elevation Control Mechanism Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Data from Local System Symmetric Cryptography:Encrypted Channel Hidden Files and Directories:Hide Artifacts Hidden Window:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Modify Registry Non-Application Layer Protocol Non-Standard Port Proxy Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery System Location Discovery System Network Configuration Discovery System Owner/User Discovery Credentials In Files:Unsecured Credentials Video Capture
S0153 RedLeaves 119 Web Protocols:Application Layer Protocol Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Symmetric Cryptography:Encrypted Channel File and Directory Discovery DLL Search Order Hijacking:Hijack Execution Flow File Deletion:Indicator Removal Ingress Tool Transfer Non-Standard Port Obfuscated Files or Information Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery
S0159 SNUGRIDE 3 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel
S0627 SodaMaster 12 Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Ingress Tool Transfer Native API Obfuscated Files or Information Process Discovery Query Registry System Information Discovery System Owner/User Discovery System Checks:Virtualization/Sandbox Evasion Time Based Evasion:Virtualization/Sandbox Evasion
S0275 UPPERCUT 5 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel File and Directory Discovery Ingress Tool Transfer Screen Capture System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery

References

1. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
2. Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.
3. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
4. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
5. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
6. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
7. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
8. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
9. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
11. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
12. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.