Tactics, Techniques, and Procedures (TTPs) - APTs Edition

This document surveys the tactics, techniques, and procedures (TTPs) used by the major APT groups: well-resourced actors with access to advanced tooling, many of them linked to state actors and other organized threat groups.

Generally, APT groups rely on a fairly stable set of tactics, but in some cases they adapt to circumstances and change how they carry out their attacks. The difficulty of detecting and attributing a campaign therefore depends heavily on the tactics used to perform it.

APT groups are organizations that conduct attacks against a country's information assets of national security or strategic economic importance, through either cyberespionage or cybersabotage.

The techniques and software used by each group are listed below (technique names follow the MITRE ATT&CK framework, with the group-specific behaviour in parentheses):


APT-C-36 is a suspected South American espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, the petroleum industry, and professional manufacturing.

Techniques: Command and Scripting Interpreter: Visual Basic (embedded a VBScript within a malicious Word document that executes when the document is opened), Ingress Tool Transfer (downloaded binary data from a specified domain after the malicious document is opened), Masquerading: Masquerade Task or Service (disguised its scheduled tasks as those used by Google).

Software: Imminent Monitor (Audio Capture, Command and Scripting Interpreter, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Native API, Obfuscated Files or Information, Process Discovery, Remote Services: Remote Desktop Protocol, Resource Hijacking, Video Capture)
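The scheduled-task masquerade above is cheap to hunt for: a task whose name claims to be Google's should run a binary from Google's install directory, and nothing else. The following is an added example (not APT-C-36 tooling and not code from the original page) that applies that check to a constructed CSV in the layout of `schtasks /query /fo CSV /v`; the column names assume an English-language Windows and the trusted directories are an assumption to tune for your estate.

```python
"""Hunt for scheduled tasks that borrow Google's task names but run from an
unexpected location.  Added example, not APT-C-36 tooling or the page's own
code; the input is a constructed CSV in the layout of
`schtasks /query /fo CSV /v` (column names assume an English Windows)."""
import csv
import io
import ntpath

# Assumption: the genuine Google updater tasks run from these directories.
# Tune for your estate; per-user installs live under %LocalAppData%.
TRUSTED_GOOGLE_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)

# Constructed sample: one legitimate task, one that copies the naming scheme
# but runs a binary from a user-writable path, and one unrelated task.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Task To Run"\n'
    '"WS01","\\GoogleUpdateTaskMachineUA","C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua /installsource scheduler"\n'
    '"WS01","\\GoogleUpdateTaskMachineCore","C:\\Users\\Public\\Libraries\\GoogleUpdate.exe /c"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -k -g -$"\n'
)


def executable_from_command(command: str) -> str:
    """Return the executable path from a 'Task To Run' value.

    schtasks prints the command unquoted even when the path has spaces, so
    cut at the first '.exe'; honour a quoted path if one is present.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    idx = command.lower().find(".exe")
    if idx != -1:
        return command[: idx + 4]
    return command.split(" ", 1)[0]


def is_masquerading_google_task(task_name: str, command: str) -> bool:
    """True when the task name claims to be Google's but the binary does not
    live under a trusted Google directory."""
    if "google" not in task_name.lower():
        return False
    exe_dir = ntpath.dirname(ntpath.normpath(executable_from_command(command))).lower()
    return not any(
        exe_dir == trusted or exe_dir.startswith(trusted + "\\")
        for trusted in TRUSTED_GOOGLE_DIRS
    )


def find_masquerading_tasks(schtasks_csv: str) -> list:
    """Return the names of tasks in the CSV that fail the path check."""
    reader = csv.DictReader(io.StringIO(schtasks_csv))
    return [
        row["TaskName"]
        for row in reader
        if is_masquerading_google_task(row["TaskName"], row["Task To Run"])
    ]


if __name__ == "__main__":
    for name in find_masquerading_tasks(SAMPLE_SCHTASKS_CSV):
        print("suspicious task:", name)
```

In a real hunt, feed the script the CSV exported from each host and pair the path check with the task's Author field and the binary's Authenticode signature; a correct path alone is not proof, since an attacker with write access to the Google directory could still plant a binary there.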


APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

Techniques: Account Discovery: Local Account (used the commands net localgroup, net user, and net group to find accounts on the system), Acquire Infrastructure: Domains (has registered hundreds of domains for use in operations), Command and Scripting Interpreter: Windows Command Shell (has used the Windows command shell to execute commands, and batch scripting to automate execution), Data from Local System (has collected files from a local victim), Phishing: Spearphishing Attachment (sent spearphishing emails containing malicious attachments), OS Credential Dumping: LSASS Memory (used Mimikatz to dump credentials)

Software: BISCUIT (Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Asymmetric Cryptography, Fallback Channels, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Screen Capture, System Information Discovery, System Owner/User Discovery), Cachedump (OS Credential Dumping: Cached Domain Credentials), ipconfig (System Network Configuration Discovery)
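Two of the APT1 behaviours above leave very recognizable traces in endpoint telemetry: a run of `net user` / `net localgroup` / `net group` commands from one account in a short window, and a non-system process opening LSASS with memory-read access (the access Mimikatz needs). The following is an added example, not APT1's or the page's code, that runs both hunts over a handful of constructed events shaped like Sysmon process-creation (event 1) and process-access (event 10) records; the field names, the five-minute window, the threshold of three commands and the allowlist of benign LSASS readers are all assumptions to adjust for your environment.

```python
"""Two hunts over constructed Sysmon-style events (Python dicts, not real
telemetry): a burst of `net` account-discovery commands from one user on one
host, and non-allowlisted processes opening LSASS with read access.
Added example, not the page's or APT1's code."""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_VERBS = ("user", "localgroup", "group")
PROCESS_VM_READ = 0x0010  # access right any LSASS memory reader must hold
# Assumption: benign LSASS readers on a typical workstation; tune per estate.
LSASS_READER_ALLOWLIST = ("\\csrss.exe", "\\wininit.exe", "\\msmpeng.exe")

# Constructed events: event_id 1 = process creation, 10 = process access.
SAMPLE_EVENTS = [
    {"ts": "2023-05-04T10:00:01", "host": "WS01", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\System32\\net.exe", "command_line": "net user"},
    {"ts": "2023-05-04T10:00:05", "host": "WS01", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\System32\\net.exe", "command_line": "net localgroup administrators"},
    {"ts": "2023-05-04T10:00:09", "host": "WS01", "user": "CORP\\jdoe", "event_id": 1,
     "image": "C:\\Windows\\System32\\net1.exe", "command_line": 'net1 group "domain admins" /domain'},
    {"ts": "2023-05-04T10:00:20", "host": "WS01", "user": "CORP\\jdoe", "event_id": 10,
     "source_image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\mim.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2023-05-04T10:30:00", "host": "WS02", "user": "CORP\\admin", "event_id": 1,
     "image": "C:\\Windows\\System32\\net.exe", "command_line": "net user"},
    {"ts": "2023-05-04T10:30:01", "host": "WS02", "user": "NT AUTHORITY\\SYSTEM", "event_id": 10,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"},
]


def is_net_discovery(event: dict) -> bool:
    """net.exe / net1.exe invoked with one of the account-enumeration verbs."""
    if event.get("event_id") != 1:
        return False
    if not event.get("image", "").lower().endswith(("\\net.exe", "\\net1.exe")):
        return False
    parts = event.get("command_line", "").lower().split()
    return len(parts) >= 2 and parts[1] in DISCOVERY_VERBS


def discovery_bursts(events, window=timedelta(minutes=5), threshold=3) -> list:
    """(host, user, count) for every actor whose densest `window` of
    discovery commands reaches `threshold`; sliding-window over sorted times."""
    by_actor = defaultdict(list)
    for event in events:
        if is_net_discovery(event):
            by_actor[(event["host"], event["user"])].append(datetime.fromisoformat(event["ts"]))
    hits = []
    for (host, user), times in by_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits.append((host, user, best))
    return sorted(hits)


def lsass_access(events) -> list:
    """Source images that opened lsass.exe with PROCESS_VM_READ and are not
    on the allowlist.  0x1010 is a value commonly seen from memory readers."""
    hits = []
    for event in events:
        if event.get("event_id") != 10:
            continue
        if not event.get("target_image", "").lower().endswith("\\lsass.exe"):
            continue
        access = int(event.get("granted_access", "0x0"), 16)
        if not access & PROCESS_VM_READ:
            continue
        source = event.get("source_image", "")
        if source.lower().endswith(LSASS_READER_ALLOWLIST):
            continue
        hits.append(source)
    return hits


if __name__ == "__main__":
    print("discovery bursts:", discovery_bursts(SAMPLE_EVENTS))
    print("LSASS readers:", lsass_access(SAMPLE_EVENTS))
```

The burst logic deliberately keys on host and user rather than on a single command, because one `net user` from an administrator is routine while three enumeration verbs in a few seconds from a workstation user is not; the LSASS check keys on the access mask rather than the tool name, since a renamed Mimikatz still has to ask for read access.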


APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165. This group has been active since at least 2004. APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. 

Techniques: Access Token Manipulation: Token Impersonation/Theft (used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation), Acquire Infrastructure: Domains (registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations), Active Scanning: Vulnerability Scanning, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute Force, Phishing: Spearphishing Attachment.

Software: Cannon, certutil, CHOPSTICK, LoJax
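The domain-registration behaviour above (names imitating NATO, the OSCE and similar organizations) is something a defender can watch for in new-registration or passive-DNS feeds. The following is an added example, not APT28's or the page's code, that scores candidate domains against a small watch list using three checks: homoglyph normalization, brand-substring containment and edit distance. The watch list, the allowlisted legitimate domains and the `.example` candidate names are all constructed; the homoglyph table is minimal and the registrable label is taken naively (no public-suffix list), both assumptions to refine for production use.

```python
"""Score newly seen domains against a watch list of imitated organizations.
Added example, not the page's or APT28's code.  The watch list, allowlist
and candidate domains are constructed; the homoglyph table is a minimal one
and the registrable label is taken naively (no public-suffix list)."""

BRANDS = ("nato", "osce")  # assumption: labels an adversary might imitate
LEGITIMATE = {"nato.int", "osce.org"}  # assumption: the organizations' own domains
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "rn": "m", "vv": "w"}

# Constructed candidates, as they might arrive from a new-registration feed.
CONSTRUCTED_CANDIDATES = [
    "nato.int",               # legitimate, allowlisted
    "n4to.example",           # digit standing in for a letter
    "nat0-news.example",      # brand embedded in a longer label
    "os-ce.example",          # one edit away from the brand
    "natural-foods.example",  # benign near-miss, must not fire
]


def registrable_label(domain: str) -> str:
    """Second-level label; assumption: no multi-part public suffixes."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize_label(label: str) -> str:
    """Fold common look-alike glyphs back to the letters they imitate."""
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brands=BRANDS, legitimate=LEGITIMATE, max_distance=1):
    """Return (domain, brand, reason) for a look-alike, None otherwise.
    Checks run strongest first so the reported reason is the tightest match."""
    if domain.lower() in legitimate:
        return None
    label = normalize_label(registrable_label(domain))
    for brand in brands:
        if label == brand:
            return (domain, brand, "homoglyph-or-exact")
        if len(brand) >= 4 and brand in label:
            return (domain, brand, "contains-brand")
        if levenshtein(label, brand) <= max_distance:
            return (domain, brand, "edit-distance")
    return None


def flag_lookalikes(candidates, **kwargs) -> list:
    """Filter a batch of domains down to the ones that match a brand."""
    return [hit for hit in (classify_domain(d, **kwargs) for d in candidates) if hit]


if __name__ == "__main__":
    for hit in flag_lookalikes(CONSTRUCTED_CANDIDATES):
        print(*hit)
```

The containment check is guarded by a minimum brand length because short brand strings match far too many ordinary words; for a real watch list, add the organizations' secondary brands and event names, and route hits to a human rather than blocking, since legitimate third parties also register brand-adjacent names.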


APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

Techniques: Phishing: Spearphishing Attachment, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography

Software: AutoIt backdoor, Empire, LaZagne, PowerSploit


APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.

Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control (the initial dropper contains a function to bypass Windows UAC so that the next payload executes with higher privileges), Audio Capture (used an audio capturing utility known as SOUNDWAVE that records microphone input), Disk Wipe: Disk Structure Wipe, Obfuscated Files or Information: Steganography, Phishing: Spearphishing Attachment

Software: BLUELIGHT, Cobalt Strike, WINERACK


Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16. Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.

Techniques: Account Discovery: Domain Account, Acquire Infrastructure: Domains, Active Scanning: Vulnerability Scanning, Archive Collected Data, Brute Force: Password Cracking, Command and Scripting Interpreter: PowerShell, Create Account: Local Account, Exploit Public-Facing Application, Exploitation of Remote Services

Software: Backdoor.Oldrea (Account Discovery: Email Account, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Credentials from Password Stores: Credentials from Web Browsers), Impacket, Net, PsExec, Trojan.Karagany


APT33 has targeted organizations spanning multiple industries and headquartered in the U.S., Saudi Arabia, and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production. Suspected attribution: Iran. Target sectors: Aerospace, Energy.


Attack vectors: APT33 sent spear-phishing emails to employees whose jobs related to the aviation industry. These emails used recruitment-themed lures and contained links to malicious HTML Application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.


APT32, also known as the OceanLotus Group: recent activity targeting private interests in Vietnam suggests that APT32 poses a threat to companies doing business, manufacturing, or preparing to invest in the country. While the specific motivation for this activity remains opaque, it could ultimately erode the competitive advantage of targeted organizations. Suspected attribution: Vietnam. Target sectors: Foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors.


Attack vectors: APT32 actors use ActiveMime files that rely on social engineering to entice the victim into enabling macros. Upon execution, the initialized file typically downloads multiple malicious payloads from a remote server. APT32 delivers these malicious attachments via spear-phishing emails; evidence shows that some may have been sent via Gmail.
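An ActiveMime lure is a Word document saved as MHTML: the macro project travels as a base64 MIME part (typically named editdata.mso) whose decoded bytes start with the string `ActiveMime` and wrap a zlib-compressed OLE container. The following is an added example, not APT32's or the page's code, that walks the MIME parts, inflates any ActiveMime blob to its OLE payload and reports whether a `VBA` storage name appears inside. The document is constructed inline; the `VBA` check is a heuristic rather than a full OLE directory parse, and for real samples a dedicated tool such as olevba should be used to extract and read the macro source.

```python
"""Pull ActiveMime (.mso) parts out of an MHTML-packaged Word document and
inflate them to the OLE container that holds the macro project.  Added
example, not the page's or APT32's code.  The document is constructed
inline; the 'VBA' storage-name check is a heuristic, not a full OLE parse."""
import base64
import email
from email import policy
import zlib

ACTIVEMIME_MAGIC = b"ActiveMime"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZLIB_FLAGS = (0x01, 0x5E, 0x9C, 0xDA)  # second header byte for CMF 0x78


def inflate_activemime(blob: bytes):
    """Return the OLE container embedded in an ActiveMime blob, or None.

    The compressed stream sits after a short header; rather than trust a
    fixed header layout, scan for a zlib header and accept the first stream
    that inflates completely to an OLE file.
    """
    for off in range(len(blob) - 1):
        if blob[off] != 0x78 or blob[off + 1] not in ZLIB_FLAGS:
            continue
        stream = zlib.decompressobj()
        try:
            data = stream.decompress(blob[off:])
        except zlib.error:
            continue
        if stream.eof and data.startswith(OLE_MAGIC):
            return data
    return None


def analyze_mhtml(mhtml: bytes) -> list:
    """One finding per ActiveMime part: where it sat, how large the OLE
    payload is, and whether a 'VBA' storage name (UTF-16LE, as OLE stores
    directory names) appears inside it."""
    msg = email.message_from_bytes(mhtml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(ACTIVEMIME_MAGIC):
            continue
        ole = inflate_activemime(payload)
        findings.append({
            "location": str(part.get("Content-Location", "")),
            "ole_size": len(ole) if ole else 0,
            "vba_hint": bool(ole) and "VBA".encode("utf-16-le") in ole,
        })
    return findings


def build_sample_mhtml() -> bytes:
    """Constructed sample: a fake OLE blob (magic plus a 'VBA' storage name)
    inside a zlib stream behind a 0x32-byte ActiveMime header, packaged as
    the second part of a multipart/related MHTML document."""
    ole = OLE_MAGIC + b"\x00" * 24 + "VBA".encode("utf-16-le") + b"\x00" * 100
    blob = bytearray(0x32)
    blob[: len(ACTIVEMIME_MAGIC)] = ACTIVEMIME_MAGIC
    blob += zlib.compress(ole)
    b64 = base64.encodebytes(bytes(blob)).decode("ascii")
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n\r\n'
        "------=_NextPart_01\r\n"
        "Content-Type: text/html\r\n\r\n"
        "<html><body>Please enable content to view the quotation.</body></html>\r\n"
        "------=_NextPart_01\r\n"
        "Content-Location: file:///C:/quote_files/editdata.mso\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "Content-Type: application/x-mso\r\n\r\n" + b64 + "\r\n"
        "------=_NextPart_01--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for finding in analyze_mhtml(build_sample_mhtml()):
        print(finding)
```

Scanning for the zlib header instead of hard-coding an offset keeps the extractor working across the Word and Excel variants of the header, and requiring `stream.eof` plus the OLE magic rejects the false starts a bare `0x78` byte would otherwise produce in arbitrary binary data.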

You may check, 

We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
