
G0062 TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

Item | Value
ID | G0062
Associated Names |
Version | 1.1
Created | 18 April 2018
Last Modified | 25 April 2025

Techniques Used

Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | TA459 has used PowerShell for execution of a payload. [1]
enterprise | T1059.005 | Visual Basic | TA459 has used a VBScript for execution. [1]
enterprise | T1203 | Exploitation for Client Execution | TA459 has exploited the Microsoft Word vulnerability CVE-2017-0199 for execution. [1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments. [1]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing. [1]

Software

ID | Name | References | Techniques
S0032 | gh0st RAT | TA459 has used a Gh0st variant known as PCrat/Gh0st. [1] | Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Standard Encoding: Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS: Dynamic Resolution; Symmetric Cryptography: Encrypted Channel; Encrypted Channel; DLL: Hijack Execution Flow; Clear Windows Event Logs: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32: System Binary Proxy Execution; System Information Discovery; Service Execution: System Services
S0033 | NetTraveler | [1] | Application Window Discovery; Keylogging: Input Capture
S0013 | PlugX | [1] | Web Protocols: Application Layer Protocol; DNS: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Local Data Staging: Data Staged; Debugger Evasion; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Mutual Exclusion: Execution Guardrails; Exfiltration Over C2 Channel; File and Directory Discovery; Hidden Files and Directories: Hide Artifacts; Hidden Window: Hide Artifacts; DLL: Hijack Execution Flow; Disable or Modify System Firewall: Impair Defenses; Clear Persistence: Indicator Removal; File Deletion: Indicator Removal; Ingress Tool Transfer; Keylogging: Input Capture; Local Storage Discovery; Masquerade Task or Service: Masquerading; Match Legitimate Resource Name or Location: Masquerading; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Binary Padding: Obfuscated Files or Information; Dynamic API Resolution: Obfuscated Files or Information; Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; Peripheral Device Discovery; Process Discovery; Query Registry; Reflective Code Loading; Replication Through Removable Media; Scheduled Task: Scheduled Task/Job; Screen Capture; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; MSBuild: Trusted Developer Utilities Proxy Execution; Malicious File: User Execution; System Checks: Virtualization/Sandbox Evasion; Dead Drop Resolver: Web Service
S0230 | ZeroT | [1] | Bypass User Account Control: Abuse Elevation Control Mechanism; Web Protocols: Application Layer Protocol; Windows Service: Create or Modify System Process; Steganography: Data Obfuscation; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; DLL: Hijack Execution Flow; Ingress Tool Transfer; Junk Code Insertion: Obfuscated Files or Information; Software Packing: Obfuscated Files or Information; Encrypted/Encoded File: Obfuscated Files or Information; System Information Discovery; System Network Configuration Discovery

References