menuPass

menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. [1] [2] [3] [4] [5]

ID: G0045
Aliases: menuPass, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH
Contributors: Edward Millington; Michael Cox

Version: 1.0

Alias Descriptions

Name | Description
--- | ---
menuPass | [1]
Stone Panda | [1] [8]
APT10 | [1] [8]
Red Apollo | [4]
CVNX | [4]
HOGFISH | [8]

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1087 | Account Discovery | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[6]
Enterprise | T1059 | Command-Line Interface | menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[4][6][7]
Enterprise | T1090 | Connection Proxy | menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.[5]
Enterprise | T1003 | Credential Dumping | menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[6][7]
Enterprise | T1002 | Data Compressed | menuPass has compressed files before exfiltration using TAR and RAR.[4][6]
Enterprise | T1039 | Data from Network Shared Drive | menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.[4]
Enterprise | T1074 | Data Staged | menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[4]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used certutil -decode to decode files on the victim's machine when dropping UPPERCUT.[8][9]
Enterprise | T1038 | DLL Search Order Hijacking | menuPass has used DLL search order hijacking.[4]
Enterprise | T1073 | DLL Side-Loading | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[6][9]
Enterprise | T1107 | File Deletion | A menuPass macro deletes files after it has decoded and decompressed them.[8]
Enterprise | T1046 | Network Service Scanning | menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.[6]
Enterprise | T1027 | Obfuscated Files or Information | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[8][9]
Enterprise | T1086 | PowerShell | menuPass uses PowerSploit to inject shellcode into PowerShell.[6]
Enterprise | T1093 | Process Hollowing | menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.[8]
Enterprise | T1076 | Remote Desktop Protocol | menuPass has used RDP connections to move across the victim network.[4]
Enterprise | T1105 | Remote File Copy | menuPass has installed updates and new malware on victims.[4]
Enterprise | T1021 | Remote Services | menuPass has used Putty Secure Copy Client (PSCP) to transfer data.[4]
Enterprise | T1018 | Remote System Discovery | menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.[6][5]
Enterprise | T1053 | Scheduled Task | menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.[6]
Enterprise | T1064 | Scripting | menuPass has used malicious macros embedded inside Office documents to execute files.[8][9]
Enterprise | T1193 | Spearphishing Attachment | menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.[6][5][9]
Enterprise | T1016 | System Network Configuration Discovery | menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[6]
Enterprise | T1049 | System Network Connections Discovery | menuPass has used net use to conduct connectivity checks to machines.[4]
Enterprise | T1199 | Trusted Relationship | menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.[6][5]
Enterprise | T1204 | User Execution | menuPass has attempted to get victims to open malicious files sent via email as part of spearphishing campaigns.[6][5][8]
Enterprise | T1078 | Valid Accounts | menuPass has used valid accounts shared between Managed Service Providers and clients to move between the two environments.[4]
Enterprise | T1047 | Windows Management Instrumentation | menuPass uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[6][7]
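Several rows in the table above describe built-in or commodity tools (csvde.exe, certutil -decode, net view /domain, net use, tcping.exe, wmiexec.vbs, atexec.py, PSCP, Robocopy) rather than custom malware, which makes process-creation logs the natural detection source. The following is an added example, not code from the page or from MITRE: it maps those command lines to the technique IDs in the table and then flags hosts where several distinct techniques co-occur, since any single rule (net use in particular) is too noisy on its own. The log format and sample events are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Command-line patterns for the tools named in the Techniques Used table,
# keyed by ATT&CK technique ID. The regexes are this example's own choices.
MENUPASS_CMDLINE_RULES: Dict[str, re.Pattern] = {
    "T1087": re.compile(r"\bcsvde(\.exe)?\b", re.I),                 # AD export
    "T1140": re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I),  # decode dropped payload
    "T1018": re.compile(r"\bnet(\.exe)?\s+view\s+/domain\b", re.I),   # remote system discovery
    "T1049": re.compile(r"\bnet(\.exe)?\s+use\b", re.I),              # connectivity checks / shares
    "T1046": re.compile(r"\btcping(\.exe)?\b", re.I),                 # port probing
    "T1047": re.compile(r"\bwmiexec\.vbs\b", re.I),                   # modified wmiexec script
    "T1053": re.compile(r"\batexec\.py\b", re.I),                     # Task Scheduler execution
    "T1021": re.compile(r"\bpscp(\.exe)?\b", re.I),                   # PSCP transfer
    "T1039": re.compile(r"\brobocopy(\.exe)?\b", re.I),               # copy from network share
}

# Constructed sample process-creation events: "host|user|parent|command line".
SAMPLE_LOGS = [
    "WS01|corp\\jdoe|explorer.exe|\"C:\\Windows\\System32\\notepad.exe\" notes.txt",
    "WS01|corp\\jdoe|cmd.exe|net use \\\\FS01\\share",
    "WS01|corp\\jdoe|cmd.exe|certutil -decode C:\\Users\\Public\\img.txt C:\\Users\\Public\\up.exe",
    "WS01|corp\\jdoe|cmd.exe|net view /domain",
    "DC01|corp\\svc_msp|cmd.exe|csvde.exe -f C:\\Windows\\Temp\\ad.csv",
    "WS02|corp\\asmith|cmd.exe|net use H: \\\\FS01\\home",
]

def match_techniques(cmdline: str) -> List[str]:
    """Return the sorted technique IDs whose pattern matches one command line."""
    return sorted(tid for tid, pat in MENUPASS_CMDLINE_RULES.items() if pat.search(cmdline))

def scan_logs(lines: List[str]) -> List[dict]:
    """Parse each event and keep those matching at least one rule."""
    hits = []
    for line in lines:
        host, user, parent, cmd = line.split("|", 3)
        tids = match_techniques(cmd)
        if tids:
            hits.append({"host": host, "user": user, "parent": parent, "cmd": cmd, "techniques": tids})
    return hits

def flag_hosts(hits: List[dict], min_distinct: int = 3) -> Dict[str, Set[str]]:
    """Flag hosts where at least min_distinct different techniques from the table co-occur."""
    per_host: Dict[str, Set[str]] = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(h["techniques"])
    return {host: tids for host, tids in per_host.items() if len(tids) >= min_distinct}

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(h["host"], h["techniques"], h["cmd"])
    print("flagged:", flag_hosts(scan_logs(SAMPLE_LOGS)))
```

On the constructed events only WS01 is flagged (net use, certutil -decode and net view /domain together); DC01 and WS02 each trip a single rule and stay below the threshold.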

Software

ID | Name | Techniques
--- | --- | ---
S0160 | certutil | Deobfuscate/Decode Files or Information, Install Root Certificate, Remote File Copy
S0144 | ChChes | Code Signing, Credential Dumping, Custom Cryptographic Protocol, Disabling Security Tools, File and Directory Discovery, Masquerading, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery
S0106 | cmd | Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0152 | EvilGrab | Audio Capture, Commonly Used Port, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, Video Capture
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0097 | Ping | Remote System Discovery
S0013 | PlugX | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, DLL Side-Loading, Execution through API, Masquerading, Multiband Communication, New Service, Query Registry, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, Trusted Developer Utilities, Web Service
S0012 | PoisonIvy | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0194 | PowerSploit | Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0029 | PsExec | Service Execution, Windows Admin Shares
S0006 | pwdump | Credential Dumping
S0153 | RedLeaves | Command-Line Interface, Commonly Used Port, Credential Dumping, Custom Command and Control Protocol, DLL Search Order Hijacking, File and Directory Discovery, File Deletion, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Shortcut Modification, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Uncommonly Used Port
S0159 | SNUGRIDE | Command-Line Interface, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0275 | UPPERCUT | Command-Line Interface, File and Directory Discovery, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References