Axiom

Axiom is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. [1] Though both this group and Winnti Group use the malware Winnti for Windows, the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. [2] [3] [4]

ID: G0001
Associated Groups: Group 72
Version: 1.2
Created: 31 May 2017
Last Modified: 30 March 2020

Associated Group Descriptions

Name Description
Group 72 [5]

Techniques Used

Domain ID Name Use
Enterprise T1001 Data Obfuscation

The Axiom group has used other forms of obfuscation, including commingling legitimate traffic with communications traffic so that network streams appear legitimate.

Enterprise T1001.002 Data Obfuscation: Steganography

Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.[1]

Enterprise T1546.008 Event Triggered Execution: Accessibility Features

Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[1]

Enterprise T1190 Exploit Public-Facing Application

Axiom has been observed using SQL injection to gain access to systems.[1][5]

Enterprise T1003 OS Credential Dumping

Axiom has been known to dump credentials.[1]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

The Axiom group is known to have used RDP during operations.[1]

Software

ID Name References Techniques

S0021 Derusbi [1]
Techniques: Audio Capture, Command and Scripting Interpreter: Unix Shell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Fallback Channels, File and Directory Discovery, Indicator Removal on Host: Timestomp, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Non-Application Layer Protocol, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Screen Capture, Signed Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture

S0009 Hikit [1]
Techniques: Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Proxy: Internal Proxy, Rootkit, Subvert Trust Controls: Install Root Certificate

S0203 Hydraq [1]
Techniques: Access Token Manipulation, Create or Modify System Process: Windows Service, Data from Local System, Encrypted Channel: Symmetric Cryptography, Exfiltration Over Alternative Protocol, File and Directory Discovery, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, Shared Modules, System Information Discovery, System Network Configuration Discovery, System Service Discovery, System Services: Service Execution

S0412 ZxShell [6]
Techniques: Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Endpoint Denial of Service, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Network Service Scanning, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, Video Capture

References