1. Home
  2. Groups
  3. ZIRCONIUM

ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

ID: G0128
Associated Groups: APT31, Violet Typhoon
Version: 2.1
Created: 24 March 2021
Last Modified: 10 October 2024
Version Permalink

Associated Group Descriptions

Name Description
APT31

[2]
Violet Typhoon

[3]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

ZIRCONIUM has purchased domains for use in targeted campaigns.[1]
.006 Acquire Infrastructure: Web Services

ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[4][5]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.[5]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[5]
.006 Command and Scripting Interpreter: Python

ZIRCONIUM has used Python-based implants to interact with compromised hosts.[4][5]
Enterprise T1584 .008 Compromise Infrastructure: Network Devices

ZIRCONIUM has compromised network devices such as small office and home office (SOHO) routers and IoT devices for ORB (operational relay box) Proxy networks.[6][7]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.[5]
Enterprise T1140 Deobfuscate/Decode Files or Information

ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.[2]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

ZIRCONIUM has used AES encrypted communications in C2.[5]
Enterprise T1041 Exfiltration Over C2 Channel

ZIRCONIUM has exfiltrated files via the Dropbox API C2.[5]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ZIRCONIUM has exfiltrated stolen data to Dropbox.[5]
Enterprise T1068 Exploitation for Privilege Escalation

ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.[2]
Enterprise T1105 Ingress Tool Transfer

ZIRCONIUM has used tools to download malicious files to compromised hosts.[5]
Enterprise T1036 Masquerading

ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.[4][5]
.004 Masquerade Task or Service

ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[5]
Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

ZIRCONIUM has used multi-stage packers for exploit code.[2]
Enterprise T1566 .002 Phishing: Spearphishing Link

ZIRCONIUM has used malicious links in e-mails to deliver malware.[1][4][5]
Enterprise T1598 Phishing for Information

ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.[4]
.003 Spearphishing Link

ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URL's.[1]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

ZIRCONIUM has utilized an ORB (operational relay box) network – consisting compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to proxy traffic.[7]

Enterprise T1012 Query Registry

ZIRCONIUM has used a tool to query the Registry for proxy settings.[5]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.[5]
Enterprise T1082 System Information Discovery

ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.[5]
Enterprise T1016 System Network Configuration Discovery

ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[5]
Enterprise T1033 System Owner/User Discovery

ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[5]
Enterprise T1124 System Time Discovery

ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[5]
Enterprise T1204 .001 User Execution: Malicious Link

ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[4][5]
Enterprise T1102 .002 Web Service: Bidirectional Communication

ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.[4][5]

References

  1. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  2. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.
  3. Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  4. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
  1. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  2. Cimpanu, Catalin. (2021, July 20). Chinese hacking group APT31 uses mesh of home routers to disguise attacks. Retrieved July 8, 2024.
  3. Raggi, Michael. (2024, May 22). IOC Extinction? China-Nexus Cyber Espionage Actors Use ORB Networks to Raise Cost on Defenders. Retrieved July 8, 2024.