Group: APT1, Comment Crew, ...

From ATT&CK
Jump to: navigation, search
APT1, Comment Crew, ...
Group
ID G0006
Aliases APT1, Comment Crew, Comment Group, Comment Panda

APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.1

Alias Descriptions

  • Comment Panda - 2

Techniques Used

  • Masquerading - The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by APT1 as a name for malware.3
  • Email Collection - APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files, and MAPIGET steals email still on Exchange servers that has not yet been archived.1
  • Scripting - APT1 has used batch scripting to automate execution of commands.1
  • Data Compressed - APT1 has used RAR to compress files before moving them outside of the victim network.1

Software