menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university.
Associated group names: Stone Panda
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data. |
| Enterprise | T1059 | Command-Line Interface | menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands. |
| Enterprise | T1090 | Connection Proxy | menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim. |
| Enterprise | T1003 | Credential Dumping | menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials. |
| Enterprise | T1002 | Data Compressed | menuPass has compressed files before exfiltration using TAR and RAR. |
| Enterprise | T1039 | Data from Network Shared Drive | menuPass has collected data from remote systems by mounting network shares with |
| Enterprise | T1074 | Data Staged | menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin. |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has used |
| Enterprise | T1038 | DLL Search Order Hijacking | menuPass has used DLL search order hijacking. |
| Enterprise | T1073 | DLL Side-Loading | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT. |
| Enterprise | T1107 | File Deletion | A menuPass macro deletes files after it has decoded and decompressed them. |
| Enterprise | T1046 | Network Service Scanning | menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest. |
| Enterprise | T1027 | Obfuscated Files or Information | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40. |
| Enterprise | T1086 | PowerShell | menuPass uses PowerSploit to inject shellcode into PowerShell. |
| Enterprise | T1093 | Process Hollowing | menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant. |
| Enterprise | T1076 | Remote Desktop Protocol | menuPass has used RDP connections to move across the victim network. |
| Enterprise | T1105 | Remote File Copy | menuPass has installed updates and new malware on victims. |
| Enterprise | T1021 | Remote Services | menuPass has used the PuTTY Secure Copy client (PSCP) to transfer data. |
| Enterprise | T1018 | Remote System Discovery | menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command |
| Enterprise | T1053 | Scheduled Task | menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler. |
| Enterprise | T1064 | Scripting | menuPass has used malicious macros embedded inside Office documents to execute files. |
| Enterprise | T1193 | Spearphishing Attachment | menuPass has sent malicious Office documents via email as part of spearphishing campaigns, as well as executables disguised as documents. |
| Enterprise | T1016 | System Network Configuration Discovery | menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions. |
| Enterprise | T1049 | System Network Connections Discovery | menuPass has used |
| Enterprise | T1199 | Trusted Relationship | menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest. |
| Enterprise | T1204 | User Execution | menuPass has attempted to get victims to open malicious files sent via email as part of spearphishing campaigns. |
| Enterprise | T1078 | Valid Accounts | menuPass has used valid accounts shared between Managed Service Providers and clients to move between the two environments. |
| Enterprise | T1047 | Windows Management Instrumentation | menuPass uses a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI. |
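The string obfuscation in the Obfuscated Files or Information row (base64, and single-byte XOR with key 0x40) is what an analyst reverses first when triaging a sample. The Python below is an added example written for this page; it is not code from menuPass, from ATT&CK or from any of the cited reports. It decodes a blob with the known key and, going beyond the page, recovers an unknown single-byte XOR key by scoring all 256 candidate plaintexts. The plaintext, the scoring weights and the token list are assumptions constructed for the example.

```python
import base64
from typing import Tuple

# Constructed plaintext for the example (not a string taken from a menuPass sample).
PLAINTEXT = b"cmd.exe /c certutil -decode payload.txt payload.exe"
PAGE_KEY = 0x40  # the single-byte key reported on the page

# Tokens that commonly appear in C2 or command strings; a hit favours a candidate
# key. Assumed list for the example, not derived from any specific malware.
LIKELY_TOKENS = (b"http", b".exe", b".dll", b"cmd", b"c:\\", b"mozilla")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR. It is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_b64_then_xor(blob: str, key: int) -> bytes:
    """Undo base64 followed by XOR (the layering order is assumed for the example)."""
    return xor_bytes(base64.b64decode(blob), key)


def plaintext_score(data: bytes) -> int:
    """Heuristic plausibility score for a candidate decoding.

    Letters weigh most: XOR with a key in the 0x40-0x7F range turns ASCII
    letters into punctuation and digits, so the letter count separates the
    right key from near misses. Control bytes are penalised and known tokens
    add a bonus.
    """
    score = 0
    for b in data:
        if 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 3
        elif 0x30 <= b <= 0x39:
            score += 1
        elif b == 0x20:
            score += 2
        elif 0x21 <= b <= 0x7E or b in (0x00, 0x09, 0x0A, 0x0D):
            pass  # punctuation, NUL and common whitespace are neutral
        else:
            score -= 3
    lowered = data.lower()
    for token in LIKELY_TOKENS:
        if token in lowered:
            score += 10
    return score


def recover_xor_key(blob: bytes) -> Tuple[int, bytes]:
    """Try every single-byte key and return the best-scoring (key, plaintext)."""
    best_key = max(range(256), key=lambda k: plaintext_score(xor_bytes(blob, k)))
    return best_key, xor_bytes(blob, best_key)


# Sample blob built here so the example runs offline: XOR with 0x40, then base64,
# the way a dropper might store it. In a real case the blob is read from the binary.
SAMPLE_B64 = base64.b64encode(xor_bytes(PLAINTEXT, PAGE_KEY)).decode("ascii")


if __name__ == "__main__":
    print(decode_b64_then_xor(SAMPLE_B64, PAGE_KEY))
    key, text = recover_xor_key(base64.b64decode(SAMPLE_B64))
    print(hex(key), text)
```

The brute force is only a triage aid: on very short blobs several keys can tie, so confirm a recovered key on a second string from the same sample before relying on it.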
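Several rows above describe host artifacts that can be hunted for: an Office process launching certutil -decode on a dropped file (Deobfuscate/Decode Files or Information), csvde.exe exporting Active Directory data (Account Discovery), and multi-part archives staged in the Recycle Bin (Data Staged). The Python below is an added example, not code from the page or the cited reports, that runs those three checks over a handful of constructed Sysmon-style events. The field names, SID, paths, file names and the archive-extension pattern are assumptions for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed Sysmon-style telemetry (EventID 1 = process create, 11 = file
# create). Paths, SID and file names were made up for this example; none of
# these records come from a real incident or from the reports cited on the page.
EVENTS: List[Event] = [
    {"id": "1", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Users\alice\AppData\Local\Temp\inv.txt C:\Users\alice\AppData\Local\Temp\inv.exe"},
    {"id": "1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify C:\\certs\\server.cer"},
    {"id": "1", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\csvde.exe",
     "cmdline": r"csvde -f C:\Windows\Temp\ad.csv"},
    {"id": "11", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\data.part01.rar"},
    {"id": "11", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$RABC123.docx"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RECYCLE_BIN = re.compile(r"^[a-z]:\\\$recycle\.bin\\", re.IGNORECASE)
# Multi-part archive naming: RAR volumes (.part01.rar, .r00), split volumes (.001),
# zip spans (.z01). Assumed pattern; adjust to the archivers seen in your environment.
MULTIPART_ARCHIVE = re.compile(r"\.(part\d+\.rar|r\d{2}|z\d{2}|\d{3})$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_certutil_decode(ev: Event) -> bool:
    """Macro-driven decode: an Office process is the parent of certutil -decode."""
    return (ev["id"] == "1"
            and basename(ev["parent"]) in OFFICE_PARENTS
            and basename(ev["image"]) == "certutil.exe"
            and "-decode" in ev["cmdline"].lower())


def csvde_ad_export(ev: Event) -> bool:
    """csvde.exe writing an export file (-f) is rare outside AD administration."""
    return (ev["id"] == "1"
            and basename(ev["image"]) == "csvde.exe"
            and re.search(r"(^|\s)-f\s", ev["cmdline"], re.IGNORECASE) is not None)


def multipart_archive_in_recycle_bin(ev: Event) -> bool:
    """Staging: a multi-part archive volume created under $Recycle.Bin."""
    target = ev.get("target", "")
    return (ev["id"] == "11"
            and RECYCLE_BIN.search(target) is not None
            and MULTIPART_ARCHIVE.search(target) is not None)


RULES: Dict[str, Callable[[Event], bool]] = {
    "office_macro_certutil_decode": office_spawned_certutil_decode,
    "csvde_ad_export": csvde_ad_export,
    "multipart_archive_in_recycle_bin": multipart_archive_in_recycle_bin,
}


def hunt(events: List[Event]) -> List[Tuple[str, Event]]:
    """Return (rule name, event) for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, ev in hunt(EVENTS):
        print(name, ev.get("cmdline") or ev.get("target"))
```

The certutil rule keys on the parent process rather than on certutil alone, since certutil -decode has legitimate administrative uses; the Recycle Bin rule fires on archive volumes only, not on the $R-prefixed files Windows itself places there.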
- Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- CrowdStrike. (2013, October 16). CrowdCasts Monthly: You Have an Adversary Problem. Retrieved March 1, 2017.
- FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Matsuda, A. and Muhammad, I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.