APT3

APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4]

ID: G0022
Associated Groups: Gothic Panda, Pirpi, UPS Team, Buckeye, Threat Group-0110, TG-0110
Contributors: Patrick Sungbahadoor
Version: 1.4
Created: 31 May 2017
Last Modified: 16 September 2024

Associated Group Descriptions

Name Description
Gothic Panda [5] [2] [4]
Pirpi [5]
UPS Team [1] [2] [4]
Buckeye [4]
Threat Group-0110 [2] [4]
TG-0110 [2] [4]

Techniques Used

Domain ID Name Use
Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

APT3 replaces the Sticky Keys binary C:\Windows\System32\sethc.exe for persistence.[6]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT3 has used tools to dump passwords from browsers.[4]

Enterprise T1005 Data from Local System

APT3 will identify Microsoft Office documents on the victim's computer.[6]

Enterprise T1090 .002 Proxy: External Proxy

An APT3 downloader establishes SOCKS5 connections for its initial C2.[3]

Enterprise T1036 .010 Masquerading: Masquerade Account Name

APT3 has been known to create or enable accounts, such as support_388945a0.[6]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

APT3 has a tool that creates a new service for persistence.[3]

Enterprise T1136 .001 Create Account: Local Account

APT3 has been known to create or enable accounts, such as support_388945a0.[6]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

APT3 has been known to side-load DLLs using a valid version of Chrome with one of their tools.[7][8]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT3 places scripts in the startup folder for persistence.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT3 has used PowerShell on victim systems to download and run payloads after exploitation.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

An APT3 downloader uses the Windows command cmd.exe /C whoami. The group also uses a tool to execute commands on remote computers.[3][4]

Enterprise T1104 Multi-Stage Channels

An APT3 downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81.[3]

Enterprise T1203 Exploitation for Client Execution

APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776.[1][7]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT3 has used tools to compress data before exfiltrating it.[6]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT3 has used a tool to dump credentials by injecting itself into lsass.exe and triggering it with the argument "dig".[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT3 has been known to stage files for exfiltration in a single location.[6]

Enterprise T1083 File and Directory Discovery

APT3 has a tool that looks for files and directories on the local file system.[7][9]

Enterprise T1110 .002 Brute Force: Password Cracking

APT3 has been known to brute-force password hashes in order to obtain plaintext credentials.[10]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT3 leverages valid accounts after gaining credentials for use within the victim domain.[4]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.[4]

Enterprise T1069 Permission Groups Discovery

APT3 has a tool that can enumerate the permissions associated with Windows groups.[4]

Enterprise T1027 Obfuscated Files or Information

APT3 obfuscates files or information to help evade defensive measures.[4]

.002 Obfuscated Files or Information: Software Packing

APT3 has been known to pack their tools.[10][1]

.005 Obfuscated Files or Information: Indicator Removal from Tools

APT3 has been known to remove indicators of compromise from tools.[10]

Enterprise T1204 .001 User Execution: Malicious Link

APT3 has lured victims into clicking malicious links delivered through spearphishing.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

APT3 has a tool that can delete files.[7]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

APT3 has a tool that can run DLLs.[7]

Enterprise T1082 System Information Discovery

APT3 has a tool that can obtain information about the local system.[4][9]

Enterprise T1033 System Owner/User Discovery

An APT3 downloader uses the Windows command cmd.exe /C whoami to verify that it is running with the elevated privileges of "System".[3]

Enterprise T1049 System Network Connections Discovery

APT3 has a tool that can enumerate current network connections.[4][7][9]

Enterprise T1016 System Network Configuration Discovery

A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[4][9]

Enterprise T1087 .001 Account Discovery: Local Account

APT3 has used a tool that can obtain information about local and global group users, power users, and administrators.[4]

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT3 has been known to add created accounts to local admin groups to maintain elevated access.[6]

Enterprise T1105 Ingress Tool Transfer

APT3 has a tool that can copy files to remote machines.[7]

Enterprise T1056 .001 Input Capture: Keylogging

APT3 has used a keylogging tool that records keystrokes in encrypted files.[4]

Enterprise T1057 Process Discovery

APT3 has a tool that can list currently running processes.[7][9]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT3 enables the Remote Desktop Protocol for persistence.[6] APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.[11]

.002 Remote Services: SMB/Windows Admin Shares

APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.[4]

Enterprise T1018 Remote System Discovery

APT3 has a tool that can detect the existence of remote systems.[4][7]

Enterprise T1041 Exfiltration Over C2 Channel

APT3 has a tool that exfiltrates data over the C2 channel.[7]

Enterprise T1566 .002 Phishing: Spearphishing Link

APT3 has sent spearphishing emails containing malicious links.[1]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.[3]

Enterprise T1095 Non-Application Layer Protocol

An APT3 downloader establishes SOCKS5 connections for its initial C2.[3]
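A defender reconstructing the Multi-Stage Channels and External Proxy entries above needs to recover the real CONNECT target from the SOCKS5 bytes the downloader sends to its first-hop server. The parser below is an added example, not code from MITRE or from any APT3 sample; the captured client stream is constructed here from the page's own endpoints (proxy 192.157.198[.]103:1913, CONNECT target 192.184.60[.]229:81), and it assumes greeting and request were captured in order on the client-to-server side of one TCP session.

```python
import ipaddress
import struct

SOCKS_VER = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

def parse_socks5_client(stream: bytes) -> dict:
    """Parse the client side of a SOCKS5 session: greeting, then the request.

    Returns the offered auth methods, the command byte and the requested
    host/port. Raises ValueError on anything that is not well-formed SOCKS5,
    so a caller can distinguish 'not SOCKS5' from 'SOCKS5 to an odd target'.
    """
    if len(stream) < 2 or stream[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = stream[1]
    pos = 2 + nmethods
    if len(stream) < pos:
        raise ValueError("truncated greeting")
    methods = list(stream[2:pos])
    req = stream[pos:]
    if len(req) < 4 or req[0] != SOCKS_VER:
        raise ValueError("missing SOCKS5 request after greeting")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(req[4:20])), 20
    else:
        raise ValueError(f"unknown ATYP {atyp}")
    if len(req) < end + 2:
        raise ValueError("truncated request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"methods": methods, "cmd": cmd, "host": host, "port": port}

def matches_two_hop_pattern(proxy_ip: str, proxy_port: int, stream: bytes) -> bool:
    """True when the session matches the page's described chain: a SOCKS5
    CONNECT via a first hop on TCP/1913 to a second host on TCP/81."""
    parsed = parse_socks5_client(stream)
    return parsed["cmd"] == CMD_CONNECT and proxy_port == 1913 and parsed["port"] == 81

# Constructed sample: greeting offering 'no auth', then CONNECT 192.184.60.229:81.
SAMPLE_STREAM = (b"\x05\x01\x00"
                 + b"\x05\x01\x00\x01" + bytes([192, 184, 60, 229]) + struct.pack("!H", 81))
```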

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System".[3]
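Several of the entries above (the ONLOGON task run as "System" from C:\Users\Public, PowerShell launched with -WindowStyle Hidden, and the downloader's cmd.exe /C whoami check) are visible in process-creation telemetry. The detector below is an added example, not code from MITRE or any vendor; it runs over constructed event records shaped like a minimal Sysmon/EDR process-creation log and assumes the field names image, cmdline and parent. It generalises slightly beyond the page: it also matches the abbreviated -w hidden form PowerShell accepts, and flags any ONLOGON/System task whose target lives in a user-writable directory, not only test.exe.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str      # full path of the created process
    cmdline: str    # command line as logged
    parent: str     # image name of the parent process

ONLOGON_RE   = re.compile(r"/sc\s+onlogon", re.I)
RU_SYSTEM_RE = re.compile(r'/ru\s+"?system"?', re.I)
TR_RE        = re.compile(r'/tr\s+"?([^"\s]+)', re.I)
HIDDEN_RE    = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)   # -WindowStyle Hidden / -w hidden
WHOAMI_RE    = re.compile(r"/c\s+whoami\b", re.I)
# Directories a low-privileged user can write to; a SYSTEM task pointing here is suspect.
USER_WRITABLE = ("c:\\users\\public", "c:\\programdata", "\\temp\\", "\\appdata\\")

def classify(ev: ProcEvent) -> list:
    """Return the ATT&CK IDs from this page that the event matches (empty if benign)."""
    hits = []
    img = ev.image.lower().rsplit("\\", 1)[-1]
    cl = ev.cmdline
    if img == "schtasks.exe" and "/create" in cl.lower():
        m = TR_RE.search(cl)
        target = m.group(1).lower() if m else ""
        if ONLOGON_RE.search(cl) and RU_SYSTEM_RE.search(cl) and any(d in target for d in USER_WRITABLE):
            hits.append("T1053.005")
    if img in ("powershell.exe", "pwsh.exe") and HIDDEN_RE.search(cl):
        hits.append("T1564.003")
    if img == "cmd.exe" and WHOAMI_RE.search(cl):
        hits.append("T1033")
    return hits

def scan(events: list) -> list:
    """Return (index, hits) for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]

# Constructed sample events; the first three mirror the command lines on this page.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"', "test.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\run.ps1", "test.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /C whoami", "test.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /tr "C:\Program Files\Backup\bk.exe" /sc DAILY /ru "System"', "mmc.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1", "explorer.exe"),
]
```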

Software

ID Name References Techniques
S0349 LaZagne [4] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Keychain, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, Unsecured Credentials: Credentials In Files
S0165 OSInfo [4] Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Account Discovery: Local Account, Account Discovery: Domain Account, Remote System Discovery
S0013 PlugX [8] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0166 RemoteCMD [4] System Services: Service Execution, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task
S0111 schtasks [3] Scheduled Task/Job: Scheduled Task
S0063 SHOTPUT [1] File and Directory Discovery, Obfuscated Files or Information, System Network Connections Discovery, Account Discovery: Local Account, Process Discovery, Remote System Discovery

References