APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [1] [2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [1] [3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [4]

MITRE has also developed an APT3 Adversary Emulation Plan. [5]

ID: G0022
Version: 1.1

Associated Group Descriptions

Name | Description
Gothic Panda | [11] [2] [4]
Pirpi | [11]
UPS Team | [1] [2] [4]
Buckeye | [4]
Threat Group-0110 | [2] [4]
TG-0110 | [2] [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1015 | Accessibility Features | APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence. [6]
Enterprise | T1087 | Account Discovery | APT3 has used a tool that can obtain info about local and global group users, power users, and administrators. [4]
Enterprise | T1098 | Account Manipulation | APT3 has been known to add created accounts to local admin groups to maintain elevated access. [6]
Enterprise | T1110 | Brute Force | APT3 has been known to brute force password hashes to be able to leverage plain text credentials. [5]
Enterprise | T1059 | Command-Line Interface | An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers. [3] [4]
Enterprise | T1043 | Commonly Used Port | APT3 uses commonly used ports (like HTTPS/443) for command and control. [7]
Enterprise | T1090 | Connection Proxy | An APT3 downloader establishes SOCKS5 connections for its initial C2. [3]
Enterprise | T1136 | Create Account | APT3 has been known to create or enable accounts, such as support_388945a0. [6]
Enterprise | T1003 | Credential Dumping | APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig." The group has also used tools to dump passwords from browsers. [4]
Enterprise | T1081 | Credentials in Files | APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome. [4]
Enterprise | T1002 | Data Compressed | APT3 has used tools to compress data before exfilling it. [6]
Enterprise | T1005 | Data from Local System | APT3 will identify Microsoft Office documents on the victim's computer. [6]
Enterprise | T1074 | Data Staged | APT3 has been known to stage files for exfiltration in a single location. [6]
Enterprise | T1073 | DLL Side-Loading | APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools. [8] [9]
Enterprise | T1041 | Exfiltration Over Command and Control Channel | APT3 has a tool that exfiltrates data over the C2 channel. [8]
Enterprise | T1083 | File and Directory Discovery | APT3 has a tool that looks for files and directories on the local file system. [8] [7]
Enterprise | T1107 | File Deletion | APT3 has a tool that can delete files. [8]
Enterprise | T1061 | Graphical User Interface | APT3 has interacted with compromised systems to browse and copy files through its graphical user interface in Remote Desktop Protocol sessions. [10]
Enterprise | T1066 | Indicator Removal from Tools | APT3 has been known to remove indicators of compromise from tools. [5]
Enterprise | T1056 | Input Capture | APT3 has used a keylogging tool that records keystrokes in encrypted files. [4]
Enterprise | T1104 | Multi-Stage Channels | An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. [3]
Enterprise | T1050 | New Service | APT3 has a tool that creates a new service for persistence. [3]
Enterprise | T1027 | Obfuscated Files or Information | APT3 obfuscates files or information to help evade defensive measures. [4]
Enterprise | T1069 | Permission Groups Discovery | APT3 has a tool that can enumerate the permissions associated with Windows groups. [4]
Enterprise | T1086 | PowerShell | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [3]
Enterprise | T1057 | Process Discovery | APT3 has a tool that can list out currently running processes. [8] [7]
Enterprise | T1108 | Redundant Access | APT3 has been known to use multiple backdoors per campaign. [5]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT3 places scripts in the startup folder for persistence. [3]
Enterprise | T1076 | Remote Desktop Protocol | APT3 enables the Remote Desktop Protocol for persistence. [6]
Enterprise | T1105 | Remote File Copy | APT3 has a tool that can copy files to remote machines. [8]
Enterprise | T1018 | Remote System Discovery | APT3 has a tool that can detect the existence of remote systems. [4] [8]
Enterprise | T1085 | Rundll32 | APT3 has a tool that can run DLLs. [8]
Enterprise | T1053 | Scheduled Task | An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System". [3]
Enterprise | T1064 | Scripting | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [3]
Enterprise | T1045 | Software Packing | APT3 has been known to pack their tools. [5]
Enterprise | T1095 | Standard Non-Application Layer Protocol | An APT3 downloader establishes SOCKS5 connections for its initial C2. [3]
Enterprise | T1082 | System Information Discovery | APT3 has a tool that can obtain information about the local system. [4] [7]
Enterprise | T1016 | System Network Configuration Discovery | A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway. [4] [7]
Enterprise | T1049 | System Network Connections Discovery | APT3 has a tool that can enumerate current network connections. [4] [8] [7]
Enterprise | T1033 | System Owner/User Discovery | An APT3 downloader uses the Windows command "cmd.exe" /C whoami to verify that it is running with the elevated privileges of "System". [3]
Enterprise | T1065 | Uncommonly Used Port | An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81. [3]
Enterprise | T1078 | Valid Accounts | APT3 leverages valid accounts after gaining credentials for use within the victim domain. [4]
Enterprise | T1077 | Windows Admin Shares | APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement. [4]

Software

ID | Name | References | Techniques
S0349 | LaZagne | [4] | Credential Dumping, Credentials in Files
S0165 | OSInfo | [4] | Account Discovery, Network Share Discovery, Permission Groups Discovery, Query Registry, Remote System Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery
S0013 | PlugX | [9] | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Modify Existing Service, Modify Registry, Multiband Communication, Network Share Discovery, New Service, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Network Connections Discovery, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service
S0166 | RemoteCMD | [4] | Remote File Copy, Scheduled Task, Service Execution
S0111 | schtasks | [3] | Scheduled Task
S0063 | SHOTPUT | [1] | Account Discovery, File and Directory Discovery, Obfuscated Files or Information, Process Discovery, Remote System Discovery, System Network Connections Discovery

References