Chimera

Chimera is a suspected China-based threat group, targeting the semiconductor industry in Taiwan since at least 2018.[1]

ID: G0114
Version: 1.0
Created: 24 August 2020
Last Modified: 05 October 2020

Techniques Used

Domain ID Name Use
Enterprise T1087.002 Account Discovery: Domain Account

Chimera has used net user /dom to enumerate domain accounts.[1]

Enterprise T1560.001 Archive Collected Data: Archive via Utility

Chimera has used modified RAR software to archive data with a password.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Chimera has used PowerShell scripts to execute malicious payloads.[1]

Enterprise T1133 External Remote Services

Chimera has used legitimate credentials to log in to an external VPN.[1]

Enterprise T1105 Ingress Tool Transfer

Chimera has remotely copied tools and malware onto targeted systems.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Chimera has renamed malware to GoogleUpdate.exe, impersonating legitimate Google filenames.[1]

Enterprise T1556.001 Modify Authentication Process: Domain Controller Authentication

Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to log in without a valid credential.[1]

Enterprise T1106 Native API

Chimera has used direct Windows system calls by leveraging Dumpert.[1]

Enterprise T1027 Obfuscated Files or Information

Chimera has encoded PowerShell commands.[1]

Enterprise T1003.003 OS Credential Dumping: NTDS

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[1]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

Chimera has used RDP to access targeted systems.[1]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

Chimera has used Windows admin shares to move laterally.[1]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

Chimera has used scheduled tasks to invoke Cobalt Strike and maintain persistence.[1]

Enterprise T1078 Valid Accounts

Chimera has used a valid account to maintain persistence via a scheduled task.[1]

Enterprise T1102 Web Service

Chimera has used Google Cloud's appspot service to host C2 servers.[1]

Enterprise T1047 Windows Management Instrumentation

Chimera has used WMIC to execute remote commands.[1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Network Configuration Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

References