TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

ID: G0062
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1203 | Exploitation for Client Execution | TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution. [1]
Enterprise | T1086 | PowerShell | TA459 has used PowerShell for execution of a payload. [1]
Enterprise | T1064 | Scripting | TA459 has used a VBScript for execution. [1]
Enterprise | T1193 | Spearphishing Attachment | TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments. [1]
Enterprise | T1204 | User Execution | TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing. [1]

Software

ID | Name | References | Techniques
S0032 | gh0st RAT (TA459 has used a Gh0st variant known as PCrat/Gh0st.) | [1] | Command-Line Interface, Commonly Used Port, DLL Side-Loading, File Deletion, Indicator Removal on Host, Input Capture, New Service, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Screen Capture, Standard Cryptographic Protocol
S0033 | NetTraveler | [1] | Application Window Discovery, Input Capture
S0013 | PlugX | [1] | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Modify Existing Service, Modify Registry, Multiband Communication, Network Share Discovery, New Service, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Network Connections Discovery, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service
S0230 | ZeroT | [1] | Binary Padding, Bypass User Account Control, Data Obfuscation, Deobfuscate/Decode Files or Information, DLL Side-Loading, New Service, Obfuscated Files or Information, Remote File Copy, Software Packing, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery

References