TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

ID: G0062
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain: Enterprise (all entries below)

T1059.005 Command and Scripting Interpreter: Visual Basic
  Use: TA459 has used VBScript for execution.[1]

T1059.001 Command and Scripting Interpreter: PowerShell
  Use: TA459 has used PowerShell to execute a payload.[1]

T1203 Exploitation for Client Execution
  Use: TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.[1]

T1566.001 Phishing: Spearphishing Attachment
  Use: TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.[1]

T1204.002 User Execution: Malicious File
  Use: TA459 has attempted to get victims to open a malicious Microsoft Word attachment sent via spearphishing.[1]

Software

S0032 gh0st RAT
  References: TA459 has used a Gh0st variant known as PCrat/Gh0st.[1]
  Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Commonly Used Port, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Screen Capture, Signed Binary Proxy Execution: Rundll32

S0033 NetTraveler
  References: [1]
  Techniques: Application Window Discovery, Input Capture: Keylogging

S0013 PlugX
  References: [1]
  Techniques: Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver

S0230 ZeroT
  References: [1]
  Techniques: Abuse Elevation Control Mechanism: Bypass User Access Control, Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Obfuscation: Steganography, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, System Information Discovery, System Network Configuration Discovery

References