Group: APT3, Gothic Panda, ...

From ATT&CK
Group
ID G0022
Aliases APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110

APT3 is a China-based threat group.[1] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][2] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[3]

Alias Descriptions

  • Gothic Panda - [4]
  • Pirpi - [4]

Techniques Used

  • System Owner/User Discovery - An APT3 downloader uses the Windows command "cmd.exe" /C whoami to verify that it is running with the elevated privileges of "System".[2]
  • Command-Line Interface - An APT3 downloader uses the Windows command "cmd.exe" /C whoami.[2] The group also uses a tool to execute commands on remote computers.[3]
  • Scheduled Task - An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".[2]
  • Uncommonly Used Port - An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81.[2]
  • Multi-Stage Channels - An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[2]
  • PowerShell - APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[2]
  • Scripting - APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[2]
  • Input Capture - APT3 has used a keylogging tool that records keystrokes in encrypted files.[3]
  • Credential Dumping - APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig". The group has also used a tool to dump passwords from browsers.[3]
  • Account Discovery - APT3 has used a tool that can obtain information about local and global group users, power users, and administrators.[3]
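As an added example (not from ATT&CK or the cited reports), the following Python turns the downloader behaviours listed above into detection logic run over constructed, simplified process-creation and network-connection records: the whoami privilege check, the schtasks persistence running from C:\Users\Public as System, and the two-stage 1913-then-81 connection sequence. The record field names and the sample events are assumptions; only the command lines, ports and addresses come from this page.

```python
import re

# Constructed sample telemetry (not real captures): the shape a Sysmon/EDR export
# might take after normalisation. Two benign records are mixed in as controls.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": '"cmd.exe" /C whoami'},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"'},
    {"type": "network", "image": r"C:\Users\Public\test.exe",
     "dst_ip": "192.157.198.103", "dst_port": "1913"},
    {"type": "network", "image": r"C:\Users\Public\test.exe",
     "dst_ip": "192.184.60.229", "dst_port": "81"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",  # benign admin task
     "cmdline": r'schtasks /create /tn "Backup" /tr C:\Backup\run.exe /sc DAILY'},
    {"type": "network", "image": r"C:\Program Files\Browser\browser.exe",  # normal HTTPS
     "dst_ip": "203.0.113.10", "dst_port": "443"},
]

# Patterns taken from the technique descriptions on this page.
WHOAMI_RE = re.compile(r'cmd(\.exe)?"?\s+/c\s+whoami\b', re.I)
SCHTASKS_AS_SYSTEM_RE = re.compile(r'schtasks\s+/create\b.*?/ru\s+"?system"?', re.I)
TASK_FROM_PUBLIC_RE = re.compile(r'/tr\s+"?c:\\users\\public\\', re.I)
SUSPECT_PORTS = {"1913", "81"}

def classify(event):
    """Return the ATT&CK technique labels one event matches (empty list if none)."""
    hits = []
    if event["type"] == "process":
        cl = event["cmdline"]
        if WHOAMI_RE.search(cl):
            hits.append("System Owner/User Discovery")
        # Persistence as System from a user-writable path is the combination that matters.
        if SCHTASKS_AS_SYSTEM_RE.search(cl) and TASK_FROM_PUBLIC_RE.search(cl):
            hits.append("Scheduled Task")
    elif event["type"] == "network" and event["dst_port"] in SUSPECT_PORTS:
        hits.append("Uncommonly Used Port")
    return hits

def multi_stage_images(events):
    """Correlate per process image: a connection on 1913 followed later by one on 81."""
    seen_first, flagged = set(), []
    for e in (x for x in events if x["type"] == "network"):
        if e["dst_port"] == "1913":
            seen_first.add(e["image"])
        elif e["dst_port"] == "81" and e["image"] in seen_first and e["image"] not in flagged:
            flagged.append(e["image"])  # "Multi-Stage Channels" candidate
    return flagged

def hunt(events):
    """Return (event, labels) pairs for every event that matched at least one pattern."""
    return [(e, classify(e)) for e in events if classify(e)]
```

The per-event rules are deliberately narrow (System plus a C:\Users\Public task path, not every schtasks call) so the benign control records stay quiet; port 81 alone is noisy on real networks, which is why the sequence correlation is the stronger signal.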

Software