
APT41

APT41 is a group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity. APT41 has been active since as early as 2012. The group has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries.[1]

ID: G0096
Version: 1.0
Created: 23 September 2019
Last Modified: 14 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1015 Accessibility Features

APT41 leveraged sticky keys to establish persistence. [1]

Enterprise T1067 Bootkit

APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.[1]
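An MBR bootkit such as ROCKBOOT (listed under Software below) patches the 440 bytes of executable boot code in sector 0 while leaving the partition table intact, so the disk still boots normally and the OS sees no change. The following added example, which is not code from MITRE or from any APT41 tooling, parses a 512-byte MBR and compares its boot code against a known-good hash; both MBR images and the baseline are constructed inline for the example rather than taken from a real vendor image.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # 0x000-0x1B7: executable boot code (the part a bootkit patches)
DISK_SIG_OFF = 440       # 0x1B8: 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # 0x1BE: four 16-byte partition entries
SIGNATURE_OFF = 510      # 0x1FE: 0x55AA boot signature


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into boot-code hash, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[SIGNATURE_OFF:] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", mbr[off:off + 16])
        if ptype == 0:          # empty slot
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> list:
    """Return findings. Changed boot code over an unchanged partition table is the
    classic bootkit signature: the kit hooks the boot path, not the disk layout."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline hash")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected 1)")
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append("partition starts at LBA 0 (overlaps the MBR)")
    return findings


def _build_mbr(boot_code: bytes) -> bytes:
    """Assemble a constructed MBR around the given boot code (example data only)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"
    # one bootable NTFS (0x07) partition at LBA 2048, 1 GiB of 512-byte sectors
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 0x200000)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed samples: CLEAN_MBR is the baseline; PATCHED_MBR has different boot
# code but an identical partition table, which is what a bootkit leaves behind.
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
PATCHED_MBR = _build_mbr(b"\xeb\x3c\x90\x00\x00\x00\x00\x00")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("patched:", check_mbr(PATCHED_MBR, BASELINE_HASH))
```

On a live system the 512 bytes would be read from \\.\PhysicalDrive0 (or /dev/sda) with raw-device access, and the baseline hash recorded at build time; a rootkit that hooks disk reads can return the clean sector, so an offline read from a boot medium is the stronger check.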

Enterprise T1110 Brute Force

APT41 performed password brute-force attacks on the local admin account.[1]

Enterprise T1146 Clear Command History

APT41 attempted to remove evidence of some of its activity by deleting Bash histories.[1]

Enterprise T1116 Code Signing

APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.[1]

Enterprise T1059 Command-Line Interface

APT41 used cmd.exe /c to execute commands on remote machines.[1]

Enterprise T1223 Compiled HTML File

APT41 used compiled HTML (.chm) files for targeting. [1]

Enterprise T1090 Connection Proxy

APT41 used a tool called CLASSFON to covertly proxy network communications.[1]

Enterprise T1136 Create Account

APT41 created user accounts and added them to the User and Admin groups.[1]

Enterprise T1003 Credential Dumping

APT41 used the Windows Credential Editor to dump password hashes from memory and authenticate as other user accounts.[1]

Enterprise T1002 Data Compressed

APT41 created a RAR archive of targeted files for exfiltration.[1]

Enterprise T1486 Data Encrypted for Impact

APT41 used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.[1]

Enterprise T1073 DLL Side-Loading

APT41 used legitimate executables to perform DLL side-loading of their malware. [1]

Enterprise T1483 Domain Generation Algorithms

APT41 used DGA to change their C2 servers monthly.[1]

Enterprise T1203 Exploitation for Client Execution

APT41 leveraged the following exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.[1]

Enterprise T1133 External Remote Services

APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.[1]

Enterprise T1008 Fallback Channels

APT41 used the Steam community page as a fallback mechanism for C2. [1]

Enterprise T1107 File Deletion

APT41 deleted files from the system. [1]

Enterprise T1070 Indicator Removal on Host

APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.[1]

Enterprise T1056 Input Capture

APT41 used a keylogger called GEARSHIFT on a target system.[1]

Enterprise T1036 Masquerading

APT41 attempted to masquerade their files as popular anti-virus software.[1]

Enterprise T1031 Modify Existing Service

APT41 modified legitimate Windows services to install malware backdoors.[1]

Enterprise T1112 Modify Registry

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.[1]

Enterprise T1046 Network Service Scanning

APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets.[1]

Enterprise T1135 Network Share Discovery

APT41 used the net share command as part of network reconnaissance.[1]

Enterprise T1086 PowerShell

APT41 leveraged PowerShell to deploy malware families in victims’ environments.[1]

Enterprise T1055 Process Injection

APT41 malware TIDYELF loaded the main WINTERLOVE component by injecting it into the iexplore.exe process.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

APT41 created and modified startup files for persistence. [1]

Enterprise T1076 Remote Desktop Protocol

APT41 used RDP for lateral movement.[1]

Enterprise T1496 Resource Hijacking

APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment.[1]

Enterprise T1014 Rootkit

APT41 deployed rootkits on Linux systems.[1]

Enterprise T1053 Scheduled Task

APT41 used a compromised account to create a scheduled task on a system.[1]

Enterprise T1193 Spearphishing Attachment

APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.[1]

Enterprise T1071 Standard Application Layer Protocol

APT41 used DNS for C2 communications. [1]
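Both DNS-based behaviours on this page, the monthly DGA rotation of C2 servers (T1483 above) and DNS used as the C2 channel itself (T1071), leave traces in resolver logs. The following added example, not code from MITRE or from APT41 tooling, scores resolver log lines for two patterns: one client producing NXDOMAIN answers for several random-looking registered domains (a DGA sweeping candidates until one resolves), and one registered domain receiving many unique, very long subdomain labels (data carried in query names). The log lines, domain names and thresholds are constructed for the example; the registered-domain split assumes the last two labels, with no public-suffix list.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic): timestamp client qtype qname rcode
DNS_LOG = """\
2019-08-01T10:00:01Z 10.0.0.5 A www.example.com NOERROR
2019-08-01T10:00:02Z 10.0.0.5 A x7k2q9vmz4lp.com NXDOMAIN
2019-08-01T10:00:03Z 10.0.0.5 A rj8w3nqz1tkd.net NXDOMAIN
2019-08-01T10:00:04Z 10.0.0.5 A pq4v7xk2m9zr.org NXDOMAIN
2019-08-01T10:00:05Z 10.0.0.5 A zt6n1wq8kx3v.com NXDOMAIN
2019-08-01T10:00:06Z 10.0.0.5 A hm9k4xq2zv7p.net NOERROR
2019-08-01T10:00:07Z 10.0.0.5 A windowsupdate.com NOERROR
2019-08-01T10:00:10Z 10.0.0.7 TXT 4a6f62203235303a2063616c6c696e6720686f6d65.cdn.example.net NOERROR
2019-08-01T10:00:11Z 10.0.0.7 TXT 0d0a6469722063616e64696420736f6674776172.cdn.example.net NOERROR
2019-08-01T10:00:12Z 10.0.0.7 TXT 4d6f6e69746f7220494420313233343536373839.cdn.example.net NOERROR
2019-08-01T10:00:13Z 10.0.0.7 TXT 73797374656d696e666f202d7320736572766572.cdn.example.net NOERROR
2019-08-01T10:00:14Z 10.0.0.7 TXT 6e6574737461742d616e6f202d2d2d2d2d2d2d2d.cdn.example.net NOERROR
2019-08-01T10:00:20Z 10.0.0.9 A mail.example.com NOERROR
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_generated(label: str) -> bool:
    """Heuristic for an algorithmically generated label: long, high entropy and
    either nearly vowel-free or digit-heavy. A real word like 'windowsupdate'
    also has entropy above 3 bits, which is why entropy alone is not enough."""
    if len(label) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return shannon_entropy(label) >= 3.0 and (vowel_ratio <= 0.2 or digit_ratio >= 0.25)


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels are the registered domain (no public-suffix list).
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        if line.strip():
            ts, client, qtype, qname, rcode = line.split()
            yield {"ts": ts, "client": client, "qtype": qtype,
                   "qname": qname.lower(), "rcode": rcode}


def analyze(text: str, dga_min_nx: int = 3, tunnel_min_names: int = 5,
            tunnel_min_label: int = 20) -> list:
    nx_random = defaultdict(set)     # client -> generated-looking domains that failed
    live_random = defaultdict(set)   # client -> generated-looking domains that resolved
    names_by_domain = defaultdict(set)
    for q in parse_log(text):
        reg = registered_domain(q["qname"])
        if looks_generated(reg.split(".")[0]):
            (nx_random if q["rcode"] == "NXDOMAIN" else live_random)[q["client"]].add(reg)
        names_by_domain[reg].add(q["qname"])
    findings = []
    for client, doms in nx_random.items():
        if len(doms) >= dga_min_nx:          # a DGA walks candidates until one answers
            findings.append({"technique": "T1483", "client": client,
                             "failed": sorted(doms),
                             "resolved": sorted(live_random.get(client, ()))})
    for reg, names in names_by_domain.items():
        labels = [n.split(".")[0] for n in names if n != reg]
        if labels and len(labels) >= tunnel_min_names \
                and sum(map(len, labels)) / len(labels) >= tunnel_min_label:
            findings.append({"technique": "T1071", "domain": reg,
                             "unique_names": len(labels)})
    return findings


if __name__ == "__main__":
    for f in analyze(DNS_LOG):
        print(f)
```

The "resolved" list is the useful output for the DGA case: among the candidates a client tried, the one that actually answered is the live C2 for that rotation period, and is what to block and pivot on. Thresholds here are deliberately low for a short sample; on real resolver volume they must be tuned against a baseline, and CDNs or anti-spam services that legitimately use long hashed labels need an allow-list.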

Enterprise T1195 Supply Chain Compromise

APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.[1]

Enterprise T1016 System Network Configuration Discovery

APT41 collected MAC addresses from victim machines. [1]

Enterprise T1049 System Network Connections Discovery

APT41 used the netstat command as part of network reconnaissance. The group has also used a malware variant, HIGHNOON, to enumerate active RDP sessions. [1]

Enterprise T1033 System Owner/User Discovery

APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[1]

Enterprise T1078 Valid Accounts

APT41 used compromised credentials to log on to other systems.[1]

Enterprise T1102 Web Service

APT41 used legitimate websites for C2 through dead drop resolvers (DDR), including GitHub, Pastebin, and Microsoft TechNet.[1]
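A dead drop resolver works by hiding the real C2 address inside ordinary user content on a trusted site (a profile bio, a gist, a paste) between markers the implant knows; the implant fetches the page over HTTPS, extracts and decodes the payload, and only then connects to the C2. The following added example, which is not code from MITRE or from any APT41 family, shows that resolution step with an assumed marker scheme and base64 encoding (real implants use their own), plus the validation a careful implementation needs so a stray marker-like string on the page cannot redirect the client. The page text is constructed and 203.0.113.10 is an RFC 5737 documentation address.

```python
import base64
import ipaddress
import re

# Assumed marker scheme for this example only; real implants use their own.
START_MARKER = "@MS"
END_MARKER = "MS@"
DDR_RE = re.compile(re.escape(START_MARKER) + r"([A-Za-z0-9+/=]{8,})" + re.escape(END_MARKER))


def resolve_dead_drop(page: str):
    """Return the (ip, port) hidden in a fetched page, or None.
    Each candidate is decoded and validated; malformed ones are skipped."""
    for m in DDR_RE.finditer(page):
        try:
            payload = base64.b64decode(m.group(1), validate=True).decode("ascii")
            host, port_text = payload.rsplit(":", 1)
            ip = ipaddress.ip_address(host)
            port = int(port_text)
        except ValueError:       # bad base64, non-ASCII, no ':', bad IP or bad port
            continue
        if not 1 <= port <= 65535:
            continue
        if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
            continue
        return str(ip), port
    return None


def _build_page(c2: str) -> str:
    """Constructed profile text holding a decoy and the real payload (example data)."""
    decoy = base64.b64encode(b"hello world").decode()   # valid base64, not host:port
    real = base64.b64encode(c2.encode()).decode()
    return ("<div class='bio'>Playing since 2009. " + START_MARKER + decoy + END_MARKER
            + " Favourite map: dust2. " + START_MARKER + real + END_MARKER + " Add me!</div>")


SAMPLE_PAGE = _build_page("203.0.113.10:443")   # RFC 5737 documentation address

if __name__ == "__main__":
    print(resolve_dead_drop(SAMPLE_PAGE))
```

From the defender's side the only network artifact is a normal-looking fetch of a popular site followed, seconds later, by a first-ever outbound connection to an address the host had never contacted; joining proxy logs with flow data on that sequence is how the technique is hunted, since blocking GitHub, Pastebin or TechNet outright is rarely an option.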

Enterprise T1047 Windows Management Instrumentation

APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit.[1]
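Several of the host-side techniques above leave distinct Windows event records: the sticky keys persistence (T1015) is an Image File Execution Options Debugger value on an accessibility binary; cmd.exe /c and whoami run through WMIEXEC (T1059, T1033, T1047) appear as children of WmiPrvSE.exe; account creation and promotion (T1136) is a 4720 followed by a 4732 into Administrators; clearing the Security log (T1070) writes a 1102; RDP lateral movement (T1076) is a 4624 with logon type 10; and a new scheduled task (T1053) is a 4698. The following added example, not code from MITRE or from any APT41 tooling, runs simple rules over parsed Security and Sysmon events and correlates the 4720/4732 pair. The sample events are constructed, and their field names are simplified from the real event schemas.

```python
import re

ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe")
IFEO_RE = re.compile(
    r"Image File Execution Options\\(" + "|".join(map(re.escape, ACCESSIBILITY_BINARIES))
    + r")\\Debugger$", re.IGNORECASE)
# Children that, under WmiPrvSE.exe, indicate remote command execution over WMI
WMI_CHILDREN = ("cmd.exe", "whoami.exe", "net.exe", "netstat.exe", "powershell.exe")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events) -> list:
    """Walk parsed events in log order and return (technique, description) findings."""
    findings = []
    created = set()          # accounts seen in a 4720 earlier in this log
    for ev in events:
        eid, src, d = ev["id"], ev["source"], ev["data"]
        if src == "Sysmon" and eid == 13 and IFEO_RE.search(d.get("TargetObject", "")):
            findings.append(("T1015", f"IFEO Debugger set on accessibility binary -> {d.get('Details')}"))
        elif src == "Sysmon" and eid == 1:
            parent, child = _basename(d.get("ParentImage", "")), _basename(d.get("Image", ""))
            if parent == "wmiprvse.exe" and child in WMI_CHILDREN:
                findings.append(("T1047", f"{child} spawned by WmiPrvSE.exe: {d.get('CommandLine')}"))
        elif src == "Security" and eid == 4720:
            created.add(d["TargetUserName"].lower())
        elif src == "Security" and eid == 4732 and d.get("TargetUserName", "").lower() == "administrators":
            member = d.get("MemberName", "").lower()
            note = " (created earlier in this log)" if member in created else ""
            findings.append(("T1136", f"{member} added to Administrators{note}"))
        elif src == "Security" and eid == 1102:
            findings.append(("T1070", f"Security event log cleared by {d.get('SubjectUserName')}"))
        elif src == "Security" and eid == 4624 and d.get("LogonType") == "10":
            findings.append(("T1076", f"RDP logon as {d.get('TargetUserName')} from {d.get('IpAddress')}"))
        elif src == "Security" and eid == 4698:
            findings.append(("T1053", f"scheduled task {d.get('TaskName')} created by {d.get('SubjectUserName')}"))
    return findings


# Constructed sample events (not real logs), in the order they would be written.
SAMPLE_EVENTS = [
    {"id": 13, "source": "Sysmon", "data": {
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger",
        "Details": r"C:\Windows\System32\cmd.exe"}},
    {"id": 1, "source": "Sysmon", "data": {
        "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
        "User": "CORP\\svc-backup"}},
    {"id": 1, "source": "Sysmon", "data": {          # benign: user opened a prompt
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
        "User": "CORP\\alice"}},
    {"id": 4720, "source": "Security", "data": {"TargetUserName": "support", "SubjectUserName": "svc-backup"}},
    {"id": 4732, "source": "Security", "data": {"TargetUserName": "Administrators", "MemberName": "support"}},
    {"id": 1102, "source": "Security", "data": {"SubjectUserName": "svc-backup"}},
    {"id": 4624, "source": "Security", "data": {"LogonType": "10", "TargetUserName": "support", "IpAddress": "10.0.0.5"}},
    {"id": 4624, "source": "Security", "data": {"LogonType": "2", "TargetUserName": "alice", "IpAddress": "-"}},
    {"id": 4698, "source": "Security", "data": {"TaskName": "\\Updater", "SubjectUserName": "support"}},
]

if __name__ == "__main__":
    for technique, msg in detect(SAMPLE_EVENTS):
        print(technique, msg)
```

The 4624 type-10 rule fires on every interactive RDP logon and is only useful against a baseline of which accounts normally RDP to which hosts; the 1102 and IFEO rules, by contrast, have almost no benign rate and can page someone directly. A 4720 immediately followed by a 4732 into Administrators from the same session is the account-creation pattern described above, which is why the rule tracks the created set rather than alerting on each event in isolation.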

Software

ID Name References Techniques
S0073 ASPXSpy [1] Web Shell
S0069 BLACKCOFFEE [1] Command-Line Interface, File and Directory Discovery, File Deletion, Multi-Stage Channels, Process Discovery, Web Service
S0020 China Chopper [1] Brute Force, Command-Line Interface, Data from Local System, File and Directory Discovery, Network Service Scanning, Remote File Copy, Scripting, Software Packing, Standard Application Layer Protocol, Timestomp, Web Shell
S0021 Derusbi [1] Audio Capture, Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Custom Cryptographic Protocol, Fallback Channels, File and Directory Discovery, File Deletion, Input Capture, Process Discovery, Process Injection, Query Registry, Regsvr32, Screen Capture, Standard Non-Application Layer Protocol, System Information Discovery, System Owner/User Discovery, Timestomp, Video Capture
S0032 gh0st RAT [1] Command-Line Interface, Commonly Used Port, DLL Side-Loading, File Deletion, Indicator Removal on Host, Input Capture, New Service, Process Discovery, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Screen Capture, Standard Cryptographic Protocol
S0002 Mimikatz [1] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0104 netstat [1] System Network Connections Discovery
S0385 njRAT [1] Application Window Discovery, Command-Line Interface, Credentials from Web Browsers, Custom Command and Control Protocol, Data Encoding, Data from Local System, Disabling Security Tools, File and Directory Discovery, File Deletion, Input Capture, Modify Registry, Peripheral Device Discovery, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Remote System Discovery, Replication Through Removable Media, Screen Capture, System Information Discovery, System Owner/User Discovery, Uncommonly Used Port, Video Capture
S0097 Ping [1] Remote System Discovery
S0013 PlugX [1] Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Modify Existing Service, Modify Registry, Multiband Communication, Network Share Discovery, New Service, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Network Connections Discovery, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Domain Trust Discovery, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0006 pwdump [1] Credential Dumping
S0112 ROCKBOOT [1] Bootkit
S0412 ZxShell [1] Access Token Manipulation, Command-Line Interface, Commonly Used Port, Connection Proxy, Create Account, Disabling Security Tools, Endpoint Denial of Service, File and Directory Discovery, File Deletion, Hooking, Indicator Removal on Host, Input Capture, Network Service Scanning, New Service, Process Discovery, Process Injection, Query Registry, Remote Desktop Protocol, Remote File Copy, Remote Services, Rundll32, Screen Capture, Standard Application Layer Protocol, System Information Discovery, System Owner/User Discovery, System Service Discovery, Uncommonly Used Port, Video Capture

References