menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

ID: G0045
Associated Groups: Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH
Contributors: Edward Millington; Michael Cox
Version: 2.0
Created: 31 May 2017
Last Modified: 09 April 2021

Associated Group Descriptions

Name Description
Cicada [8]
POTASSIUM [1][2]
Stone Panda [3][9][1][2][8]
APT10 [3][9][10][1][8]
Red Apollo [6][1][2]
CVNX [6][1][2]
HOGFISH [9]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[11]

Enterprise T1583 .001 Acquire Infrastructure: Domains

menuPass has registered malicious domains for use in intrusion campaigns.[1][2]

Enterprise T1560 Archive Collected Data

menuPass has encrypted files and information before exfiltration.[1][2]

.001 Archive via Utility

menuPass has compressed files before exfiltration using TAR and RAR.[6][11][8]

Enterprise T1119 Automated Collection

menuPass has used the Csvde tool to collect Active Directory files and data.[8]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

menuPass has used PowerSploit to inject shellcode into a process via PowerShell.[11][8]

.003 Command and Scripting Interpreter: Windows Command Shell

menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[6][11][12][10] menuPass has used malicious macros embedded inside Office documents to execute files.[9][10]

Enterprise T1005 Data from Local System

menuPass has collected various files from the compromised computers.[1][8]

Enterprise T1039 Data from Network Shared Drive

menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.[6]

Enterprise T1074 .001 Data Staged: Local Data Staging

menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[6]

.002 Data Staged: Remote Data Staging

menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.[6][8]

Enterprise T1140 Deobfuscate/Decode Files or Information

menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim’s machine when dropping UPPERCUT.[9][10]

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

menuPass has used dynamic DNS service providers to host malicious domains.[2] Note that hosting on a dynamic DNS provider (records re-pointed at will on a third-party service) is not the same as fast-flux rotation across many short-lived IPs; on the evidence cited here, detection should key on the dynamic DNS provider domains rather than on flux behavior.

Enterprise T1210 Exploitation of Remote Services

menuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472), a Netlogon authentication bypass that lets an unauthenticated attacker reset a domain controller's machine account password.[8]

Enterprise T1083 File and Directory Discovery

menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.[8]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

menuPass has used DLL search order hijacking.[6]

.002 Hijack Execution Flow: DLL Side-Loading

menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[11][10][8]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

A menuPass macro deletes files after it has decoded and decompressed them.[9][2]

Enterprise T1105 Ingress Tool Transfer

menuPass has installed updates and new malware on victims.[6][2]

Enterprise T1056 .001 Input Capture: Keylogging

menuPass has used key loggers to steal usernames and passwords.[2]

Enterprise T1036 Masquerading

menuPass has used esentutl to restore the true file extensions of payloads that had been staged on disk under a .txt extension.[10]

.003 Rename System Utilities

menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.[10]

.005 Match Legitimate Name or Location

menuPass has been seen changing malicious files to appear legitimate.[2]

Enterprise T1106 Native API

menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.[8]

Enterprise T1046 Network Service Scanning

menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.[11]

Enterprise T1027 Obfuscated Files or Information

menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[9][10][8]
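As an added illustration (not code from the cited reports or from menuPass tooling), the following Python reproduces the two-layer string obfuscation described above, base64 over a single-byte XOR with key 0x40, and shows why such a key is trivial to recover: a few bytes of known plaintext (a URL almost always starts with `http`) give it directly, after which every string in a blob can be carved out. The URL, user-agent string and binary blob are constructed for the example.

```python
import base64
import string
from typing import Optional

# Single-byte key reported for menuPass string obfuscation (this page, T1027).
XOR_KEY = 0x40

# Characters accepted when carving decoded strings out of a blob (space kept,
# other whitespace dropped so runs do not bridge across padding).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def obfuscate_string(plain: str, key: int = XOR_KEY) -> str:
    """Build test material the way the layering is described: XOR, then base64."""
    return base64.b64encode(xor_bytes(plain.encode("utf-8"), key)).decode("ascii")


def deobfuscate_string(blob: str, key: int = XOR_KEY) -> str:
    """Undo the layering in reverse order: base64-decode, then XOR."""
    return xor_bytes(base64.b64decode(blob), key).decode("utf-8")


def recover_xor_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[int]:
    """Known-plaintext attack on a single-byte XOR.

    Each ciphertext byte XOR its plaintext byte yields a key candidate; if the
    candidates disagree, the data was not produced with one fixed key byte.
    """
    if not known_plaintext or len(known_plaintext) > len(ciphertext):
        return None
    candidates = {c ^ p for c, p in zip(ciphertext, known_plaintext)}
    return candidates.pop() if len(candidates) == 1 else None


def carve_strings(blob: bytes, key: int = XOR_KEY, min_len: int = 6) -> list[str]:
    """XOR the whole blob with the key and return printable runs >= min_len."""
    decoded = xor_bytes(blob, key)
    found: list[str] = []
    run: list[str] = []
    for b in decoded:
        if b < 0x80 and chr(b) in PRINTABLE:
            run.append(chr(b))
            continue
        if len(run) >= min_len:
            found.append("".join(run))
        run = []
    if len(run) >= min_len:
        found.append("".join(run))
    return found


# Constructed sample: two XOR-encoded strings separated by 0xFF bytes, the way a
# small config block might look; this is not a real menuPass artifact.
SAMPLE_BLOB = (
    b"\xff\xff"
    + xor_bytes(b"http://cnc.example.invalid/upload")
    + b"\xff"
    + xor_bytes(b"Mozilla/4.0 (compatible)")
    + b"\xff\xff"
)


if __name__ == "__main__":
    encoded = obfuscate_string("http://cnc.example.invalid/upload")
    print("obfuscated:", encoded)
    print("recovered :", deobfuscate_string(encoded))
    key = recover_xor_key(xor_bytes(b"http://cnc.example.invalid/upload"), b"http")
    print("key from known plaintext:", hex(key) if key is not None else None)
    print("carved strings:", carve_strings(SAMPLE_BLOB))
```

The carving step is the practical payoff: once the key is known, running it over an unpacked sample's data section surfaces C2 URLs and user-agent strings without reverse-engineering the decode routine. Because 0x40 flips bit 6, uppercase ASCII becomes control characters and lowercase becomes punctuation, so the obfuscated bytes do not show up in a plain `strings` pass.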

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[11][12]

.003 OS Credential Dumping: NTDS

menuPass has used Ntdsutil to dump credentials.[8]

.004 OS Credential Dumping: LSA Secrets

menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[11][12]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents.[11][7][10][2]

Enterprise T1055 .012 Process Injection: Process Hollowing

menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.[9]

Enterprise T1090 .002 Proxy: External Proxy

menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.[7][10]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

menuPass has used RDP connections to move across the victim network.[6][2]

.004 Remote Services: SSH

menuPass has used the PuTTY Secure Copy client (PSCP) to transfer data over SSH.[6]

Enterprise T1018 Remote System Discovery

menuPass has used scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.[11][7]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.[11]

Enterprise T1218 .004 Signed Binary Proxy Execution: InstallUtil

menuPass has used InstallUtil.exe to execute malicious software.[11]

Enterprise T1016 System Network Configuration Discovery

menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[11]

Enterprise T1049 System Network Connections Discovery

menuPass has used net use to conduct connectivity checks to machines.[6]

Enterprise T1199 Trusted Relationship

menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.[11][7][8][1][2]

Enterprise T1204 .002 User Execution: Malicious File

menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.[11][7][9][10][2]

Enterprise T1078 Valid Accounts

menuPass has used valid accounts, including accounts shared between Managed Service Providers and their clients, to move between the two environments.[6][8][2]

Enterprise T1047 Windows Management Instrumentation

menuPass has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[11][12][8]
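Several of the entries above share one data source: process-creation telemetry. The csvde export (T1087.002/T1119), the ntdsutil dump (T1003.003), certutil -decode running under a renamed binary (T1140/T1036.003), multi-part archives staged in the Recycle Bin (T1560.001/T1074.001), tcping probes (T1046) and cmd.exe children of the WMI provider host (T1047) can all be checked from the same record. The following Python is an added example, not code from any referenced report; it runs those checks over a handful of constructed Sysmon Event ID 1-style records. The field names (Image, OriginalFileName, CommandLine, ParentImage) are Sysmon's; the paths, SID and command lines are made up, and the `ADMIN$\__` output-redirect pattern is Impacket's wmiexec.py convention rather than something this page attributes to the modified wmiexec.vbs.

```python
from pathlib import PureWindowsPath

ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "tar.exe"}
WMI_HOST = "wmiprvse.exe"

# Constructed process-creation events in Sysmon Event ID 1 field names.
# None of this content comes from a real menuPass incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe", "OriginalFileName": "EXPLORER.EXE",
     "CommandLine": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"Image": r"C:\Windows\System32\csvde.exe", "OriginalFileName": "csvde.exe",
     "CommandLine": r'csvde -f C:\Users\Public\ad.csv -r "(objectClass=user)"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\ntdsutil.exe", "OriginalFileName": "ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\Libraries\ct.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"ct.exe -decode C:\Users\Public\Libraries\p.txt C:\Users\Public\Libraries\p.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Users\Public\rar.exe", "OriginalFileName": "RAR.exe",
     "CommandLine": r"rar.exe a -v100m C:\$Recycle.Bin\S-1-5-21-1111111111-2222222222-3333333333-1001\out.rar C:\share\hr",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /Q /c net view /domain 1> \\127.0.0.1\ADMIN$\__1616 2>&1",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify(ev: dict) -> dict[str, str]:
    """Map one process-creation event to {technique_id: reason}; empty if benign."""
    image = _basename(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    parent = _basename(ev.get("ParentImage", ""))
    hits: dict[str, str] = {}

    # csvde writing directory objects to a file (-f is the export switch).
    if image == "csvde.exe" and "-f" in cmd.split():
        hits["T1087.002"] = "csvde export of Active Directory objects to a file"

    # ntdsutil "install from media" copies NTDS.dit together with the SYSTEM hive.
    if image == "ntdsutil.exe" and ("ifm" in cmd or "create full" in cmd):
        hits["T1003.003"] = "ntdsutil IFM export of NTDS.dit"

    # Key certutil on the PE's OriginalFileName so a renamed copy still matches.
    if orig == "certutil.exe" and "-decode" in cmd:
        hits["T1140"] = "certutil decoding a base64 payload"
        if image != "certutil.exe":
            hits["T1036.003"] = f"certutil executing under the name {image}"

    # Archiver writing into the Recycle Bin; -v<size> makes a multi-volume set.
    if image in ARCHIVERS and ("$recycle.bin" in cmd or "\\recycler\\" in cmd):
        hits["T1074.001"] = "archive staged in the Recycle Bin"
        kind = "multi-volume archive" if " -v" in cmd else "archive"
        hits["T1560.001"] = f"{kind} created with {image}"

    # cmd.exe spawned by the WMI provider host is the wmiexec execution shape.
    if parent == WMI_HOST and image == "cmd.exe":
        reason = "cmd.exe spawned by WmiPrvSE.exe"
        if "admin$\\__" in cmd:
            reason += " with output redirected to ADMIN$ (Impacket wmiexec convention)"
        hits["T1047"] = reason

    if image == "tcping.exe":
        hits["T1046"] = "tcping port probe"
    return hits


def run_detections(events: list[dict]) -> list[tuple[int, dict[str, str]]]:
    """Classify every event and keep only those with at least one finding."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


if __name__ == "__main__":
    for index, findings in run_detections(SAMPLE_EVENTS):
        for technique, reason in findings.items():
            print(f"event {index}: {technique}: {reason}")
```

Two design points matter in practice. Matching certutil on OriginalFileName (taken from the PE version resource) rather than on the image path is what defeats the rename described under T1036.003; a rule that only looks for `certutil.exe` in the path misses `ct.exe`. The WmiPrvSE.exe-to-cmd.exe rule is noisy wherever WMI is used for legitimate management, so it needs an allow-list of known management accounts or scripts before it is alert-worthy on its own.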

Software

ID Name References Techniques
S0552 AdFind [8] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0160 certutil [9][10][8] Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0144 ChChes [11] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Process Discovery, Subvert Trust Controls: Code Signing, System Information Discovery
S0106 cmd [11] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery
S0404 esentutl [10] Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Lateral Tool Transfer, OS Credential Dumping: NTDS
S0152 EvilGrab [11] Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Commonly Used Port, Input Capture: Keylogging, Screen Capture, Video Capture
S0357 Impacket [11] Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0002 Mimikatz [11] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0039 Net [11] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0097 Ping [11][7] Remote System Discovery
S0013 PlugX [11][7][1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0012 PoisonIvy [11][2] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0194 PowerSploit [11] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Portable Executable Injection, Process Injection: Dynamic-link Library Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0029 PsExec [11][7] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0006 pwdump [11] OS Credential Dumping: Security Account Manager
S0262 QuasarRAT [1][8] Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Proxy, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing, System Information Discovery, Unsecured Credentials: Credentials In Files, Video Capture
S0153 RedLeaves [11][1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Non-Standard Port, Obfuscated Files or Information, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
S0159 SNUGRIDE [7] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography
S0275 UPPERCUT [10] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Time Discovery

References