Soft Cell

Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.[1]

ID: G0093
Contributors: Cybereason Nocturnus, @nocturnus
Version: 1.1
Created: 18 July 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Soft Cell used WinRAR to compress and encrypt stolen data prior to exfiltration.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Soft Cell used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Soft Cell used the Windows command shell to execute commands.[1]

Enterprise T1136 .002 Create Account: Domain Account

Soft Cell created rogue, high-privileged domain user accounts to maintain access across waves of a compromise.[1]

Enterprise T1005 Data from Local System

Soft Cell collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Soft Cell compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Soft Cell used Web shells and HTRAN for C2 as well as to exfiltrate data.[1]

Enterprise T1190 Exploit Public-Facing Application

Soft Cell exploited a public-facing server to gain access to the network.[1]

Enterprise T1133 External Remote Services

Soft Cell established VPN access into victim environments.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Soft Cell used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]

Enterprise T1105 Ingress Tool Transfer

Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, WinRAR, and HTRAN.[1]

Enterprise T1036 .003 Masquerading: Rename System Utilities

Soft Cell used a renamed cmd.exe file to evade detection.[1]

Enterprise T1027 Obfuscated Files or Information

Soft Cell used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Soft Cell packed some payloads using different types of packers, both known and custom.[1]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Soft Cell ensured each payload had a unique hash, including by using different types of packers.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Soft Cell used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Soft Cell used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1]

Enterprise T1090 .002 Proxy: External Proxy

Soft Cell used a modified version of HTRAN to redirect connections between networks.[1]

Enterprise T1018 Remote System Discovery

Soft Cell used a modified version of nbtscan to identify available NetBIOS name servers over the network as well as ping to identify remote systems.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Soft Cell established persistence for PoisonIvy by creating a scheduled task.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Soft Cell used Web shells to persist in victim environments and assist in execution and exfiltration.[1]

Enterprise T1016 System Network Configuration Discovery

Soft Cell used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of nbtscan to identify available NetBIOS name servers.[1]

Enterprise T1049 System Network Connections Discovery

Soft Cell used netstat -oan to obtain information about the victim network connections.[1]

Enterprise T1033 System Owner/User Discovery

Soft Cell used whoami and query user to obtain information about the victim user.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Soft Cell used dumped hashes to authenticate to other machines via pass the hash.[1]

Enterprise T1078 Valid Accounts

Soft Cell leveraged valid accounts to maintain access to a victim network.[1]

Enterprise T1047 Windows Management Instrumentation

Soft Cell used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]

Software

ID Name References Techniques

S0110 at [1] Scheduled Task/Job: At (Windows)

S0020 China Chopper [1] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell

S0106 cmd [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Lateral Tool Transfer, System Information Discovery

S0040 HTRAN [1] Process Injection, Proxy, Rootkit

S0100 ipconfig [1] System Network Configuration Discovery

S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0039 Net [1] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery

S0097 Ping [1] Remote System Discovery

S0013 PlugX [1] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver

S0012 PoisonIvy [1] Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

S0029 PsExec [1] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0075 Reg [1] Modify Registry, Query Registry, Unsecured Credentials: Credentials in Registry

References