Skip to content

G0062 TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. 1

Item Value
ID G0062
Associated Names
Version 1.1
Created 18 April 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell TA459 has used PowerShell for execution of a payload.1
enterprise T1059.005 Visual Basic TA459 has a VBScript for execution.1
enterprise T1203 Exploitation for Client Execution TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.1

Software

ID Name References Techniques
S0032 gh0st RAT TA459 has used a Gh0st variant known as PCrat/Gh0st.1 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Deobfuscate/Decode Files or Information Fast Flux DNS:Dynamic Resolution Symmetric Cryptography:Encrypted Channel Encrypted Channel DLL Side-Loading:Hijack Execution Flow Clear Windows Event Logs:Indicator Removal File Deletion:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Non-Application Layer Protocol Process Discovery Process Injection Query Registry Screen Capture Shared Modules Rundll32:System Binary Proxy Execution System Information Discovery Service Execution:System Services
S0033 NetTraveler 1 Application Window Discovery Keylogging:Input Capture
S0013 PlugX 1 DNS:Application Layer Protocol Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts DLL Side-Loading:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Ingress Tool Transfer Keylogging:Input Capture Masquerade Task or Service:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Network Share Discovery Non-Application Layer Protocol Obfuscated Files or Information Process Discovery Query Registry Screen Capture System Network Connections Discovery MSBuild:Trusted Developer Utilities Proxy Execution System Checks:Virtualization/Sandbox Evasion Dead Drop Resolver:Web Service
S0230 ZeroT 1 Bypass User Account Control:Abuse Elevation Control Mechanism Web Protocols:Application Layer Protocol Windows Service:Create or Modify System Process Steganography:Data Obfuscation Deobfuscate/Decode Files or Information Symmetric Cryptography:Encrypted Channel DLL Side-Loading:Hijack Execution Flow Ingress Tool Transfer Obfuscated Files or Information Software Packing:Obfuscated Files or Information Binary Padding:Obfuscated Files or Information System Information Discovery System Network Configuration Discovery

References

  1. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.