APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [1] [2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [1] [3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [4]

MITRE has also developed an APT3 Adversary Emulation Plan.[5]

ID: G0022
Associated Groups: Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Version: 1.3
Created: 31 May 2017
Last Modified: 09 February 2021

Associated Group Descriptions

Name Description
Gothic Panda

[6] [2] [4]

Pirpi

[6]

UPS Team

[1] [2] [4]

Buckeye

[4]

Threat Group-0110

[2] [4]

TG-0110

[2] [4]

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[4]

Enterprise T1098 Account Manipulation

APT3 has been known to add created accounts to local admin groups to maintain elevated access.[7]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT3 has used tools to compress data before exfilling it.[7]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT3 places scripts in the startup folder for persistence.[3]

Enterprise T1110 .002 Brute Force: Password Cracking

APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[5]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

An APT3 downloader uses the Windows command "cmd.exe" /C whoami. The group also uses a tool to execute commands on remote computers.[3][4]

.001 Command and Scripting Interpreter: PowerShell

APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3]

Enterprise T1136 .001 Create Account: Local Account

APT3 has been known to create or enable accounts, such as support_388945a0.[7]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT3 has a tool that creates a new service for persistence.[3]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT3 has used tools to dump passwords from browsers.[4]

Enterprise T1005 Data from Local System

APT3 will identify Microsoft Office documents on the victim's computer.[7]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT3 has been known to stage files for exfiltration in a single location.[7]

Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.[7]

Enterprise T1041 Exfiltration Over C2 Channel

APT3 has a tool that exfiltrates data over the C2 channel.[8]

Enterprise T1083 File and Directory Discovery

APT3 has a tool that looks for files and directories on the local file system.[8][9]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.[3]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.[8][10]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

APT3 has a tool that can delete files.[8]

Enterprise T1105 Ingress Tool Transfer

APT3 has a tool that can copy files to remote machines.[8]

Enterprise T1056 .001 Input Capture: Keylogging

APT3 has used a keylogging tool that records keystrokes in encrypted files.[4]

Enterprise T1104 Multi-Stage Channels

An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[3]

Enterprise T1095 Non-Application Layer Protocol

An APT3 downloader establishes SOCKS5 connections for its initial C2.[3]

Enterprise T1027 Obfuscated Files or Information

APT3 obfuscates files or information to help evade defensive measures.[4]

.002 Software Packing

APT3 has been known to pack their tools.[5]

.005 Indicator Removal from Tools

APT3 has been known to remove indicators of compromise from tools.[5]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig."[4]

Enterprise T1069 Permission Groups Discovery

APT3 has a tool that can enumerate the permissions associated with Windows groups.[4]

Enterprise T1057 Process Discovery

APT3 has a tool that can list out currently running processes.[8][9]

Enterprise T1090 .002 Proxy: External Proxy

An APT3 downloader establishes SOCKS5 connections for its initial C2.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT3 enables the Remote Desktop Protocol for persistence.[7] APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.[11]

.002 Remote Services: SMB/Windows Admin Shares

APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[4]

Enterprise T1018 Remote System Discovery

APT3 has a tool that can detect the existence of remote systems.[4][8]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".[3]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

APT3 has a tool that can run DLLs.[8]

Enterprise T1082 System Information Discovery

APT3 has a tool that can obtain information about the local system.[4][9]

Enterprise T1016 System Network Configuration Discovery

A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[4][9]

Enterprise T1049 System Network Connections Discovery

APT3 has a tool that can enumerate current network connections.[4][8][9]

Enterprise T1033 System Owner/User Discovery

An APT3 downloader uses the Windows command "cmd.exe" /C whoami to verify that it is running with the elevated privileges of "System."[3]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[4]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT3 leverages valid accounts after gaining credentials for use within the victim domain.[4]

Software

ID Name References Techniques
S0349 LaZagne [4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Keychain, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files
S0165 OSInfo [4] Account Discovery: Domain Account, Account Discovery: Local Account, Network Share Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Query Registry, Remote System Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery
S0013 PlugX [10] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0166 RemoteCMD [4] Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task, System Services: Service Execution
S0111 schtasks [3] Scheduled Task/Job: Scheduled Task
S0063 SHOTPUT [1] Account Discovery: Local Account, File and Directory Discovery, Obfuscated Files or Information, Process Discovery, Remote System Discovery, System Network Connections Discovery

References