Skip to content

G0073 APT19

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. 1 Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. 5 3 4

Item Value
ID G0073
Associated Names Codoso, C0d0so0, Codoso Team, Sunshop Group
Version 1.5
Created 17 October 2018
Last Modified 21 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Codoso 4
C0d0so0 4
Codoso Team 3
Sunshop Group 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.14
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\.4
enterprise T1059 Command and Scripting Interpreter APT19 downloaded and launched code within a SCT file.1
enterprise T1059.001 PowerShell APT19 used PowerShell commands to execute payloads.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service An APT19 Port 22 malware variant registers itself as a service.4
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.4
enterprise T1140 Deobfuscate/Decode Files or Information An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.4
enterprise T1189 Drive-by Compromise APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.4
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. 1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.4
enterprise T1112 Modify Registry APT19 uses a Port 22 malware variant to modify several Registry keys.4
enterprise T1027 Obfuscated Files or Information APT19 used Base64 to obfuscate payloads.1
enterprise T1027.010 Command Obfuscation APT19 used Base64 to obfuscate executed commands.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT19 has obtained and used publicly-available tools like Empire.61
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.010 Regsvr32 APT19 used Regsvr32 to bypass application control techniques.1
enterprise T1218.011 Rundll32 APT19 configured its payload to inject into the rundll32.exe.1
enterprise T1082 System Information Discovery APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.14
enterprise T1016 System Network Configuration Discovery APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.4
enterprise T1033 System Owner/User Discovery APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.4
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.1

Software

ID Name References Techniques
S0154 Cobalt Strike 1 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0363 Empire 6 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation

References

  1. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 

  2. Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018. 

  3. FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018. 

  4. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 

  5. Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018. 

  6. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.