TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

ID: G0062
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

TA459 has used PowerShell for execution of a payload.[1]

.005 Command and Scripting Interpreter: Visual Basic

TA459 has a VBScript for execution.[1]

Enterprise T1203 Exploitation for Client Execution

TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.[1]

Enterprise T1204 .002 User Execution: Malicious File

TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing.[1]

Software

ID Name References Techniques
S0032 gh0st RAT TA459 has used a Gh0st variant known as PCrat/Gh0st.[1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0033 NetTraveler [1] Application Window Discovery, Input Capture: Keylogging
S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0230 ZeroT [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Obfuscation: Steganography, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, System Information Discovery, System Network Configuration Discovery

References