Group: APT3, Gothic Panda, ...

ID G0022
Aliases APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]

APT3 Adversary Emulation Plan

Alias Descriptions

  • APT3 [1][2][4]
  • Gothic Panda [5][2][4]
  • Pirpi [5]
  • UPS Team [1][2][4]
  • Buckeye [4]
  • Threat Group-0110 [2][4]
  • TG-0110 [2][4]

Techniques Used

  • System Owner/User Discovery - An APT3 downloader uses the Windows command "cmd.exe" /C whoami to verify that it is running with the elevated privileges of "System."[3]
  • Command-Line Interface - An APT3 downloader uses the Windows command "cmd.exe" /C whoami.[3] The group also uses a tool to execute commands on remote computers.[4]
  • Scheduled Task - An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".[3]
  • Uncommonly Used Port - An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.[3]
  • Multi-Stage Channels - An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[3]
  • PowerShell - APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3]
  • Scripting - APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3]
  • Input Capture - APT3 has used a keylogging tool that records keystrokes in encrypted files.[4]
  • Credential Dumping - APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig." The group has also used a tool to dump passwords from browsers.[4]
  • Account Discovery - APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.[4]
  • Rundll32 - APT3 has a tool that can run DLLs.[7]
  • Credentials in Files - APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[4]
  • Data Staged - APT3 has been known to stage files for exfiltration in a single location.[8]
  • DLL Side-Loading - APT3 has been known to side-load DLLs with a valid version of Chrome using one of their tools.[9]
  • New Service - APT3 has a tool that creates a new service for persistence.[3]
  • Create Account - APT3 has been known to create or enable accounts, such as support_388945a0.[8]
  • Valid Accounts - APT3 leverages valid accounts after gaining credentials for use within the victim domain.[4]
  • Windows Admin Shares - APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[4]
  • Commonly Used Port - APT3 uses commonly used ports (like HTTPS/443) for command and control.[6]
  • Brute Force - APT3 has been known to brute force password hashes to be able to leverage plain text credentials.[10]
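The Scheduled Task and System Owner/User Discovery entries above give a defender two concrete process-creation patterns to hunt for. The following Python is an added example, not code from the ATT&CK page or its cited reports: it parses a schtasks /create command line into its options and flags the three properties that make the quoted task suspicious (runs as SYSTEM, launches a binary from a user-writable path, triggers at logon), plus a matcher for the cmd.exe /C whoami privilege check. The command lines and writable-path list are constructed for the example.

```python
import re

# Constructed sample process-creation command lines (not taken from any report);
# the first mirrors the schtasks invocation attributed to the APT3 downloader.
SAMPLE_CMDLINES = [
    'schtasks /create /tn "mysc" /tr C:\\Users\\Public\\test.exe /sc ONLOGON /ru "System"',
    'schtasks /create /tn "Backup" /tr "C:\\Program Files\\Vendor\\backup.exe" /sc DAILY /st 02:00',
    'schtasks /query /tn "mysc"',
    '"cmd.exe" /C whoami',
]

# Directories any local user can write to (assumed list); a SYSTEM task launched
# from one of these lets a low-privileged writer run code as SYSTEM.
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# One schtasks option: /name optionally followed by a quoted or unquoted value.
# A bare flag such as /create is followed by the next /option, which the value
# alternative refuses to consume because it may not start with '/'.
OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')
WHOAMI_RE = re.compile(r'cmd(?:\.exe)?"?\s+/c\s+whoami\b', re.IGNORECASE)


def parse_schtasks(cmdline):
    """Return {option: value} for a 'schtasks /create' command line, else None."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return None
    image = parts[0].strip('"').rsplit("\\", 1)[-1].lower()  # handle full paths to the binary
    if image not in ("schtasks", "schtasks.exe"):
        return None
    opts = {k.lower(): v.strip('"') for k, v in OPT_RE.findall(cmdline)}
    return opts if "create" in opts else None


def assess_task(cmdline):
    """Return the list of findings for a task-creation command line (empty if benign-looking)."""
    opts = parse_schtasks(cmdline)
    if opts is None:
        return []
    findings = []
    if opts.get("ru", "").lower() in ("system", "nt authority\\system"):
        findings.append("task runs as SYSTEM")
    if opts.get("tr", "").lower().startswith(WRITABLE_PREFIXES):
        findings.append("task binary lives in a user-writable path")
    if opts.get("sc", "").upper() in ("ONLOGON", "ONSTART"):
        findings.append("task triggers at logon/boot (persistence)")
    return findings


def is_whoami_check(cmdline):
    """True when a shell is spawned solely to run whoami, as in the downloader's privilege check."""
    return bool(WHOAMI_RE.search(cmdline))
```

Feed real Sysmon Event ID 1 or Windows 4688 command lines into assess_task and is_whoami_check; the findings list doubles as the reason string for an alert.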