Group: APT3
Aliases: APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]
- System Owner/User Discovery - An APT3 downloader uses the Windows command "cmd.exe" /C whoami to verify that it is running with the elevated privileges of "System".[3]
- Command-Line Interface - An APT3 downloader uses the Windows command "cmd.exe" /C whoami.[3] The group also uses a tool to execute commands on remote computers.[4]
- Scheduled Task - An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".[3]
- Uncommonly Used Port - An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.[3]
- Standard Non-Application Layer Protocol - An APT3 downloader establishes SOCKS5 connections for its initial C2.[3]
- Multi-Stage Channels - An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[3]
- PowerShell - APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3]
- Scripting - APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3]
- System Network Configuration Discovery - A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[4]
- Credential Dumping - APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig". The group has also used a tool to dump passwords from browsers.[4]
- Account Discovery - APT3 has used a tool that can obtain information about local and global group users, power users, and administrators.[4]
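The two host-side behaviours above (the whoami privilege check and the ONLOGON task running as "System" from C:\Users\Public) are easy to express as process-creation detections. The following is an added example, not code from ATT&CK or from any APT3 report; the Sysmon-style event records are constructed here, and the field names (Image, ParentImage, CommandLine) and user-writable path list are assumptions.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real
# telemetry. Events 0 and 1 reuse the exact APT3 command lines quoted on this page.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\Public\test.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"cmd.exe" /C whoami'},
    {"ParentImage": r"C:\Users\Public\test.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C whoami'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr C:\Tools\backup.exe /sc DAILY /ru "SYSTEM"'},
]

# Assumed list of directories any local user can write to; a SYSTEM task whose
# action binary lives here is suspect regardless of the task name.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SCHTASKS_FLAG = re.compile(r'/(tn|tr|sc|ru)\s+("[^"]*"|\S+)', re.IGNORECASE)
WHOAMI = re.compile(r'\bwhoami(\.exe)?\b', re.IGNORECASE)

def in_user_writable(path: str) -> bool:
    p = path.strip('"').lower()
    return any(p.startswith(prefix) for prefix in USER_WRITABLE)

def parse_schtasks(cmdline: str) -> dict:
    """Map lower-cased schtasks switch name -> value (surrounding quotes stripped)."""
    return {k.lower(): v.strip('"') for k, v in SCHTASKS_FLAG.findall(cmdline)}

def check_event(ev: dict) -> list:
    """Return the names of the rules this single process-creation event trips."""
    hits = []
    image = ev["Image"].lower()
    cmd = ev["CommandLine"]
    if image.endswith("schtasks.exe") and "/create" in cmd.lower():
        opts = parse_schtasks(cmd)
        # Rule 1: task created to run as System whose action lives in a user-writable path.
        if opts.get("ru", "").lower() == "system" and in_user_writable(opts.get("tr", "")):
            hits.append("schtasks_system_from_user_writable")
    # Rule 2: whoami privilege check spawned by a binary running from a user-writable path.
    if image.endswith("cmd.exe") and WHOAMI.search(cmd) and in_user_writable(ev["ParentImage"]):
        hits.append("whoami_from_user_writable_parent")
    return hits

def scan(events: list) -> list:
    """Return (event index, rule name) pairs for every rule hit across the event list."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Events 2 and 3 are the benign controls: an interactive whoami from explorer.exe and a SYSTEM task whose binary sits outside user-writable space both stay silent.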
- [1] Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- [2] Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.
- [3] Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.