menuPass

menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. [1] [2] [3] [4] [5] [6]

ID: G0045
Contributors: Edward Millington; Michael Cox

Version: 1.1

Associated Group Descriptions

Name | Description
Stone Panda | [1] [9]
APT10 | [1] [9]
Red Apollo | [4]
CVNX | [4]
HOGFISH | [9]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[7]
Enterprise | T1059 | Command-Line Interface | menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands.[4][7][8]
Enterprise | T1090 | Connection Proxy | menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.[5]
Enterprise | T1003 | Credential Dumping | menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[7][8]
Enterprise | T1002 | Data Compressed | menuPass has compressed files before exfiltration using TAR and RAR.[4][7]
Enterprise | T1022 | Data Encrypted | menuPass has encrypted files and information before exfiltration.[6]
Enterprise | T1005 | Data from Local System | menuPass has collected various files from the compromised computers.[6]
Enterprise | T1039 | Data from Network Shared Drive | menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.[4]
Enterprise | T1074 | Data Staged | menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used certutil -decode to decode files on the victim's machine when dropping UPPERCUT.[9][10]
Enterprise | T1038 | DLL Search Order Hijacking | menuPass has used DLL search order hijacking.[4]
Enterprise | T1073 | DLL Side-Loading | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[7][10]
Enterprise | T1107 | File Deletion | A menuPass macro deletes files after it has decoded and decompressed them.[9][6]
Enterprise | T1056 | Input Capture | menuPass has used key loggers to steal usernames and passwords.[6]
Enterprise | T1036 | Masquerading | menuPass has been seen changing malicious files to appear legitimate. They have also renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.[6][10]
Enterprise | T1046 | Network Service Scanning | menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.[7]
Enterprise | T1027 | Obfuscated Files or Information | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[9][10]
Enterprise | T1086 | PowerShell | menuPass uses PowerSploit to inject shellcode into PowerShell.[7]
Enterprise | T1093 | Process Hollowing | menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.[9]
Enterprise | T1076 | Remote Desktop Protocol | menuPass has used RDP connections to move across the victim network.[4][6]
Enterprise | T1105 | Remote File Copy | menuPass has installed updates and new malware on victims.[4][6]
Enterprise | T1021 | Remote Services | menuPass has used PuTTY Secure Copy Client (PSCP) to transfer data.[4]
Enterprise | T1018 | Remote System Discovery | menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.[7][5]
Enterprise | T1053 | Scheduled Task | menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.[7]
Enterprise | T1064 | Scripting | menuPass has used malicious macros embedded inside Office documents to execute files.[9][10]
Enterprise | T1193 | Spearphishing Attachment | menuPass has sent malicious Office documents via email as part of spearphishing campaigns, as well as executables disguised as documents.[7][5][10][6]
Enterprise | T1016 | System Network Configuration Discovery | menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[7]
Enterprise | T1049 | System Network Connections Discovery | menuPass has used net use to conduct connectivity checks to machines.[4]
Enterprise | T1199 | Trusted Relationship | menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.[7][5]
Enterprise | T1204 | User Execution | menuPass has attempted to get victims to open malicious files sent via email as part of spearphishing campaigns.[7][5][9][6]
Enterprise | T1078 | Valid Accounts | menuPass has used valid accounts shared between Managed Service Providers and clients to move between the two environments.[4]
Enterprise | T1047 | Windows Management Instrumentation | menuPass uses a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[7][8]
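The T1140 and T1036 rows above describe certutil being used to decode dropped content, sometimes from a renamed copy moved out of its normal location. The following is an added example, not code from the ATT&CK page or from any vendor report: a small detector that runs over process-creation records and flags certutil decoding regardless of the on-disk file name, by keying on the binary's own version-resource name rather than the path. The record layout mimics a subset of Sysmon Event ID 1 fields, and the field names, sample events and label names are assumptions made for this example.

```python
"""Flag certutil-based decoding on a host, including copies of certutil
that were renamed or moved out of System32 (T1140 / T1036 on this page).

Added example, not part of the ATT&CK page. Input records are constructed
to resemble a subset of Sysmon Event ID 1 (process creation) fields; the
field names and sample values are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    image: str               # full path of the started executable
    original_file_name: str  # name embedded in the PE version resource
    command_line: str
    parent_image: str


# certutil switches that turn encoded text back into a binary
DECODE_SWITCHES = re.compile(r"(?i)(?:^|\s)-(?:decode|decodehex)\b")

# directories where the genuine certutil binary normally lives
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Office hosts whose child certutil suggests a macro-driven dropper
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the detection labels that apply to one process event.

    Only events whose binary identifies itself as certutil are considered;
    the on-disk name is deliberately not trusted for that decision, which
    is what lets a renamed copy be caught.
    """
    if ev.original_file_name.lower() != "certutil.exe":
        return []
    findings: List[str] = []
    if DECODE_SWITCHES.search(ev.command_line):
        findings.append("certutil_decode")
    if basename(ev.image) != "certutil.exe":
        findings.append("renamed_certutil")
    if not ev.image.lower().startswith(EXPECTED_DIRS):
        findings.append("relocated_certutil")
    if basename(ev.parent_image) in OFFICE_HOSTS:
        findings.append("office_parent")
    return findings


def scan(events: List[ProcessEvent]) -> List[Tuple[int, List[str]]]:
    """Return (index, labels) for every event that produced at least one label."""
    return [(i, f) for i, ev in enumerate(events) if (f := classify(ev))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: genuine certutil verifying a certificate from a shell
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 "certutil.exe -verify server.cer",
                 r"C:\Windows\System32\cmd.exe"),
    # decode launched by a Word macro, as in the dropper-document case
    ProcessEvent(r"C:\Windows\System32\certutil.exe", "CertUtil.exe",
                 'certutil -decode "C:\\Users\\u\\AppData\\Local\\Temp\\p.txt" p.exe',
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    # renamed and relocated copy of certutil still decoding a file
    ProcessEvent(r"C:\Users\Public\ct.exe", "CertUtil.exe",
                 "ct.exe -decode payload.txt svc.exe",
                 r"C:\Windows\System32\cmd.exe"),
    # unrelated process, ignored entirely
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
                 "cmd.exe /c dir", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].image, labels)
```

The version-resource name is a stronger anchor than the path, but it is still attacker-controlled metadata in a copied binary, so in production this check is best paired with a file hash match against the known certutil build and with the parent-process context shown in the sample events.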
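The T1027 row above notes that menuPass malware strings were obfuscated with base64 and with a single-byte XOR using key 0x40. The following is an added analyst helper, not code from the ATT&CK page or from any malware sample: it tries each combination of those two layers on an extracted blob and keeps only the results that look like readable text. The sample string, the printability threshold and the layer orders tried are assumptions made for this example.

```python
"""Recover readable strings from base64 and single-byte XOR (key 0x40)
obfuscation, the scheme described for menuPass under T1027 on this page.

Added example, not code from the ATT&CK page or from any menuPass sample;
the sample string and the layer orders tried are constructed for this
example.
"""
import base64
import binascii
import string
from typing import Dict, Optional

XOR_KEY = 0x40                      # key reported on the page
PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Apply a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def looks_printable(data: bytes, ratio: float = 0.9) -> bool:
    """Heuristic: a decoded layer is readable if most bytes are printable ASCII."""
    return bool(data) and sum(b in PRINTABLE for b in data) / len(data) >= ratio


def try_base64(data: bytes) -> Optional[bytes]:
    """Strict base64 decode; None when the input is not valid base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def decode_candidates(blob: bytes) -> Dict[str, bytes]:
    """Try each combination of the two layers and keep the readable results.

    Keys name the operations applied in order: 'base64+xor' means the blob
    was base64-decoded and the result then XORed with the key.
    """
    found: Dict[str, bytes] = {}
    plain = xor_bytes(blob)
    if looks_printable(plain):
        found["xor"] = plain
        inner = try_base64(plain.strip())
        if inner is not None and looks_printable(inner):
            found["xor+base64"] = inner
    decoded = try_base64(blob.strip())
    if decoded is not None:
        if looks_printable(decoded):
            found["base64"] = decoded
        inner = xor_bytes(decoded)
        if looks_printable(inner):
            found["base64+xor"] = inner
    return found


def obfuscate(text: bytes) -> bytes:
    """Build a constructed sample: XOR with the key, then base64-encode."""
    return base64.b64encode(xor_bytes(text))


# Constructed sample, not an indicator from any real campaign.
SAMPLE_PLAINTEXT = b"http://update.example.invalid/check.php"
SAMPLE_BLOB = obfuscate(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for layers, value in decode_candidates(SAMPLE_BLOB).items():
        print(f"{layers:12s} {value!r}")
```

Because XOR with 0x40 maps lowercase ASCII onto other printable characters, an intermediate layer can also pass the readability check; the helper therefore returns every readable candidate keyed by the layers applied, and the analyst picks the one that makes sense rather than trusting a single answer.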

Software

ID | Name | References | Techniques
S0160 | certutil | [9][10] | Deobfuscate/Decode Files or Information, Install Root Certificate, Remote File Copy
S0144 | ChChes | [7] | Code Signing, Credential Dumping, Custom Cryptographic Protocol, Disabling Security Tools, File and Directory Discovery, Masquerading, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery
S0106 | cmd | [7] | Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0152 | EvilGrab | [7] | Audio Capture, Commonly Used Port, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, Video Capture
S0357 | Impacket | [7] | Credential Dumping, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Network Sniffing, Service Execution, Windows Management Instrumentation
S0002 | Mimikatz | [7] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 | Net | [7] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0097 | Ping | [7][5] | Remote System Discovery
S0013 | PlugX | [7][5][6] | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Modify Existing Service, Modify Registry, Multiband Communication, Network Share Discovery, New Service, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Network Connections Discovery, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service
S0012 | PoisonIvy | [7][6] | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0194 | PowerSploit | [7] | Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Domain Trust Discovery, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0029 | PsExec | [7][5] | Service Execution, Windows Admin Shares
S0006 | pwdump | [7] | Credential Dumping
S0262 | QuasarRAT | [6] | Code Signing, Command-Line Interface, Connection Proxy, Credential Dumping, Credentials in Files, Input Capture, Masquerading, Modify Registry, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Standard Cryptographic Protocol, System Information Discovery, Video Capture
S0153 | RedLeaves | [7][6] | Command-Line Interface, Commonly Used Port, Credential Dumping, Custom Command and Control Protocol, DLL Search Order Hijacking, File and Directory Discovery, File Deletion, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Shortcut Modification, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Uncommonly Used Port
S0159 | SNUGRIDE | [5] | Command-Line Interface, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0275 | UPPERCUT | [10] | Command-Line Interface, File and Directory Discovery, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References