Skip to content

G0116 Operation Wocao

Operation Wocao described activities carried out by a China-based cyber espionage adversary. Operation Wocao targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. Operation Wocao used similar TTPs and tools to APT20, suggesting a possible overlap.1

Item Value
ID G0116
Associated Names
Version 1.0
Created 17 November 2020
Last Modified 25 March 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Operation Wocao has used the net command to retrieve information about domain accounts.1
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Operation Wocao has archived collected files with WinRAR, prior to exfiltration.1
enterprise T1119 Automated Collection Operation Wocao has used a script to collect information about the infected system.1
enterprise T1115 Clipboard Data Operation Wocao has collected clipboard data in plaintext.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell Operation Wocao has used PowerShell on compromised systems.1
enterprise T1059.003 Windows Command Shell Operation Wocao has spawned a new cmd.exe process to execute commands.1
enterprise T1059.005 Visual Basic Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.1
enterprise T1059.006 Python Operation Wocao‘s backdoors have been written in Python and compiled with py2exe.1
enterprise T1555 Credentials from Password Stores -
enterprise T1555.005 Password Managers Operation Wocao has accessed and collected credentials from password managers.1
enterprise T1005 Data from Local System Operation Wocao has exfiltrated files and directories of interest from the targeted system.1
enterprise T1001 Data Obfuscation Operation Wocao has encrypted IP addresses used for “Agent” proxy hops with RC4.1
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Operation Wocao has staged archived files in a temporary directory prior to exfiltration.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography Operation Wocao‘s proxy implementation “Agent” can upgrade the socket in use to a TLS socket.1
enterprise T1041 Exfiltration Over C2 Channel Operation Wocao has used the Xserver backdoor to exfiltrate data.1
enterprise T1190 Exploit Public-Facing Application Operation Wocao has gained initial access via vulnerable webservers.1
enterprise T1133 External Remote Services Operation Wocao has used stolen credentials to connect to the victim’s network via VPN.1
enterprise T1083 File and Directory Discovery Operation Wocao has gathered a recursive directory listing to find files and directories of interest.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.1
enterprise T1070.004 File Deletion Operation Wocao has deleted logs and executable files used during an intrusion.1
enterprise T1105 Ingress Tool Transfer Operation Wocao can download additional files to the infected system.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Operation Wocao has obtained the password for the victim’s password manager via a custom keylogger.1
enterprise T1570 Lateral Tool Transfer Operation Wocao has used SMB to copy files to and from target systems.1
enterprise T1112 Modify Registry Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.1
enterprise T1111 Multi-Factor Authentication Interception Operation Wocao has used a custom collection method to intercept two-factor authentication soft tokens.1
enterprise T1106 Native API Operation Wocao has used the CreateProcessA and ShellExecute API function to launch commands after being injected into a selected process.1
enterprise T1046 Network Service Discovery Operation Wocao has scanned for open ports and used nbtscan to find NETBIOS nameservers.1
enterprise T1135 Network Share Discovery Operation Wocao has discovered network disks mounted to the system using netstat.1
enterprise T1095 Non-Application Layer Protocol Operation Wocao has used a custom protocol for command and control.1
enterprise T1027 Obfuscated Files or Information Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.1
enterprise T1027.005 Indicator Removal from Tools Operation Wocao has edited variable names within the Impacket suite to avoid automated detection.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Operation Wocao has used ProcDump to dump credentials from memory.1
enterprise T1003.006 DCSync Operation Wocao has used Mimikatz’s DCSync to dump credentials from the memory of the targeted system.1
enterprise T1120 Peripheral Device Discovery Operation Wocao has discovered removable disks attached to a system.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups Operation Wocao has used the command net localgroup administrators to list all administrators part of a local group.1
enterprise T1057 Process Discovery Operation Wocao has collected a list of running processes on the infected system.1
enterprise T1055 Process Injection Operation Wocao has injected code into a selected process, which in turn launches a command as a child process of the original.1
enterprise T1090 Proxy Operation Wocao has used a custom proxy tool called “Agent” which has support for multiple hops.1
enterprise T1090.001 Internal Proxy Operation Wocao can proxy traffic through multiple infected systems.1
enterprise T1090.003 Multi-hop Proxy Operation Wocao has executed commands through the installed web shell via Tor exit nodes.1
enterprise T1012 Query Registry Operation Wocao has queried the registry to detect recent PuTTY sessions.1
enterprise T1021 Remote Services -
enterprise T1021.002 SMB/Windows Admin Shares Operation Wocao has used Impacket’s smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.1
enterprise T1018 Remote System Discovery Operation Wocao can use the ping command to discover remote systems.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.1
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Operation Wocao has used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.1
enterprise T1518 Software Discovery Operation Wocao has collected a list of installed software on the infected system.1
enterprise T1518.001 Security Software Discovery Operation Wocao has used scripts to detect security software.1
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting Operation Wocao has used PowerSploit’s Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.1
enterprise T1082 System Information Discovery Operation Wocao has discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.1
enterprise T1016 System Network Configuration Discovery Operation Wocao has discovered the local network configuration with ipconfig.1
enterprise T1049 System Network Connections Discovery Operation Wocao has collected a list of open connections on the infected system using netstat and checks whether it has an internet connection.1
enterprise T1033 System Owner/User Discovery Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.1
enterprise T1007 System Service Discovery Operation Wocao has used the tasklist command to search for one of its backdoors.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Operation Wocao has created services on remote systems for execution purposes.1
enterprise T1124 System Time Discovery Operation Wocao has used the time command to retrieve the current time of a compromised system.1
enterprise T1552 Unsecured Credentials -
enterprise T1552.004 Private Keys Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.1
enterprise T1078 Valid Accounts Operation Wocao has used valid VPN credentials to gain initial access.1
enterprise T1078.002 Domain Accounts Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.1
enterprise T1078.003 Local Accounts Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.1
enterprise T1047 Windows Management Instrumentation Operation Wocao has used WMI to execute commands.1

Software

ID Name References Techniques
S0521 BloodHound 1 Domain Account:Account Discovery Local Account:Account Discovery Archive Collected Data PowerShell:Command and Scripting Interpreter Domain Trust Discovery Group Policy Discovery Native API Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Owner/User Discovery
S0105 dsquery - Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery
S0357 Impacket - LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Network Sniffing NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0104 netstat - System Network Connections Discovery
S0194 PowerSploit - Access Token Manipulation Local Account:Account Discovery Audio Capture Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Path Interception Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation

References

Back to top