G0114 Chimera
Chimera is a suspected China-based threat group that has been active since at least 2018, targeting the semiconductor industry in Taiwan as well as airline industry data.[1][2]
Item | Value |
---|---|
ID | G0114 |
Associated Names | |
Version | 2.2 |
Created | 24 August 2020 |
Last Modified | 22 March 2023 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Chimera has used net user for account discovery.[2] |
enterprise | T1087.002 | Domain Account | Chimera has used net user /dom and net user Administrator to enumerate domain accounts, including administrator accounts.[1][2] |
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Chimera has used HTTPS for C2 communications.[2] |
enterprise | T1071.004 | DNS | Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.[2] |
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | Chimera has used gzip on Linux hosts and a modified RAR utility on Windows hosts to archive data.[1][2] |
enterprise | T1119 | Automated Collection | Chimera has used custom DLLs for continuous retrieval of data from memory.[2] |
enterprise | T1217 | Browser Information Discovery | Chimera has used type \ for bookmark discovery.[2] |
enterprise | T1110 | Brute Force | - |
enterprise | T1110.003 | Password Spraying | Chimera has used multiple password spraying attacks against the victim's remote services to obtain valid user and administrator accounts.[2] |
enterprise | T1110.004 | Credential Stuffing | Chimera has used credential stuffing against the victim's remote services to obtain valid accounts.[2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[1][2] |
enterprise | T1059.003 | Windows Command Shell | Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.[2] |
enterprise | T1213 | Data from Information Repositories | - |
enterprise | T1213.002 | Sharepoint | Chimera has collected documents from the victim's SharePoint.[2] |
enterprise | T1039 | Data from Network Shared Drive | Chimera has collected data of interest from network shares.[2] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | Chimera has staged stolen data locally on compromised hosts.[2] |
enterprise | T1074.002 | Remote Data Staging | Chimera has staged stolen data on designated servers in the target environment.[2] |
enterprise | T1482 | Domain Trust Discovery | Chimera has used nltest /domain_trusts to identify domain trust relationships.[2] |
enterprise | T1114 | Email Collection | - |
enterprise | T1114.001 | Local Email Collection | Chimera has harvested data from the victim's e-mail, including through execution of wmic /node: and copy commands.[2] |
enterprise | T1114.002 | Remote Email Collection | Chimera has harvested data from remote mailboxes, including through execution of \ .[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | Chimera has used Cobalt Strike C2 beacons for data exfiltration.[2] |
enterprise | T1567 | Exfiltration Over Web Service | - |
enterprise | T1567.002 | Exfiltration to Cloud Storage | Chimera has exfiltrated stolen data to OneDrive accounts.[2] |
enterprise | T1133 | External Remote Services | Chimera has used legitimate credentials to log in to external VPN, Citrix, SSH, and other remote services.[1][2] |
enterprise | T1083 | File and Directory Discovery | Chimera has used multiple commands to identify data of interest in file and directory listings.[2] |
enterprise | T1589 | Gather Victim Identity Information | - |
enterprise | T1589.001 | Credentials | Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.[2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Chimera has used DLL side-loading to place malicious DLLs in memory.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.001 | Clear Windows Event Logs | Chimera has cleared event logs on compromised hosts.[2] |
enterprise | T1070.004 | File Deletion | Chimera has deleted files to evade detection.[1] |
enterprise | T1070.006 | Timestomp | Chimera has used a Windows version of the Linux touch command to modify the date and time stamps on DLLs.[2] |
enterprise | T1105 | Ingress Tool Transfer | Chimera has remotely copied tools and malware onto targeted systems.[1] |
enterprise | T1570 | Lateral Tool Transfer | Chimera has copied tools between compromised hosts using SMB.[2] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[1] |
enterprise | T1556 | Modify Authentication Process | - |
enterprise | T1556.001 | Domain Controller Authentication | Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to log in without a valid credential.[1] |
enterprise | T1111 | Multi-Factor Authentication Interception | Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.[2] |
enterprise | T1106 | Native API | Chimera has used direct Windows system calls by leveraging Dumpert.[1] |
enterprise | T1046 | Network Service Discovery | Chimera has used the get -b command for network scanning, as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.[2] |
enterprise | T1135 | Network Share Discovery | Chimera has used net share and net view to identify network shares of interest.[2] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.010 | Command Obfuscation | Chimera has encoded PowerShell commands.[1] |
enterprise | T1588 | Obtain Capabilities | - |
enterprise | T1588.002 | Tool | Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.[1][2] |
enterprise | T1003 | OS Credential Dumping | - |
enterprise | T1003.003 | NTDS | Chimera has gathered the SYSTEM registry hive and ntds.dit files from target systems.[1] Chimera has specifically used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv, and has used ntdsutil to copy the Active Directory database.[2] |
enterprise | T1201 | Password Policy Discovery | Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.[2] |
enterprise | T1069 | Permission Groups Discovery | - |
enterprise | T1069.001 | Local Groups | Chimera has used net localgroup administrators to identify accounts with local administrative rights.[2] |
enterprise | T1057 | Process Discovery | Chimera has used tasklist to enumerate processes.[2] |
enterprise | T1572 | Protocol Tunneling | Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS.[2] |
enterprise | T1012 | Query Registry | Chimera has queried Registry keys using reg query \ and reg query \ .[2] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.001 | Remote Desktop Protocol | Chimera has used RDP to access targeted systems.[1] |
enterprise | T1021.002 | SMB/Windows Admin Shares | Chimera has used Windows admin shares to move laterally.[1][2] |
enterprise | T1021.006 | Windows Remote Management | Chimera has used WinRM for lateral movement.[2] |
enterprise | T1018 | Remote System Discovery | Chimera has used various scans and queries to find domain controllers and remote services in the target environment.[2] |
enterprise | T1053 | Scheduled Task/Job | - |
enterprise | T1053.005 | Scheduled Task | Chimera has used scheduled tasks to invoke Cobalt Strike, including through the batch script command schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st, and to maintain persistence.[1][2] |
enterprise | T1082 | System Information Discovery | Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows to gather system information, including shadow volumes and drive information.[2] |
enterprise | T1016 | System Network Configuration Discovery | Chimera has used ipconfig, Ping, and tracert to enumerate the IP address, network environment, and settings of the local host.[2] |
enterprise | T1049 | System Network Connections Discovery | Chimera has used netstat -ano to identify network connections.[2] |
enterprise | T1033 | System Owner/User Discovery | Chimera has used the quser command to show currently logged-on users.[2] |
enterprise | T1007 | System Service Discovery | Chimera has used net start and net use for system service discovery.[2] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Chimera has used PsExec to deploy beacons on compromised systems.[2] |
enterprise | T1124 | System Time Discovery | Chimera has used time /t and net time \ip/hostname for system time discovery.[2] |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.002 | Pass the Hash | Chimera has dumped password hashes for use in pass-the-hash authentication attacks.[2] |
enterprise | T1078 | Valid Accounts | Chimera has used a valid account to maintain persistence via a scheduled task.[1] |
enterprise | T1078.002 | Domain Accounts | Chimera has used compromised domain accounts to gain access to the target environment.[2] |
enterprise | T1047 | Windows Management Instrumentation | Chimera has used WMIC to execute remote commands.[1][2] |
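Most of the tradecraft in the table is built-in Windows commands, so the cheapest detection is command-line matching on process-creation telemetry, with a burst rule for the discovery phase. The block below is an added example written for this page, not code from MITRE ATT&CK, CyCraft, or the NCC Group report. It runs four checks over constructed events in the shape of Sysmon Event ID 1 (the field names, host names, timestamps and sample command lines are assumptions): discovery commands from the table grouped per host in a five-minute window; NTDS access (ntds.dit, ntdsutil, or NtdsAudit's --users-csv flag); a scheduled task created to run as SYSTEM whose action lives under a temp path (the schtasks line from T1053.005); and an on-disk image name that differs from the PE's OriginalFileName (the renamed NtdsAudit and WinRAR from T1036.005).

```python
"""Command-line detections for the Chimera tradecraft tabulated above.

Added example for this page, not code from MITRE ATT&CK or the cited reports.
Events are constructed in the shape of Sysmon Event ID 1 (field names are
assumptions); "orig" stands in for Sysmon's OriginalFileName field.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"time": "2021-01-12T09:00:01", "host": "WS01", "image": r"C:\Windows\System32\net.exe",
     "orig": "net.exe", "cmd": "net user /dom"},
    {"time": "2021-01-12T09:00:03", "host": "WS01", "image": r"C:\Windows\System32\net1.exe",
     "orig": "net1.exe", "cmd": "net1 localgroup administrators"},
    {"time": "2021-01-12T09:00:05", "host": "WS01", "image": r"C:\Windows\System32\nltest.exe",
     "orig": "nltest.exe", "cmd": "nltest /domain_trusts"},
    {"time": "2021-01-12T09:00:06", "host": "WS01", "image": r"C:\Windows\System32\quser.exe",
     "orig": "quser.exe", "cmd": "quser"},
    {"time": "2021-01-12T09:01:10", "host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "orig": "schtasks.exe",
     "cmd": r'schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 09:05'},
    {"time": "2021-01-12T10:15:00", "host": "DC01", "image": r"C:\Windows\Temp\msadcs1.exe",
     "orig": "NtdsAudit.exe",
     "cmd": r'msadcs1.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv'},
    {"time": "2021-01-12T10:16:00", "host": "DC01", "image": r"C:\Windows\Temp\jucheck.exe",
     "orig": "WinRAR.exe", "cmd": r"jucheck.exe a -hp RecordedTV.ms C:\Windows\Temp\stage"},
    {"time": "2021-01-12T11:00:00", "host": "WS02", "image": r"C:\Windows\System32\ipconfig.exe",
     "orig": "ipconfig.exe", "cmd": "ipconfig /all"},
]

# Discovery commands named in the table, keyed by ATT&CK technique ID.
DISCOVERY_RULES = [
    ("T1087.002", re.compile(r"\bnet1?\s+user\b.*\s/dom", re.I)),
    ("T1087.001", re.compile(r"\bnet1?\s+user\b(?!.*\s/dom)", re.I)),
    ("T1069.001", re.compile(r"\bnet1?\s+localgroup\s+administrators\b", re.I)),
    ("T1482", re.compile(r"\bnltest\b.*\s/domain_trusts\b", re.I)),
    ("T1135", re.compile(r"\bnet1?\s+(share|view)\b", re.I)),
    ("T1057", re.compile(r"\btasklist\b", re.I)),
    ("T1033", re.compile(r"\bquser\b", re.I)),
    ("T1082", re.compile(r"\bsysteminfo\b|\bfsutil\s+fsinfo\s+drives\b|\bvssadmin\s+list\s+shadows\b", re.I)),
    ("T1049", re.compile(r"\bnetstat\s+-ano\b", re.I)),
    ("T1016", re.compile(r"\b(ipconfig|tracert)\b", re.I)),
    ("T1124", re.compile(r"\btime\s+/t\b|\bnet1?\s+time\b", re.I)),
]
NTDS_RE = re.compile(r"ntds\.dit|\bntdsutil\b|--users-csv", re.I)
SCHTASKS_CREATE_RE = re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?(nt\s+authority\\)?system\b', re.I)
TEMP_PATH_RE = re.compile(r'\\(windows\\temp|temp|users\\[^\\"]+\\appdata)\\', re.I)


def discovery_techniques(cmd):
    """Technique IDs whose discovery pattern matches the command line."""
    return [tid for tid, rx in DISCOVERY_RULES if rx.search(cmd)]


def masquerade_mismatch(event):
    """True when the on-disk file name differs from the PE's OriginalFileName.
    A production rule needs an allowlist: some legitimate binaries carry a
    different OriginalFileName, and a missing field must not count as a hit."""
    disk = event["image"].rsplit("\\", 1)[-1].lower()
    orig = (event.get("orig") or "").lower()
    return bool(orig) and orig != disk


def evaluate(events, window=timedelta(minutes=5), min_distinct=3):
    """Return (host, technique, detail) alerts for a list of events."""
    alerts = []
    discovery_by_host = defaultdict(list)
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        cmd = ev["cmd"]
        for tid in discovery_techniques(cmd):
            discovery_by_host[ev["host"]].append((t, tid))
        if NTDS_RE.search(cmd):
            alerts.append((ev["host"], "T1003.003", "NTDS.dit / ntdsutil / NtdsAudit on command line"))
        if SCHTASKS_CREATE_RE.search(cmd) and RUN_AS_SYSTEM_RE.search(cmd) and TEMP_PATH_RE.search(cmd):
            alerts.append((ev["host"], "T1053.005", "task created as SYSTEM with action under a temp path"))
        if masquerade_mismatch(ev):
            disk = ev["image"].rsplit("\\", 1)[-1]
            alerts.append((ev["host"], "T1036.005", f"{disk} has OriginalFileName {ev['orig']}"))
    # Discovery burst: several distinct discovery techniques on one host inside the window.
    for host, seen in discovery_by_host.items():
        seen.sort()
        for start, _ in seen:
            distinct = {tid for t, tid in seen if start <= t <= start + window}
            if len(distinct) >= min_distinct:
                alerts.append((host, "discovery-burst",
                               f"{len(distinct)} discovery techniques within {window}: {sorted(distinct)}"))
                break
    return alerts


if __name__ == "__main__":
    for host, tid, detail in evaluate(SAMPLE_EVENTS):
        print(f"{host:5} {tid:16} {detail}")
```

Against the constructed events this yields five alerts: the SYSTEM task on WS01, the NtdsAudit command line on DC01, two OriginalFileName mismatches on DC01 (msadcs1.exe is NtdsAudit, jucheck.exe is WinRAR), and a discovery burst on WS01; the lone ipconfig on WS02 stays quiet. Single discovery commands are too common to alert on, which is why the burst rule counts distinct techniques per host rather than raw hits; the OriginalFileName check is the one that catches renamed tools regardless of what they are called on disk.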
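The DNS-encapsulated Cobalt Strike C2 noted under T1071.004 and T1572 shows up in resolver logs as many unique, long, high-entropy subdomains under one registrable domain from one client. The block below is an added example written for this page, not code from MITRE ATT&CK, CyCraft, or the NCC Group report: it scores each (client, domain) pair on unique-subdomain count and on the entropy and length of the leading label. The log format ("client qtype qname"), the domain names, the naive two-label registrable-domain split and the thresholds are all assumptions.

```python
"""Resolver-log heuristic for DNS-encapsulated C2 (T1071.004 / T1572).

Added example for this page, not code from MITRE ATT&CK or the cited reports.
Log format ("client qtype qname"), domains and thresholds are assumptions.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log (not real traffic). The example.net names imitate the
# encoded-data-in-subdomain pattern of a DNS beacon; example.com is ordinary lookups.
SAMPLE_DNS_LOG = """\
10.0.0.5 A   www.example.com
10.0.0.5 A   cdn.example.com
10.0.0.7 TXT 3b9f1c7e2a4d.post.update-cdn.example.net
10.0.0.7 TXT 9a2e6f4c1d8b.post.update-cdn.example.net
10.0.0.7 A   1f7e3c9b2a5d.post.update-cdn.example.net
10.0.0.7 TXT c4d8e2f6a1b3.post.update-cdn.example.net
10.0.0.7 A   7e1a9c3f5b2d.post.update-cdn.example.net
10.0.0.7 TXT 2d6b8f4e0a9c.post.update-cdn.example.net
10.0.0.5 A   mail.example.com
"""


def shannon_entropy(s):
    """Bits per character of s (0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Naive (registrable domain, subdomain labels) split on the last two labels.
    A real deployment should use the public suffix list (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def flag_tunnelling(log_text, min_unique=5, min_entropy=3.0, min_len=10):
    """Score (client, domain) pairs; return those that look like a DNS data channel."""
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "ent": [], "len": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, _qtype, qname = line.split()
        domain, sub = split_qname(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        if sub:  # apex queries carry no encoded payload
            s["subs"].add(".".join(sub))
            s["ent"].append(shannon_entropy(sub[0]))  # leading label carries the data
            s["len"].append(len(sub[0]))
    flagged = []
    for (client, domain), s in stats.items():
        if len(s["subs"]) < min_unique:
            continue
        mean_ent = sum(s["ent"]) / len(s["ent"])
        mean_len = sum(s["len"]) / len(s["len"])
        if mean_ent >= min_entropy and mean_len >= min_len:
            flagged.append({"client": client, "domain": domain, "queries": s["queries"],
                            "unique_subdomains": len(s["subs"]),
                            "mean_entropy": round(mean_ent, 2), "mean_label_len": round(mean_len, 1)})
    return flagged


if __name__ == "__main__":
    for hit in flag_tunnelling(SAMPLE_DNS_LOG):
        print(hit)
```

On the constructed log only 10.0.0.7 against example.net is flagged (six unique subdomains, twelve-character labels with about 3.6 bits per character). Two caveats apply before this goes near production: CDNs, anti-spam and antivirus lookups generate hashed-looking labels and need an allowlist, and a DNS beacon configured for slow A-record check-ins produces far fewer unique labels than this sample, so the counters should run over hours rather than a single log excerpt.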
Software
References
1. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton Key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
2. Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.