Skip to content

G0045 menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.12

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.3456712

Item Value
ID G0045
Associated Names Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH
Version 2.1
Created 31 May 2017
Last Modified 11 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Cicada 8
POTASSIUM 12
Stone Panda 39128
APT10 391018
Red Apollo 612
CVNX 612
HOGFISH 9

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.11
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains menuPass has registered malicious domains for use in intrusion campaigns.12
enterprise T1560 Archive Collected Data menuPass has encrypted files and information before exfiltration.12
enterprise T1560.001 Archive via Utility menuPass has compressed files before exfiltration using TAR and RAR.6118
enterprise T1119 Automated Collection menuPass has used the Csvde tool to collect Active Directory files and data.8
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell menuPass uses PowerSploit to inject shellcode into PowerShell.118
enterprise T1059.003 Windows Command Shell menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.6111310 menuPass has used malicious macros embedded inside Office documents to execute files.910
enterprise T1005 Data from Local System menuPass has collected various files from the compromised computers.18
enterprise T1039 Data from Network Shared Drive menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.6
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.6
enterprise T1074.002 Remote Data Staging menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.68
enterprise T1140 Deobfuscate/Decode Files or Information menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.910
enterprise T1568 Dynamic Resolution -
enterprise T1568.001 Fast Flux DNS menuPass has used dynamic DNS service providers to host malicious domains.2
enterprise T1190 Exploit Public-Facing Application menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.12
enterprise T1210 Exploitation of Remote Services menuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472).8
enterprise T1083 File and Directory Discovery menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.8
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking menuPass has used DLL search order hijacking.6
enterprise T1574.002 DLL Side-Loading menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.11108
enterprise T1070 Indicator Removal on Host -
enterprise T1070.003 Clear Command History menuPass has used Wevtutil to remove PowerShell execution logs.12
enterprise T1070.004 File Deletion A menuPass macro deletes files after it has decoded and decompressed them.92
enterprise T1105 Ingress Tool Transfer menuPass has installed updates and new malware on victims.62
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging menuPass has used key loggers to steal usernames and passwords.2
enterprise T1036 Masquerading menuPass has used esentutl to change file extensions to their true type that were masquerading as .txt files.10
enterprise T1036.003 Rename System Utilities menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.10
enterprise T1036.005 Match Legitimate Name or Location menuPass has been seen changing malicious files to appear legitimate.2
enterprise T1106 Native API menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.8
enterprise T1046 Network Service Discovery menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.11
enterprise T1027 Obfuscated Files or Information menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.9108
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.11
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.1113
enterprise T1003.003 NTDS menuPass has used Ntdsutil to dump credentials.8
enterprise T1003.004 LSA Secrets menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.1113
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.117102
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.9
enterprise T1090 Proxy -
enterprise T1090.002 External Proxy menuPass has used a global service provider’s IP as a proxy for C2 traffic from a victim.710
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol menuPass has used RDP connections to move across the victim network.62
enterprise T1021.004 SSH menuPass has used Putty Secure Copy Client (PSCP) to transfer data.6
enterprise T1018 Remote System Discovery menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.117
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.11
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.12
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.004 InstallUtil menuPass has used InstallUtil.exe to execute malicious software.11
enterprise T1016 System Network Configuration Discovery menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.11
enterprise T1049 System Network Connections Discovery menuPass has used net use to conduct connectivity checks to machines.6
enterprise T1199 Trusted Relationship menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.117812
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.1179102
enterprise T1078 Valid Accounts menuPass has used valid accounts including shared between Managed Service Providers and clients to move between the two environments.68212
enterprise T1047 Windows Management Instrumentation menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.11138

