In this research document, we focus on the tactics, techniques, and
procedures used by the major APT threat groups, which have access to
state-of-the-art tools and techniques and are linked to various
cyberterrorist groups and state actors.
Generally, APT groups rely on a fairly fixed set of tactics, but in some
cases they adapt to circumstances and change the way they carry out their
attacks. The difficulty of detecting and attributing a campaign therefore
depends on the tactics used to perform the attack.
The techniques and software used by each group are listed below:
APT-C-36
APT-C-36 is a suspected South American espionage group that has been active
since at least 2018. The group mainly targets Colombian government
institutions as well as important corporations in the financial sector, the
petroleum industry, and professional manufacturing.
Techniques: Command and Scripting Interpreter: Visual Basic (embedded a
VBScript within a malicious Word document, which is executed when the
document is opened), Ingress Tool Transfer (downloaded binary data from a
specified domain after the malicious document is opened), Masquerading:
Masquerade Task or Service (disguised its scheduled tasks as those used by
Google).
Software: Imminent Monitor (Audio Capture, Command and Scripting
Interpreter, Credentials from Password Stores: Credentials from Web Browsers,
Deobfuscate/Decode Files or Information, Exfiltration Over C2 Channel, File
and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Impair
Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion,
Input Capture: Keylogging, Native API, Obfuscated Files or Information,
Process Discovery, Remote Services: Remote Desktop Protocol, Resource
Hijacking, Video Capture)
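The masquerading technique above (scheduled tasks named to look like Google's) can be checked for on a host by comparing a task's branding with what it actually runs. The following is an added example, not code from the original post or from any vendor: it parses a constructed CSV in the shape of a parsed `schtasks /query /fo csv /v` export and flags Google-branded tasks whose action runs a script host or a binary outside the install roots a genuine Google updater would use. The root directories and the CSV column names are assumptions.

```python
"""Flag scheduled tasks that borrow a vendor's brand (here: Google) but whose
action does not run from that vendor's expected install locations.

Added example, not part of the original post. Task records are constructed to
resemble parsed 'schtasks /query /fo csv /v' output; the legitimate directory
list is an assumption about a typical Windows install.
"""
import csv
import io
import re
from typing import Dict, List

# Assumed install roots for genuine Google components (assumption).
GOOGLE_ROOTS = (
    "c:\\program files\\google\\",
    "c:\\program files (x86)\\google\\",
)
# Per-user Chrome/updater installs live under AppData\Local\Google (assumption).
GOOGLE_USER_ROOT = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\google\\")

# Script hosts and command interpreters a real updater task would not launch.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "cmd.exe"}

# Constructed sample: two genuine-looking tasks, two masquerading ones, one unrelated.
CONSTRUCTED_TASKS_CSV = r'''"TaskName","Task To Run","Author"
"\GoogleUpdateTaskMachineUA","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler","Google LLC"
"\GoogleUpdateTaskMachineCore","C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c","Google LLC"
"\Google Chrome Update","wscript.exe C:\Users\Public\Libraries\update.vbs","SYSTEM"
"\GoogleUpdateCheck","C:\Users\jdoe\AppData\Roaming\Google\svchost.exe","jdoe"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Microsoft Corporation"
'''

EXECUTABLE_RE = re.compile(r'\s*"?(.+?\.(?:exe|bat|cmd|vbs|js|ps1|hta))\b', re.IGNORECASE)


def executable_of(command: str) -> str:
    """Return the program part of a task action, dropping quotes and arguments."""
    match = EXECUTABLE_RE.match(command)
    return match.group(1) if match else command.split()[0]


def is_google_branded(task: Dict[str, str]) -> bool:
    """A task counts as Google-branded if its name or author mentions Google."""
    return "google" in task["TaskName"].lower() or "google" in task["Author"].lower()


def path_is_google_root(path: str) -> bool:
    """True when the executable sits under one of the assumed Google install roots."""
    lowered = path.lower()
    return lowered.startswith(GOOGLE_ROOTS) or bool(GOOGLE_USER_ROOT.match(lowered))


def suspicious_google_tasks(csv_text: str) -> List[Dict[str, str]]:
    """Return Google-branded tasks whose action contradicts the branding."""
    findings = []
    for task in csv.DictReader(io.StringIO(csv_text)):
        if not is_google_branded(task):
            continue
        exe = executable_of(task["Task To Run"])
        basename = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if basename in SCRIPT_HOSTS:
            reasons.append(f"runs script host {basename}")
        if not path_is_google_root(exe):
            reasons.append("binary outside expected Google install roots")
        if reasons:
            findings.append({"task": task["TaskName"], "executable": exe,
                             "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in suspicious_google_tasks(CONSTRUCTED_TASKS_CSV):
        print(f"{finding['task']}: {finding['executable']} ({finding['reasons']})")
```

On a real host the CSV would come from `schtasks /query /fo csv /v`; the branding check is deliberately broad (name or author) so that a task registered under a Google-sounding name by a non-Google author is still examined.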
APT1
APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of
the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd
Department, commonly known by its Military Unit Cover Designator (MUCD) as
Unit 61398.
Techniques: Account Discovery: Local Account (used the commands net
localgroup, net user, and net group to find accounts on the system), Acquire
Infrastructure: Domains (has registered hundreds of domains for use in
operations), Command and Scripting Interpreter: Windows Command Shell (has
used the Windows command shell to execute commands, and batch scripting to
automate execution), Data from Local System (has collected files from a local
victim), Phishing: Spearphishing Attachment (sent spearphishing emails
containing malicious attachments), OS Credential Dumping: LSASS Memory (dumped
credentials using Mimikatz)
Software: BISCUIT (Command and Scripting Interpreter: Windows Command
Shell, Encrypted Channel: Asymmetric Cryptography, Fallback Channels, Ingress
Tool Transfer, Input Capture: Keylogging, Process Discovery, Screen Capture,
System Information Discovery, System Owner/User Discovery), Cachedump (OS
Credential Dumping: Cached Domain Credentials), ipconfig (System Network
Configuration Discovery)
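The account-discovery pattern attributed to APT1 above (net user, net localgroup and net group run from the command shell) is visible in process-creation telemetry, and its signal is the burst of several distinct enumeration commands from one host and user in a short window rather than any single command. The following detection logic is an added example, not code from the original post or from any vendor; it runs over constructed, pipe-delimited process-creation records (timestamp, host, user, command line), whose layout is an assumption, and it separates enumeration from account changes such as `net user ... /add`, which belong to a different technique.

```python
"""Detect a burst of 'net user' / 'net localgroup' / 'net group' account
enumeration from one host and user within a short window.

Added example, not part of the original post. The log lines are constructed
to resemble a flattened process-creation export; the pipe-delimited layout
(timestamp|host|user|command line) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample: an enumeration burst on WS-014, an account creation and a
# lone query on WS-022, and unrelated activity on WS-031.
CONSTRUCTED_LOG = r"""2021-03-04T09:12:01Z|WS-014|CORP\jdoe|cmd.exe /c net user
2021-03-04T09:12:03Z|WS-014|CORP\jdoe|net  localgroup administrators
2021-03-04T09:12:09Z|WS-014|CORP\jdoe|C:\Windows\system32\net1 group "Domain Admins" /domain
2021-03-04T09:15:40Z|WS-014|CORP\jdoe|net user jdoe /domain
2021-03-04T10:01:00Z|WS-022|CORP\admin|net user helpdesk /add
2021-03-04T10:40:00Z|WS-022|CORP\admin|net localgroup
2021-03-04T11:00:00Z|WS-031|CORP\svc|ipconfig /all
"""

# 'net' hands off to 'net1', so both names are matched, with or without '.exe',
# whether bare or preceded by a path separator or whitespace.
ACCOUNT_DISCOVERY = re.compile(
    r"(?:^|[\s\\/])net1?(?:\.exe)?\s+(user|localgroup|group)\b", re.IGNORECASE)
# '/add' and '/delete' make the command an account change, not discovery.
ACCOUNT_CHANGE = re.compile(r"\s/(add|del(?:ete)?)\b", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed record into its fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "user": user, "cmd": cmd}


def classify(cmd: str) -> Optional[str]:
    """Return the net subcommand (user/localgroup/group) if this is enumeration."""
    match = ACCOUNT_DISCOVERY.search(cmd)
    if not match or ACCOUNT_CHANGE.search(cmd):
        return None
    return match.group(1).lower()


def find_bursts(log_text: str, window: timedelta = timedelta(minutes=5),
                threshold: int = 3) -> List[Dict[str, object]]:
    """Alert once per host/user when >= threshold distinct subcommands occur within window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        sub = classify(ev["cmd"])
        if sub:
            events[(ev["host"], ev["user"])].append((ev["ts"], sub, ev["cmd"]))

    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            subs = {e[1] for e in in_window}
            if len(subs) >= threshold:
                alerts.append({"host": host, "user": user, "first_seen": start,
                               "subcommands": sorted(subs),
                               "commands": [e[2] for e in in_window]})
                break  # one alert per host/user pair is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(CONSTRUCTED_LOG):
        print(f"{alert['host']} {alert['user']} at {alert['first_seen']}: "
              f"{', '.join(alert['subcommands'])}")
```

Requiring distinct subcommands rather than a raw count keeps a help-desk operator who runs `net user` several times from tripping the rule, while the five-minute window and threshold are tunable to an environment's normal administrative noise.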
APT28
APT28 is a threat group that has been attributed to Russia's General Staff
Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS)
military unit 26165. This group has been active since at least 2004. APT28
reportedly compromised the Hillary Clinton campaign, the Democratic National
Committee, and the Democratic Congressional Campaign Committee in 2016 in an
attempt to interfere with the U.S. presidential election.
Techniques: Access Token Manipulation: Token Impersonation/Theft (used
CVE-2015-1701 to access the SYSTEM token and copy it into the current process
as part of privilege escalation), Acquire Infrastructure: Domains (registered
domains imitating NATO, OSCE security websites, Caucasus information
resources, and other organizations), Active Scanning: Vulnerability Scanning,
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Brute
Force, Phishing: Spearphishing Attachment.
Software: Cannon, certutil, CHOPSTICK, LoJax
APT33
APT33 is a suspected Iranian threat group that has carried out operations
since at least 2013. The group has targeted organizations across multiple
industries in the United States, Saudi Arabia, and South Korea, with a
particular interest in the aviation and energy sectors.
Techniques: Phishing: Spearphishing Attachment, Boot or Logon Autostart
Execution: Registry Run Keys / Startup Folder, Credentials from Password
Stores, Credentials from Web Browsers, Data Encoding: Standard Encoding,
Encrypted Channel: Symmetric Cryptography
Software: AutoIt backdoor, Empire, LaZagne, PowerSploit
APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been
active since at least 2012. The group has targeted victims primarily in South
Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania,
Kuwait, and other parts of the Middle East. APT37 has also been linked to the
following campaigns between 2016-2018: Operation Daybreak, Operation Erebus,
Golden Time, Evil New Year, Are you Happy? FreeMilk, North Korean Human
Rights, and Evil New Year 2018.
Techniques: Abuse Elevation Control Mechanism: Bypass User Account
Control (the initial dropper contains a function to bypass Windows UAC in
order to execute the next payload with higher privileges), Audio Capture (used
an audio capturing utility known as SOUNDWAVE that captures microphone input),
Disk Wipe: Disk Structure Wipe, Steganography, Phishing: Spearphishing
Attachment
Software: BLUELIGHT, Cobalt Strike, WINERACK
Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's
Federal Security Service (FSB) Center 16. Active since at least 2010,
Dragonfly has targeted defence and aviation companies, government entities,
companies related to industrial control systems, and critical infrastructure
sectors worldwide through supply chain, spearphishing, and drive-by compromise
attacks.
Techniques: Account Discovery: Domain Account, Acquire Infrastructure:
Domains, Active Scanning: Vulnerability Scanning, Archive Collected Data,
Brute Force: Password Cracking, Command and Scripting Interpreter: PowerShell,
Create Account: Local Account, Exploit Public-Facing Application, Exploitation
of Remote Services
Software: Backdoor.Oldrea (Account Discovery: Email Account, Archive
Collected Data, Automated Collection, Boot or Logon Autostart Execution:
Registry Run Keys / Startup Folder, Credentials from Password Stores:
Credentials from Web Browsers), Impacket, Net, PsExec, Trojan.Karagany.
APT33
APT33 has targeted organizations, spanning multiple industries, headquartered
in the U.S., Saudi Arabia and South Korea. APT33 has shown particular interest
in organizations in the aviation sector involved in both military and
commercial capacities, as well as organizations in the energy sector with ties
to petrochemical production.
Suspected attribution: Iran
Target sectors: Aerospace, Energy
Associated malware: SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE,
ALFA Shell
Attack vectors: APT33 sent spear-phishing emails to employees whose
jobs related to the aviation industry. These emails included
recruitment-themed lures and contained links to malicious HTML application
(.hta) files. The .hta files contained job descriptions and links to
legitimate job postings on popular employment websites that would be relevant
to the targeted individuals.
APT32
Recent activity targeting private interests in Vietnam suggests that APT32
poses a threat to companies doing business, manufacturing or preparing to
invest in the country. While the specific motivation for this activity
remains opaque, it could ultimately erode the competitive advantage of
targeted organizations. Also known as OceanLotus Group.
Suspected attribution: Vietnam
Target sectors: Foreign companies investing in Vietnam’s manufacturing,
consumer products, consulting and hospitality sectors
Associated malware: SOUNDBITE, WINDSHIELD, PHOREAL, BEACON, KOMPROGO
Attack vectors: APT32 actors leverage ActiveMime files that employ
social engineering methods to entice the victim into enabling macros. Upon
execution, the initialized file typically downloads multiple malicious
payloads from a remote server. APT32 actors deliver malicious attachments via
spear phishing emails. Evidence has shown that some may have been sent via
Gmail.
You may also check:
- Tactics, Techniques, and Procedures (TTPs) in Cybersecurity
- Tactics, Techniques, and Procedures (TTPs) - Organization Edition
We hope this helps. If you have any suggestions or doubts, you can add a comment and we will reply as soon as possible.