APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.
| Associated Group Name |
| --- |
| APT3 |
| Gothic Panda |
| UPS Team |
| Threat Group-0110 |
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1015 | Accessibility Features | APT3 replaces the Sticky Keys binary |
| Enterprise | T1087 | Account Discovery | APT3 has used a tool that can obtain info about local and global group users, power users, and administrators. |
| Enterprise | T1098 | Account Manipulation | APT3 has been known to add created accounts to local admin groups to maintain elevated access. |
| Enterprise | T1110 | Brute Force | APT3 has been known to brute force password hashes to be able to leverage plain text credentials. |
| Enterprise | T1059 | Command-Line Interface | An APT3 downloader uses the Windows command |
| Enterprise | T1043 | Commonly Used Port | APT3 uses commonly used ports (like HTTPS/443) for command and control. |
| Enterprise | T1090 | Connection Proxy | An APT3 downloader establishes SOCKS5 connections for its initial C2. |
| Enterprise | T1136 | Create Account | APT3 has been known to create or enable accounts, such as |
| Enterprise | T1003 | Credential Dumping | APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig." The group has also used a tool to dump passwords from browsers. |
| Enterprise | T1081 | Credentials in Files | APT3 has a tool that can locate credentials in files on the file system, such as those from Firefox or Chrome. |
| Enterprise | T1002 | Data Compressed | APT3 has used tools to compress data before exfiltrating it. |
| Enterprise | T1005 | Data from Local System | APT3 will identify Microsoft Office documents on the victim's computer. |
| Enterprise | T1074 | Data Staged | APT3 has been known to stage files for exfiltration in a single location. |
| Enterprise | T1073 | DLL Side-Loading | APT3 has been known to side-load DLLs with a valid version of Chrome with one of their tools. |
| Enterprise | T1041 | Exfiltration Over Command and Control Channel | APT3 has a tool that exfiltrates data over the C2 channel. |
| Enterprise | T1083 | File and Directory Discovery | APT3 has a tool that looks for files and directories on the local file system. |
| Enterprise | T1107 | File Deletion | APT3 has a tool that can delete files. |
| Enterprise | T1061 | Graphical User Interface | APT3 has interacted with compromised systems to browse and copy files through its graphical user interface in Remote Desktop Protocol sessions. |
| Enterprise | T1066 | Indicator Removal from Tools | APT3 has been known to remove indicators of compromise from tools. |
| Enterprise | T1056 | Input Capture | APT3 has used a keylogging tool that records keystrokes in encrypted files. |
| Enterprise | T1104 | Multi-Stage Channels | An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. |
| Enterprise | T1050 | New Service | APT3 has a tool that creates a new service for persistence. |
| Enterprise | T1027 | Obfuscated Files or Information | APT3 obfuscates files or information to help evade defensive measures. |
| Enterprise | T1069 | Permission Groups Discovery | APT3 has a tool that can enumerate the permissions associated with Windows groups. |
| Enterprise | T1086 | PowerShell | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. |
| Enterprise | T1057 | Process Discovery | APT3 has a tool that can list out currently running processes. |
| Enterprise | T1108 | Redundant Access | APT3 has been known to use multiple backdoors per campaign. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | APT3 places scripts in the startup folder for persistence. |
| Enterprise | T1076 | Remote Desktop Protocol | APT3 enables the Remote Desktop Protocol for persistence. |
| Enterprise | T1105 | Remote File Copy | APT3 has a tool that can copy files to remote machines. |
| Enterprise | T1018 | Remote System Discovery | APT3 has a tool that can detect the existence of remote systems. |
| Enterprise | T1085 | Rundll32 | APT3 has a tool that can run DLLs. |
| Enterprise | T1053 | Scheduled Task | An APT3 downloader creates persistence by creating the following scheduled task: |
| Enterprise | T1064 | Scripting | APT3 has used PowerShell on victim systems to download and run payloads after exploitation. |
| Enterprise | T1045 | Software Packing | APT3 has been known to pack their tools. |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | An APT3 downloader establishes SOCKS5 connections for its initial C2. |
| Enterprise | T1082 | System Information Discovery | APT3 has a tool that can obtain information about the local system. |
| Enterprise | T1016 | System Network Configuration Discovery | A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway. |
| Enterprise | T1049 | System Network Connections Discovery | APT3 has a tool that can enumerate current network connections. |
| Enterprise | T1033 | System Owner/User Discovery | An APT3 downloader uses the Windows command |
| Enterprise | T1065 | Uncommonly Used Port | An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81. |
| Enterprise | T1078 | Valid Accounts | APT3 leverages valid accounts after gaining credentials for use within the victim domain. |
| Enterprise | T1077 | Windows Admin Shares | APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement. |