Soft Cell

Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.[1]

ID: G0093
Contributors: Cybereason Nocturnus, @nocturnus
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Soft Cell used the Windows command shell to execute commands. [1]
Enterprise T1090 Connection Proxy Soft Cell used a modified version of HTRAN to redirect connections between networks. [1]
Enterprise T1136 Create Account Soft Cell created rogue, high-privileged domain user accounts to maintain access across waves of a compromise. [1]
Enterprise T1003 Credential Dumping Soft Cell used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines. [1]
Enterprise T1214 Credentials in Registry Soft Cell used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes. [1]
Enterprise T1002 Data Compressed Soft Cell used winrar to compress and encrypt stolen data prior to exfiltration. [1]
Enterprise T1022 Data Encrypted Soft Cell used winrar to compress and encrypt stolen data prior to exfiltration. [1]
Enterprise T1005 Data from Local System Soft Cell collected data from the victim's local system, including password hashes from the SAM hive in the Registry. [1]
Enterprise T1074 Data Staged Soft Cell compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration. [1]
Enterprise T1073 DLL Side-Loading Soft Cell used DLL side-loading to covertly load PoisonIvy into memory on the victim machine. [1]
Enterprise T1041 Exfiltration Over Command and Control Channel Soft Cell used Web shells and HTRAN for C2 as well as to exfiltrate data. [1]
Enterprise T1190 Exploit Public-Facing Application Soft Cell exploited a publicly-facing server to gain access to the network. [1]
Enterprise T1133 External Remote Services Soft Cell established VPN access into victim environments. [1]
Enterprise T1066 Indicator Removal from Tools Soft Cell ensured each payload had a unique hash, including by using different types of packers. [1]
Enterprise T1036 Masquerading Soft Cell used a renamed cmd.exe file to evade detection. [1]
Enterprise T1027 Obfuscated Files or Information Soft Cell used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection. [1]
Enterprise T1075 Pass the Hash Soft Cell used dumped hashes to authenticate to other machines via pass the hash. [1]
Enterprise T1086 PowerShell Soft Cell used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines. [1]
Enterprise T1105 Remote File Copy Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [1]
Enterprise T1018 Remote System Discovery Soft Cell used a modified version of nbtscan to identify available NetBIOS name servers over the network as well as ping to identify remote systems. [1]
Enterprise T1053 Scheduled Task Soft Cell established persistence for PoisonIvy by creating a scheduled task. [1]
Enterprise T1045 Software Packing Soft Cell packed some payloads using different types of packers, both known and custom. [1]
Enterprise T1016 System Network Configuration Discovery Soft Cell used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of nbtscan to identify available NetBIOS name servers. [1]
Enterprise T1049 System Network Connections Discovery Soft Cell used netstat -oan to obtain information about the victim network connections. [1]
Enterprise T1033 System Owner/User Discovery Soft Cell used whoami and query user to obtain information about the victim user. [1]
Enterprise T1078 Valid Accounts Soft Cell leveraged valid accounts to maintain access to a victim network. [1]
Enterprise T1100 Web Shell Soft Cell used Web shells to persist in victim environments and assist in execution and exfiltration. [1]
Enterprise T1047 Windows Management Instrumentation Soft Cell used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets. [1]

Software

ID Name References Techniques
S0110 at [1] Scheduled Task
S0020 China Chopper [1] Brute Force, Command-Line Interface, Data from Local System, File and Directory Discovery, Network Service Scanning, Remote File Copy, Scripting, Software Packing, Standard Application Layer Protocol, Timestomp, Web Shell
S0106 cmd [1] Command-Line Interface, File and Directory Discovery, File Deletion, Remote File Copy, System Information Discovery
S0040 HTRAN [1] Connection Proxy, Process Injection, Rootkit
S0100 ipconfig [1] System Network Configuration Discovery
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0039 Net [1] Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0097 Ping [1] Remote System Discovery
S0013 PlugX [1] Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Modify Existing Service, Modify Registry, Multiband Communication, Network Share Discovery, New Service, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Network Connections Discovery, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service
S0012 PoisonIvy [1] Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0029 PsExec [1] Service Execution, Windows Admin Shares
S0075 Reg [1] Credentials in Registry, Modify Registry, Query Registry

References