APT17 is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. ^[1]

ID: G0025

Associated Groups: Deputy Dog

Version: 1.0

Created: 31 May 2017

Last Modified: 22 March 2019

Version Permalink

Live Version

Associated Group Descriptions

Name	Description
Deputy Dog	^[1]

Techniques Used

Domain	ID	Name	Use
PRE-ATT&CK	T1341	Build social network persona	APT17 posted in forum threads and created profile pages in Microsoft TechNet.^[1]
PRE-ATT&CK	T1342	Develop social network persona digital footprint	APT17 created biographical sections on TechNet profile pages to appear more legitimate.^[1]
PRE-ATT&CK	T1331	Obfuscate infrastructure	APT17 obfuscated infrastructure using a multi-layered malware beaconing approach. ^[1]

Software

ID	Name	References	Techniques
S0069	BLACKCOFFEE	^[1]	Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Multi-Stage Channels, Process Discovery, Web Service: Dead Drop Resolver, Web Service: Bidirectional Communication

References

FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.