Software

ID Name References Techniques
S0552 AdFind 8 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S0160 certutil - Deobfuscate/Decode Files or Information Ingress Tool Transfer Install Root Certificate:Subvert Trust Controls
S0144 ChChes - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Credentials from Web Browsers:Credentials from Password Stores Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel File and Directory Discovery Disable or Modify Tools:Impair Defenses Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Process Discovery Code Signing:Subvert Trust Controls System Information Discovery
S0106 cmd - Windows Command Shell:Command and Scripting Interpreter File and Directory Discovery File Deletion:Indicator Removal on Host Ingress Tool Transfer Lateral Tool Transfer System Information Discovery
S0154 Cobalt Strike - Bypass User Account Control:Abuse Elevation Control Mechanism Sudo and Sudo Caching:Abuse Elevation Control Mechanism Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Token Impersonation/Theft:Access Token Manipulation Domain Account:Account Discovery Application Layer Protocol DNS:Application Layer Protocol Web Protocols:Application Layer Protocol BITS Jobs Browser Session Hijacking Python:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Modify Registry Multiband Communication Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Dynamic-link Library Injection:Process Injection Process Hollowing:Process Injection Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services Remote Desktop Protocol:Remote Services SMB/Windows Admin Shares:Remote Services Distributed Component Object Model:Remote Services SSH:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0624 Ecipekac - Deobfuscate/Decode Files or Information DLL Side-Loading:Hijack Execution Flow Ingress Tool Transfer Obfuscated Files or Information Code Signing:Subvert Trust Controls
S0404 esentutl - Data from Local System NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Lateral Tool Transfer NTDS:OS Credential Dumping
S0152 EvilGrab - Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Commonly Used Port Keylogging:Input Capture Screen Capture Video Capture
S0628 FYAnti - Deobfuscate/Decode Files or Information File and Directory Discovery Ingress Tool Transfer Software Packing:Obfuscated Files or Information
S0357 Impacket - LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Network Sniffing NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0039 Net - Domain Account:Account Discovery Local Account:Account Discovery Domain Account:Create Account Local Account:Create Account Network Share Connection Removal:Indicator Removal on Host Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0626 P8RAT - Junk Data:Data Obfuscation Ingress Tool Transfer Process Discovery System Checks:Virtualization/Sandbox Evasion Time Based Evasion:Virtualization/Sandbox Evasion
S0097 Ping - Remote System Discovery
S0013 PlugX - DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Search Order Hijacking:Hijack Execution Flow DLL Side-Loading:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Multiband Communication Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0012 PoisonIvy - Application Window Discovery Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Active Setup:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit
S0194 PowerSploit - Access Token Manipulation Local Account:Account Discovery Audio Capture Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Path Interception Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0006 pwdump - Security Account Manager:OS Credential Dumping
S0262 QuasarRAT - Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Proxy Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Code Signing:Subvert Trust Controls System Information Discovery Credentials In Files:Unsecured Credentials Video Capture
S0153 RedLeaves - Web Protocols:Application Layer Protocol Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Credentials from Web Browsers:Credentials from Password Stores Symmetric Cryptography:Encrypted Channel File and Directory Discovery DLL Search Order Hijacking:Hijack Execution Flow File Deletion:Indicator Removal on Host Ingress Tool Transfer Non-Standard Port Obfuscated Files or Information Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery
S0159 SNUGRIDE - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel
S0627 SodaMaster - Symmetric Cryptography:Encrypted Channel Asymmetric Cryptography:Encrypted Channel Ingress Tool Transfer Native API Obfuscated Files or Information Process Discovery Query Registry System Information Discovery System Owner/User Discovery Time Based Evasion:Virtualization/Sandbox Evasion System Checks:Virtualization/Sandbox Evasion
S0275 UPPERCUT - Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel File and Directory Discovery Ingress Tool Transfer Screen Capture System Information Discovery System Network Configuration Discovery System Owner/User Discovery System Time Discovery

References


  1. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. 

  2. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  3. Crowdstrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017. 

  4. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. 

  5. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. 

  6. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. 

  7. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. 

  8. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 

  9. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. 

  10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 

  11. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. 

  12. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017. 

Back to top