| Name | Description |
|---|---|
| Blind Eagle | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | APT-C-36 has disguised its scheduled tasks as those used by Google.[1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.[1] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT-C-36 obtained and used a modified variant of Imminent Monitor.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT-C-36 has used spearphishing emails with a password protected RAR attachment to avoid being detected by the email gateway.[1] |
| Enterprise | T1571 | Non-Standard Port | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google.[1] |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0434 | Imminent Monitor | [1] | Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter, Impair Defenses: Disable or Modify Tools, File and Directory Discovery, Native API, Obfuscated Files or Information, Indicator Removal: File Deletion, Video Capture, Resource Hijacking: Compute Hijacking, Input Capture: Keylogging, Process Discovery, Remote Services: Remote Desktop Protocol, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Files and Directories, Audio Capture |