Operation Wocao

Operation Wocao described activities carried out by a China-based cyber espionage adversary. Operation Wocao targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. Operation Wocao used similar TTPs and tools to APT20, suggesting a possible overlap.[1]

ID: G0116
Contributors: Erik Schamper, @Schamperr, Fox-IT; Maarten van Dantzig, @MaartenVDantzig, Fox-IT
Version: 1.0
Created: 17 November 2020
Last Modified: 20 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Operation Wocao has used the net command to retrieve information about domain accounts.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Operation Wocao has archived collected files with WinRAR, prior to exfiltration.[1]

Enterprise T1119 Automated Collection

Operation Wocao has used a script to collect information about the infected system.[1]

Enterprise T1115 Clipboard Data

Operation Wocao has collected clipboard data in plaintext.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Operation Wocao has used PowerShell on compromised systems.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

Operation Wocao has spawned a new cmd.exe process to execute commands.[1]

.005 Command and Scripting Interpreter: Visual Basic

Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.[1]

.006 Command and Scripting Interpreter: Python

Operation Wocao's backdoors have been written in Python and compiled with py2exe.[1]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Operation Wocao has accessed and collected credentials from password managers.[1]

Enterprise T1005 Data from Local System

Operation Wocao has exfiltrated files and directories of interest from the targeted system.[1]

Enterprise T1001 Data Obfuscation

Operation Wocao has encrypted IP addresses used for "Agent" proxy hops with RC4.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Operation Wocao's proxy implementation "Agent" can upgrade the socket in use to a TLS socket.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Operation Wocao has used the Xserver backdoor to exfiltrate data.[1]

Enterprise T1190 Exploit Public-Facing Application

Operation Wocao has gained initial access via vulnerable webservers.[1]

Enterprise T1133 External Remote Services

Operation Wocao has used stolen credentials to connect to the victim's network via VPN.[1]

Enterprise T1083 File and Directory Discovery

Operation Wocao has gathered a recursive directory listing to find files and directories of interest.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.[1]

Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.[1]

.004 Indicator Removal on Host: File Deletion

Operation Wocao has deleted logs and executable files used during an intrusion.[1]

Enterprise T1105 Ingress Tool Transfer

Operation Wocao can download additional files to the infected system.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Operation Wocao has obtained the password for the victim's password manager via a custom keylogger.[1]

Enterprise T1570 Lateral Tool Transfer

Operation Wocao has used SMB to copy files to and from target systems.[1]

Enterprise T1112 Modify Registry

Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.[1]

Enterprise T1106 Native API

Operation Wocao has used the CreateProcessA and ShellExecute API function to launch commands after being injected into a selected process.[1]

Enterprise T1046 Network Service Scanning

Operation Wocao has scanned for open ports and used nbtscan to find NETBIOS nameservers.[1]

Enterprise T1135 Network Share Discovery

Operation Wocao has discovered network disks mounted to the system using netstat.[1]

Enterprise T1095 Non-Application Layer Protocol

Operation Wocao has used a custom protocol for command and control.[1]

Enterprise T1027 Obfuscated Files or Information

Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.[1]

.005 Indicator Removal from Tools

Operation Wocao has edited variable names within the Impacket suite to avoid automated detection.[1]

Enterprise T1003 .006 OS Credential Dumping: DCSync

Operation Wocao has used Mimikatz's DCSync to dump credentials from the memory of the targeted system.[1]

.001 OS Credential Dumping: LSASS Memory

Operation Wocao has used ProcDump to dump credentials from memory.[1]

Enterprise T1120 Peripheral Device Discovery

Operation Wocao has discovered removable disks attached to a system.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Operation Wocao has used the command net localgroup administrators to list all administrators part of a local group.[1]

Enterprise T1057 Process Discovery

Operation Wocao has collected a list of running processes on the infected system.[1]

Enterprise T1055 Process Injection

Operation Wocao has injected code into a selected process, which in turn launches a command as a child process of the original.[1]

Enterprise T1090 Proxy

Operation Wocao has used a custom proxy tool called "Agent" which has support for multiple hops.[1]

.001 Internal Proxy

Operation Wocao can proxy traffic through multiple infected systems.[1]

.003 Multi-hop Proxy

Operation Wocao has executed commands through the installed web shell via Tor exit nodes.[1]

Enterprise T1012 Query Registry

Operation Wocao has queried the registry to detect recent PuTTY sessions.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.[1]

Enterprise T1018 Remote System Discovery

Operation Wocao can use the ping command to discover remote systems.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Operation Wocao has used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.[1]

Enterprise T1518 Software Discovery

Operation Wocao has collected a list of installed software on the infected system.[1]

.001 Security Software Discovery

Operation Wocao has used scripts to detect security software.[1]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Operation Wocao has used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.[1]

Enterprise T1082 System Information Discovery

Operation Wocao has discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.[1]

Enterprise T1016 System Network Configuration Discovery

Operation Wocao has discovered the local network configuration with ipconfig.[1]

Enterprise T1049 System Network Connections Discovery

Operation Wocao has collected a list of open connections on the infected system using netstat and checks whether it has an internet connection.[1]

Enterprise T1033 System Owner/User Discovery

Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[1]

Enterprise T1007 System Service Discovery

Operation Wocao has used the tasklist command to search for one of its backdoors.[1]

Enterprise T1569 .002 System Services: Service Execution

Operation Wocao has created services on remote systems for execution purposes.[1]

Enterprise T1124 System Time Discovery

Operation Wocao has used the time command to retrieve the current time of a compromised system.[1]

Enterprise T1111 Two-Factor Authentication Interception

Operation Wocao has used a custom collection method to intercept two-factor authentication soft tokens.[1]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.[1]

Enterprise T1078 Valid Accounts

Operation Wocao has used valid VPN credentials to gain initial access.[1]

.003 Local Accounts

Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.[1]

.002 Domain Accounts

Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.[1]

Enterprise T1047 Windows Management Instrumentation

Operation Wocao has used WMI to execute commands.[1]

Software

ID Name References Techniques
S0521 BloodHound [1] Account Discovery: Domain Account, Account Discovery: Local Account, Archive Collected Data, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Native API, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote System Discovery, System Owner/User Discovery
S0105 dsquery [1] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups
S0357 Impacket [1] Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0104 netstat [1] System Network Connections Discovery
S0194 PowerSploit [1] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Portable Executable Injection, Process Injection: Dynamic-link Library Injection, Query Registry, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation

References