G0128 ZIRCONIUM
ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]
| Item | Value |
|---|---|
| ID | G0128 |
| Associated Names | APT31 |
| Version | 1.1 |
| Created | 24 March 2021 |
| Last Modified | 22 March 2023 |
Associated Group Descriptions
| Name | Description |
|---|---|
| APT31 | [2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | ZIRCONIUM has purchased domains for use in targeted campaigns.[1] |
| enterprise | T1583.006 | Web Services | ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[4][3] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.[3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[3] |
| enterprise | T1059.006 | Python | ZIRCONIUM has used Python-based implants to interact with compromised hosts.[4][3] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | ZIRCONIUM has used a tool to steal credentials from installed web browsers, including Microsoft Internet Explorer and Google Chrome.[3] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | ZIRCONIUM has used the AES256 algorithm with a SHA1-derived key to decrypt exploit code.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | ZIRCONIUM has used AES-encrypted communications in C2.[3] |
| enterprise | T1041 | Exfiltration Over C2 Channel | ZIRCONIUM has exfiltrated files via the Dropbox API C2.[3] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | ZIRCONIUM has exfiltrated stolen data to Dropbox.[3] |
| enterprise | T1068 | Exploitation for Privilege Escalation | ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.[2] |
| enterprise | T1105 | Ingress Tool Transfer | ZIRCONIUM has used tools to download malicious files to compromised hosts.[3] |
| enterprise | T1036 | Masquerading | ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.[4][3] |
| enterprise | T1036.004 | Masquerade Task or Service | ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[3] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | ZIRCONIUM has used multi-stage packers for exploit code.[2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.002 | Spearphishing Link | ZIRCONIUM has used malicious links in e-mails to deliver malware.[1][4][3] |
| enterprise | T1598 | Phishing for Information | ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.[4] |
| enterprise | T1598.003 | Spearphishing Link | ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URLs.[1] |
| enterprise | T1012 | Query Registry | ZIRCONIUM has used a tool to query the Registry for proxy settings.[3] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.007 | Msiexec | ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.[3] |
| enterprise | T1082 | System Information Discovery | ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.[3] |
| enterprise | T1016 | System Network Configuration Discovery | ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[3] |
| enterprise | T1033 | System Owner/User Discovery | ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[3] |
| enterprise | T1124 | System Time Discovery | ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[4][3] |
| enterprise | T1102 | Web Service | - |
| enterprise | T1102.002 | Bidirectional Communication | ZIRCONIUM has used Dropbox for C2, allowing upload and download of files as well as execution of arbitrary commands.[4][3] |
References
1. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
2. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.
3. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
4. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.