Group: APT3, Gothic Panda, ...

Aliases: APT3, Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security. [1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. [1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. [4]
- System Owner/User Discovery - An APT3 downloader uses the Windows command "cmd.exe" /C whoami to verify that it is running with the elevated privileges of "System." [3]
- Command-Line Interface - An APT3 downloader uses the Windows command "cmd.exe" /C whoami. [3] The group also uses a tool to execute commands on remote computers. [4]
- Scheduled Task - An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System". [3]
- Uncommonly Used Port - An APT3 downloader establishes SOCKS5 connections to two separate IP addresses over TCP port 1913 and TCP port 81. [3]
- Standard Non-Application Layer Protocol - An APT3 downloader establishes SOCKS5 connections for its initial C2. [3]
- Multi-Stage Channels - An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81. [3]
- PowerShell - APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [3]
- Scripting - APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [3]
- System Network Configuration Discovery - A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway. [4][6]
- Credential Dumping - APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument "dig." The group has also used tools to dump passwords from browsers. [4]
- Account Discovery - APT3 has used a tool that can obtain information about local and global group users, power users, and administrators. [4]
- System Information Discovery - APT3 has a tool that can obtain information about the local system. [4][6]
- System Network Connections Discovery - APT3 has a tool that can enumerate current network connections. [4][7][6]
- Permission Groups Discovery - APT3 has a tool that can enumerate the permissions associated with Windows groups. [4]
- Exfiltration Over Command and Control Channel - APT3 has a tool that exfiltrates data over the C2 channel. [7]
- File and Directory Discovery - APT3 has a tool that looks for files and directories on the local file system. [7][6]
- Credentials in Files - APT3 has a tool that can locate credentials in files on the file system, such as those from Firefox or Chrome. [4]
- Obfuscated Files or Information - APT3 obfuscates files or information to help evade defensive measures. [4]
- DLL Side-Loading - APT3 has been known to side-load DLLs with a valid version of Chrome with one of their tools. [9]
- Accessibility Features - APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence. [8]
- Valid Accounts - APT3 leverages valid accounts after gaining credentials for use within the victim domain. [4]
- Windows Admin Shares - APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement. [4]
- Brute Force - APT3 has been known to brute force password hashes to be able to leverage plain text credentials. [10]
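The Scheduled Task, Accessibility Features and Multi-Stage Channels entries above each describe host or network behaviour that endpoint telemetry can surface. The following is an added detection example written for this page; it is not MITRE's code or anything from the cited reports. It runs three checks over a handful of constructed, Sysmon-like records (the field names "type", "pid", "image", "parent_image", "cmdline", "original_file_name", "dst_ip" and "dst_port" and the 192.0.2.x addresses are assumptions for the example, not real telemetry): a schtasks /create invocation that combines an ONLOGON trigger, a binary under C:\Users\Public and a System run-as; a process launched from the sethc.exe path whose original file name is not sethc.exe; and a single process that connects to TCP port 1913 and later to TCP port 81, which is the ordered staging described above.

```python
"""Detection checks for the APT3 behaviours described on this page.

Added example, not code from MITRE or the cited reports. The record shape
below is a simplified, Sysmon-like layout chosen for the example.
"""
import re
from collections import defaultdict

# Constructed sample records (not real telemetry); IPs are from the
# documentation range 192.0.2.0/24, not the addresses named on the page.
EVENTS = [
    # a downloader spawns schtasks.exe to create an ONLOGON task, run as System,
    # whose binary lives under C:\Users\Public (matches the page's command line)
    {"type": "process", "pid": 1001, "parent_image": r"C:\Users\Public\test.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"',
     "original_file_name": "schtasks.exe"},
    # an ordinary daily task created from an admin console: no alert expected
    {"type": "process", "pid": 1002, "parent_image": r"C:\Windows\System32\mmc.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\run.exe" /sc DAILY',
     "original_file_name": "schtasks.exe"},
    # sethc.exe path launched by winlogon, but the binary's original name is cmd.exe
    {"type": "process", "pid": 1003, "parent_image": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\sethc.exe", "cmdline": "sethc.exe 211",
     "original_file_name": "Cmd.Exe"},
    # the genuine Sticky Keys binary: no alert expected
    {"type": "process", "pid": 1004, "parent_image": r"C:\Windows\System32\winlogon.exe",
     "image": r"C:\Windows\System32\sethc.exe", "cmdline": "sethc.exe 211",
     "original_file_name": "sethc.exe"},
    # one process connects first to port 1913 and then to port 81
    {"type": "network", "pid": 1005, "image": r"C:\Users\Public\test.exe",
     "dst_ip": "192.0.2.10", "dst_port": 1913},
    {"type": "network", "pid": 1005, "image": r"C:\Users\Public\test.exe",
     "dst_ip": "192.0.2.20", "dst_port": 81},
    # a lone connection to port 81 is not the staged pattern: no alert expected
    {"type": "network", "pid": 1006, "image": r"C:\Program Files\Browser\browser.exe",
     "dst_ip": "192.0.2.30", "dst_port": 81},
]

ONLOGON = re.compile(r"/sc\s+ONLOGON", re.IGNORECASE)
PUBLIC_DIR = re.compile(r"C:\\Users\\Public\\", re.IGNORECASE)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?system"?', re.IGNORECASE)
STAGE_PORTS = (1913, 81)  # order matters: 1913 first, then 81


def detect_logon_task(ev):
    """Flag schtasks /create calls that show at least two of the three traits
    seen in the page's command: ONLOGON trigger, C:\\Users\\Public binary, System run-as."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = ev["cmdline"]
    if "/create" not in cmd.lower():
        return None
    reasons = []
    if ONLOGON.search(cmd):
        reasons.append("ONLOGON trigger")
    if PUBLIC_DIR.search(cmd):
        reasons.append("task binary under C:\\Users\\Public")
    if RUN_AS_SYSTEM.search(cmd):
        reasons.append("runs as System")
    if len(reasons) >= 2:
        return f"pid {ev['pid']}: suspicious scheduled task ({', '.join(reasons)})"
    return None


def detect_sethc_replacement(ev):
    """Flag a process started from the sethc.exe path whose embedded original
    file name is not sethc.exe, i.e. the accessibility binary was replaced."""
    if ev["type"] != "process" or not ev["image"].lower().endswith(r"\sethc.exe"):
        return None
    original = ev.get("original_file_name", "")
    if original.lower() != "sethc.exe":
        return f"pid {ev['pid']}: sethc.exe path runs a binary originally named {original!r}"
    return None


def detect_multistage_c2(events):
    """Flag any process whose outbound connections hit port 1913 and later port 81."""
    ports_by_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "network":
            ports_by_pid[ev["pid"]].append(ev["dst_port"])
    alerts = []
    for pid, ports in ports_by_pid.items():
        stage = 0  # index into STAGE_PORTS; advances only in order
        for port in ports:
            if port == STAGE_PORTS[stage]:
                stage += 1
                if stage == len(STAGE_PORTS):
                    alerts.append(f"pid {pid}: staged connections on ports {STAGE_PORTS}")
                    break
    return alerts


def run(events):
    """Apply every check and return the list of alert strings."""
    alerts = []
    for ev in events:
        for check in (detect_logon_task, detect_sethc_replacement):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    alerts.extend(detect_multistage_c2(events))
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

The scheduled-task check deliberately requires two of the three traits rather than a literal match on "mysc" or "test.exe", since task names and paths are trivially changed while the combination of a logon trigger, a world-writable staging directory and a System run-as is what makes the page's command worth a look. The sethc check relies on the original file name recorded in the binary's version resource, which Sysmon exposes for process-creation events; a hash comparison against a known-good sethc.exe is an equally valid alternative.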
- [1] Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- [2] Insikt Group (Recorded Future). (2017, May 17). Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3. Retrieved June 18, 2017.
- [3] Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- [4] Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- [5] Lancaster, T. (2015, July 25). A tale of Pirpi, Scanbox & CVE-2015-3113. Retrieved March 30, 2016.
- [6] Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
- [7] Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
- [8] valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
- [9] Scott, M. (2014, June 10). Clandestine Fox, Part Deux. Retrieved January 14, 2016.
- [10] Korban, C., et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.