Skip to content

G0114 Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.12

Item Value
ID G0114
Associated Names
Version 2.2
Created 24 August 2020
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Chimera has used net user for account discovery.2
enterprise T1087.002 Domain Account Chimera has has used net user /dom and net user Administrator to enumerate domain accounts including administrator accounts.12
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Chimera has used HTTPS for C2 communications.2
enterprise T1071.004 DNS Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.2
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.12
enterprise T1119 Automated Collection Chimera has used custom DLLs for continuous retrieval of data from memory.2
enterprise T1217 Browser Information Discovery Chimera has used type \\c$\Users\\Favorites\Links\Bookmarks bar\Imported From IE*citrix* for bookmark discovery.2
enterprise T1110 Brute Force -
enterprise T1110.003 Password Spraying Chimera has used multiple password spraying attacks against victim’s remote services to obtain valid user and administrator accounts.2
enterprise T1110.004 Credential Stuffing Chimera has used credential stuffing against victim’s remote services to obtain valid accounts.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.12
enterprise T1059.003 Windows Command Shell Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.2
enterprise T1213 Data from Information Repositories -
enterprise T1213.002 Sharepoint Chimera has collected documents from the victim’s SharePoint.2
enterprise T1039 Data from Network Shared Drive Chimera has collected data of interest from network shares.2
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Chimera has staged stolen data locally on compromised hosts.2
enterprise T1074.002 Remote Data Staging Chimera has staged stolen data on designated servers in the target environment.2
enterprise T1482 Domain Trust Discovery Chimera has nltest /domain_trusts to identify domain trust relationships.2
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection Chimera has harvested data from victim’s e-mail including through execution of wmic /node: process call create “cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst” copy “i:\\\My Documents\.pst”
copy.2
enterprise T1114.002 Remote Email Collection Chimera has harvested data from remote mailboxes including through execution of \\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.2
enterprise T1041 Exfiltration Over C2 Channel Chimera has used Cobalt Strike C2 beacons for data exfiltration.2
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Chimera has exfiltrated stolen data to OneDrive accounts.2
enterprise T1133 External Remote Services Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services.12
enterprise T1083 File and Directory Discovery Chimera has utilized multiple commands to identify data of interest in file and directory listings.2
enterprise T1589 Gather Victim Identity Information -
enterprise T1589.001 Credentials Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.2
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Chimera has used side loading to place malicious DLLs in memory.2
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs Chimera has cleared event logs on compromised hosts.2
enterprise T1070.004 File Deletion Chimera has performed file deletion to evade detection.1
enterprise T1070.006 Timestomp Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.2
enterprise T1105 Ingress Tool Transfer Chimera has remotely copied tools and malware onto targeted systems.1
enterprise T1570 Lateral Tool Transfer Chimera has copied tools between compromised hosts using SMB.2
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.1
enterprise T1556 Modify Authentication Process -
enterprise T1556.001 Domain Controller Authentication Chimera‘s malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.1
enterprise T1111 Multi-Factor Authentication Interception Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.2
enterprise T1106 Native API Chimera has used direct Windows system calls by leveraging Dumpert.1
enterprise T1046 Network Service Discovery Chimera has used the get -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.2
enterprise T1135 Network Share Discovery Chimera has used net share and net view to identify network shares of interest.2
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation Chimera has encoded PowerShell commands.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.12
enterprise T1003 OS Credential Dumping -
enterprise T1003.003 NTDS Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.1 Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe “NTDS.dit” -s “SYSTEM” -p RecordedTV_pdmp.txt –users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.2
enterprise T1201 Password Policy Discovery Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.2
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Chimera has used net localgroup administrators to identify accounts with local administrative rights.2
enterprise T1057 Process Discovery Chimera has used tasklist to enumerate processes.2
enterprise T1572 Protocol Tunneling Chimera has encapsulated Cobalt Strike‘s C2 protocol in DNS and HTTPS.2
enterprise T1012 Query Registry Chimera has queried Registry keys using reg query \\HKU\\SOFTWARE\Microsoft\Terminal Server Client\Servers and reg query \\HKU\\Software\Microsoft\Windows\CurrentVersion\Internet Settings.2
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Chimera has used RDP to access targeted systems.1
enterprise T1021.002 SMB/Windows Admin Shares Chimera has used Windows admin shares to move laterally.12
enterprise T1021.006 Windows Remote Management Chimera has used WinRM for lateral movement.2
enterprise T1018 Remote System Discovery Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment.2
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Chimera has used scheduled tasks to invoke Cobalt Strike including through batch script schtasks /create /ru “SYSTEM” /tn “update” /tr “cmd /c c:\windows\temp\update.bat” /sc once /f /st and to maintain persistence.12
enterprise T1082 System Information Discovery Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows for system information including shadow volumes and drive information.2
enterprise T1016 System Network Configuration Discovery Chimera has used ipconfig, Ping, and tracert to enumerate the IP address and network environment and settings of the local host.2
enterprise T1049 System Network Connections Discovery Chimera has used netstat -ano
enterprise T1033 System Owner/User Discovery Chimera has used the quser command to show currently logged on users.2
enterprise T1007 System Service Discovery Chimera has used net start and net use for system service discovery.2
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Chimera has used PsExec to deploy beacons on compromised systems.2
enterprise T1124 System Time Discovery Chimera has used time /t and net time \ip/hostname for system time discovery.2
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Chimera has dumped password hashes for use in pass the hash authentication attacks.2
enterprise T1078 Valid Accounts Chimera has used a valid account to maintain persistence via scheduled task.1
enterprise T1078.002 Domain Accounts Chimera has used compromised domain accounts to gain access to the target environment.2
enterprise T1047 Windows Management Instrumentation Chimera has used WMIC to execute remote commands.12

Software

ID Name References Techniques
S0521 BloodHound 1 Local Account:Account Discovery Domain Account:Account Discovery Archive Collected Data PowerShell:Command and Scripting Interpreter Domain Trust Discovery Group Policy Discovery Native API Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Owner/User Discovery
S0154 Cobalt Strike 12 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0404 esentutl 2 Data from Local System NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Lateral Tool Transfer NTDS:OS Credential Dumping
S0002 Mimikatz 12 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0039 Net 2 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0029 PsExec 2 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services

References