APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [1]

ID: G0026
Version: 2.0

Associated Group Descriptions

Name | Description
--- | ---
TG-0416 | [5]
Dynamite Panda | [5]
Threat Group-0416 | [5]

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1059 | Command-Line Interface | APT18 uses cmd.exe to execute commands on the victim's machine. [2][3]
Enterprise | T1043 | Commonly Used Port | APT18 uses port 80 for C2 communications. [2][3]
Enterprise | T1133 | External Remote Services | APT18 actors leverage legitimate credentials to log into external remote services. [4]
Enterprise | T1083 | File and Directory Discovery | APT18 can list file information for specific directories. [2]
Enterprise | T1107 | File Deletion | APT18 actors deleted tools and batch files from victim systems. [1]
Enterprise | T1027 | Obfuscated Files or Information | APT18 obfuscates strings in the payload. [2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. [3][2]
Enterprise | T1105 | Remote File Copy | APT18 can upload a file to the victim's machine. [2]
Enterprise | T1053 | Scheduled Task | APT18 actors used the native Windows at task scheduler tool to create scheduled tasks for execution on a victim network. [1]
Enterprise | T1071 | Standard Application Layer Protocol | APT18 uses HTTP and DNS for C2 communications. [2]
Enterprise | T1082 | System Information Discovery | APT18 can collect system information from the victim's machine. [2]
Enterprise | T1078 | Valid Accounts | APT18 actors leverage legitimate credentials to log into external remote services. [4]

Software

ID | Name | References | Techniques
--- | --- | --- | ---
S0106 | cmd | [1] | Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0032 | gh0st RAT | [4] | Command-Line Interface, Commonly Used Port, DLL Side-Loading, File Deletion, Indicator Removal on Host, Input Capture, New Service, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Screen Capture, Standard Cryptographic Protocol
S0071 | hcdLoader | [1][5] | Command-Line Interface, New Service
S0070 | HTTPBrowser | [4] | Command-Line Interface, Commonly Used Port, DLL Search Order Hijacking, DLL Side-Loading, File and Directory Discovery, File Deletion, Input Capture, Masquerading, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0124 | Pisloader | [6] | Command-Line Interface, Data Encoding, File and Directory Discovery, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery

References