1. Home
  2. Groups
  3. Axiom

Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]

ID: G0001
Associated Groups: Group 72
Version: 2.0
Created: 31 May 2017
Last Modified: 15 April 2022
Version Permalink

Associated Group Descriptions

Name Description
Group 72

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .002 Acquire Infrastructure: DNS Server

Axiom has acquired dynamic DNS services for use in the targeting of intended victims.[5]
.003 Acquire Infrastructure: Virtual Private Server

Axiom has used VPS hosting providers in targeting of intended victims.[5]
Enterprise T1560 Archive Collected Data

Axiom has compressed and encrypted data prior to exfiltration.[5]
Enterprise T1584 .005 Compromise Infrastructure: Botnet

Axiom has used large groups of compromised machines for use as proxy nodes.[5]
Enterprise T1005 Data from Local System

Axiom has collected data from a compromised network.[5]
Enterprise T1001 .002 Data Obfuscation: Steganography

Axiom has used steganography to hide its C2 communications.[5]
Enterprise T1189 Drive-by Compromise

Axiom has used watering hole attacks to gain access.[4]
Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[5]
Enterprise T1190 Exploit Public-Facing Application

Axiom has been observed using SQL injection to gain access to systems.[5][4]
Enterprise T1203 Exploitation for Client Execution

Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893.[4]
Enterprise T1003 OS Credential Dumping

Axiom has been known to dump credentials.[5]
Enterprise T1566 Phishing

Axiom has used spear phishing to initially compromise victims.[4][5]
Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

Axiom has targeted victims with remote administration tools including RDP.[5]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Axiom has used RDP during operations.[5]
Enterprise T1553 Subvert Trust Controls

Axiom has used digital certificates to deliver malware.[5]
Enterprise T1078 Valid Accounts

Axiom has used previously compromised administrative accounts to escalate privileges.[5]

Software

ID Name References Techniques
S0021 Derusbi [5][4] Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture
S0032 gh0st RAT [4][5] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0009 Hikit [5][4] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Phishing, Proxy: Internal Proxy, Rootkit, Subvert Trust Controls: Install Root Certificate, Subvert Trust Controls: Code Signing Policy Modification
S0203 Hydraq [5][4] Access Token Manipulation, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Service Discovery, System Services: Service Execution
S0013 PlugX [4][5] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [4][5] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0672 Zox [5] Data from Local System, Data Obfuscation: Steganography, Exploitation for Privilege Escalation, File and Directory Discovery, Ingress Tool Transfer, Obfuscated Files or Information, Process Discovery, Remote Services: SMB/Windows Admin Shares, System Information Discovery
S0412 ZxShell [6][4] Access Token Manipulation: Create Process with Token, Application Layer Protocol: File Transfer Protocols, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Data from Local System, Endpoint Denial of Service, Exploit Public-Facing Application, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Modify Registry, Native API, Network Service Discovery, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: VNC, Remote Services: Remote Desktop Protocol, Screen Capture, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Services: Service Execution, Video Capture

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  2. Tarakanov, D. (2015, June 22). Games are over: Winnti is now targeting pharmaceutical companies. Retrieved January 14, 2016.
  3. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  1. Esler, J., Lee, M., and Williams, C. (2014, October 14). Threat Spotlight: Group 72. Retrieved January 14, 2016.
  2. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  3. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.