APT5

APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]

ID: G1023
Associated Groups: Mulberry Typhoon, MANGANESE, BRONZE FLEETWOOD, Keyhole Panda, UNC2630
Contributors: @_montysecurity
Version: 1.0
Created: 05 February 2024
Last Modified: 14 March 2024

Associated Group Descriptions

Name Description
Mulberry Typhoon [7][2]
MANGANESE [7][1]
BRONZE FLEETWOOD [8]
Keyhole Panda [7][8]
UNC2630 [1]

Techniques Used

Domain ID Name Use
Enterprise T1554 Compromise Host Software Binary

APT5 has modified legitimate binaries and scripts for Pulse Secure VPNs, including the legitimate DSUpgrade.pm file, to install the ATRIUM webshell for persistence.[3][4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

APT5 has named exfiltration archives to mimic Windows Updates, at times using filenames with a KB<digits>.zip pattern.[4]

Enterprise T1136 .001 Create Account: Local Account

APT5 has created Local Administrator accounts to maintain access to systems with short-cycle credential rotation.[4]

Enterprise T1190 Exploit Public-Facing Application

APT5 has exploited vulnerabilities in externally facing software and devices, including Pulse Secure VPNs and Citrix Application Delivery Controllers.[3][4][1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT5 has used PowerShell to accomplish tasks within targeted environments.[4]

.003 Command and Scripting Interpreter: Windows Command Shell

APT5 has used cmd.exe for execution on compromised systems.[4]

Enterprise T1562 .006 Impair Defenses: Indicator Blocking

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to prevent certain log events from occurring.[4]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT5 has used the JAR/ZIP file format for exfiltrated files.[4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT5 has used the Task Manager process to target LSASS process memory in order to obtain NTLM password hashes. APT5 has also dumped clear text passwords and hashes from memory using Mimikatz hosted through an RDP mapped drive.[4]

.002 OS Credential Dumping: Security Account Manager

APT5 has copied and exfiltrated the SAM Registry hive from targeted systems.[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

APT5 has staged data on compromised systems prior to exfiltration, often in C:\Users\Public.[4]
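The two file-naming and staging behaviours above (Windows Update look-alike KB<digits>.zip archives, and archives staged under C:\Users\Public) can be turned into a simple file-event check. This is an added detection example, not part of the ATT&CK page; the file-creation events, field names and host names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample file-creation events (not from the page): host, user, created path.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "user": "jdoe", "path": r"C:\Users\jdoe\Documents\report.docx"},
    {"host": "ws01", "user": "svc_backup", "path": r"C:\Users\Public\KB5021233.zip"},
    {"host": "srv02", "user": "admin", "path": r"C:\Users\Public\staging\data.jar"},
    {"host": "ws03", "user": "jdoe", "path": r"C:\Windows\SoftwareDistribution\Download\x.cab"},
    {"host": "ws04", "user": "alice", "path": r"D:\share\KB12.zip"},
]

# Archive names mimicking Windows Update packages: "KB" + digits, zipped (T1036.005 as described).
FAKE_KB_ARCHIVE = re.compile(r"^KB\d+\.zip$", re.IGNORECASE)
# Archive formats the page associates with APT5 exfiltration (JAR/ZIP, T1560.001).
ARCHIVE_EXT = (".zip", ".jar")
# Staging directory named on the page (T1074.001); compared case-insensitively.
PUBLIC_STAGING = "c:\\users\\public\\"


def basename(path: str) -> str:
    """Return the final path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of matched indicators for one file-creation event (empty if benign)."""
    reasons: List[str] = []
    path = event["path"]
    name = basename(path)
    if FAKE_KB_ARCHIVE.match(name):
        reasons.append("kb_named_zip")
    if path.lower().startswith(PUBLIC_STAGING) and name.lower().endswith(ARCHIVE_EXT):
        reasons.append("archive_in_public")
    return reasons


def find_suspicious(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Filter events down to those matching at least one indicator, annotated with the reasons."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["path"], ",".join(hit["reasons"]))
```

Genuine Windows Update content lands under C:\Windows\SoftwareDistribution as .cab/.msu payloads, not as user-writable ZIP files, so the name pattern alone is a reasonable triage signal and the combination with the Public staging path is stronger.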

Enterprise T1083 File and Directory Discovery

APT5 has used the BLOODMINE utility to discover files with .css, .jpg, .png, .gif, .ico, .js, and .jsp extensions in Pulse Secure Connect logs.[4]

Enterprise T1654 Log Enumeration

APT5 has used the BLOODMINE utility to parse and extract information from Pulse Secure Connect logs.[4]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

APT5 has used legitimate account credentials to move laterally through compromised environments.[3]

.004 Valid Accounts: Cloud Accounts

APT5 has accessed Microsoft M365 cloud environments using stolen credentials.[4]

Enterprise T1505 .003 Server Software Component: Web Shell

APT5 has installed multiple web shells on compromised servers, including on Pulse Secure VPN appliances.[3][4]

Enterprise T1070 Indicator Removal

APT5 has used the THINBLOOD utility to clear SSL VPN log files located at /home/runtime/logs.[3][4]

.003 Indicator Removal: Clear Command History

APT5 has cleared the command history on targeted ESXi servers.[4]

.004 Indicator Removal: File Deletion

APT5 has deleted scripts and web shells to evade detection.[3][4]

.006 Indicator Removal: Timestomp

APT5 has modified file timestamps.[4]

Enterprise T1049 System Network Connections Discovery

APT5 has used the BLOODMINE utility to collect data on web requests from Pulse Secure Connect logs.[4]

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

APT5 has created their own accounts with Local Administrator privileges to maintain access to systems with short-cycle credential rotation.[4]

Enterprise T1056 .001 Input Capture: Keylogging

APT5 has used malware with keylogging capabilities to monitor the communications of targeted entities.[5][6]

Enterprise T1057 Process Discovery

APT5 has used Windows-based utilities, including tasklist.exe, to carry out tasks.[4]

Enterprise T1055 Process Injection

APT5 has used the CLEANPULSE utility to insert command line strings into a targeted process to alter its functionality.[4]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

APT5 has moved laterally throughout victim environments using RDP.[4]

.004 Remote Services: SSH

APT5 has used SSH for lateral movement in compromised environments, including to gain access to ESXi host servers.[4]

Enterprise T1053 .003 Scheduled Task/Job: Cron

APT5 has made modifications to the crontab file, including in /var/cron/tabs/.[1]

Software

ID Name References Techniques
S0032 gh0st RAT [8] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0002 Mimikatz [4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [4] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [4] System Network Connections Discovery
S1109 PACEMAKER [3] Command and Scripting Interpreter: Unix Shell, OS Credential Dumping: Proc Filesystem, Data Staged: Local Data Staging, File and Directory Discovery, Automated Collection, Process Injection: Ptrace System Calls
S1050 PcShare [8] Event Triggered Execution: Component Object Model Hijacking, Data from Local System, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Native API, Query Registry, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, Video Capture, Input Capture: Keylogging, Process Discovery, Process Injection, Exfiltration Over C2 Channel
S0012 PoisonIvy [6] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S1108 PULSECHECK [3] Command and Scripting Interpreter: Unix Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Server Software Component: Web Shell
S1113 RAPIDPULSE [4] Data from Local System, Deobfuscate/Decode Files or Information, Server Software Component: Web Shell, Obfuscated Files or Information: Encrypted/Encoded File
S0007 Skeleton Key [8] Modify Authentication Process: Domain Controller Authentication
S1110 SLIGHTPULSE [3][4] Data from Local System, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter, Application Layer Protocol: Web Protocols, Data Staged: Local Data Staging, Data Encoding: Standard Encoding, Server Software Component: Web Shell, Ingress Tool Transfer
S1104 SLOWPULSE [3] Compromise Host Software Binary, Modify Authentication Process: Network Device Authentication, Modify Authentication Process: Multi-Factor Authentication, Multi-Factor Authentication Interception, Data Staged: Local Data Staging, Obfuscated Files or Information
S0057 Tasklist [4] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery

References