APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [2] [3] [4]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.[1][4] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
An APT19 HTTP malware variant establishes persistence by setting the Registry key |
Enterprise | T1059 | Command and Scripting Interpreter | ||
.001 | PowerShell | |||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
An APT19 Port 22 malware variant registers itself as a service.[4] |
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.[4] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[4] |
|
Enterprise | T1189 | Drive-by Compromise |
APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.[4] |
|
Enterprise | T1564 | .003 | Hide Artifacts: Hidden Window |
APT19 used |
Enterprise | T1574 | .002 | Hijack Execution Flow: DLL Side-Loading |
APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[4] |
Enterprise | T1112 | Modify Registry |
APT19 uses a Port 22 malware variant to modify several Registry keys.[4] |
|
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation | |
.013 | Obfuscated Files or Information: Encrypted/Encoded File | |||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
APT19 has obtained and used publicly-available tools like Empire.[6][1] |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.[1] |
Enterprise | T1218 | .010 | System Binary Proxy Execution: Regsvr32 |
APT19 used Regsvr32 to bypass application control techniques.[1] |
.011 | System Binary Proxy Execution: Rundll32 |
APT19 configured its payload to inject into the rundll32.exe.[1] |
||
Enterprise | T1082 | System Information Discovery |
APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.[1][4] |
|
Enterprise | T1016 | System Network Configuration Discovery |
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[4] |
|
Enterprise | T1033 | System Owner/User Discovery |
APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.[4] |
|
Enterprise | T1204 | .002 | User Execution: Malicious File |
APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.[1] |