Operation Wocao

Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[1]

Security researchers assessed that the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[1]

ID: C0014
First Seen: December 2017 [1]
Last Seen: December 2019 [1]
Contributors: Erik Schamper, @Schamperr, Fox-IT; Maarten van Dantzig, @MaartenVDantzig, Fox-IT
Version: 1.1
Created: 27 September 2022
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

During Operation Wocao, threat actors have used WMI to execute commands.[1]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

During Operation Wocao, threat actors accessed and collected credentials from password managers.[1]

Enterprise T1005 Data from Local System

During Operation Wocao, threat actors exfiltrated files and directories of interest from the targeted system.[1]

Enterprise T1090 Proxy

During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops.[1]

.001 Internal Proxy

During Operation Wocao, threat actors proxied traffic through multiple infected systems.[1]

.003 Multi-hop Proxy

During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.[1]

Enterprise T1112 Modify Registry

During Operation Wocao, the threat actors enabled Wdigest by changing the HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest registry value from 0 (disabled) to 1 (enabled).[1]

Enterprise T1190 Exploit Public-Facing Application

During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers.[1]

Enterprise T1115 Clipboard Data

During Operation Wocao, threat actors collected clipboard data in plaintext.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

During Operation Wocao, threat actors' proxy implementation "Agent" upgraded the socket in use to a TLS socket.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

During Operation Wocao, threat actors used PowerShell on compromised systems.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

During Operation Wocao, threat actors spawned a new cmd.exe process to execute commands.[1]

.005 Command and Scripting Interpreter: Visual Basic

During Operation Wocao, threat actors used VBScript to conduct reconnaissance on targeted systems.[1]

.006 Command and Scripting Interpreter: Python

During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.[1]

Enterprise T1120 Peripheral Device Discovery

During Operation Wocao, threat actors discovered removable disks attached to a system.[1]

Enterprise T1133 External Remote Services

During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN.[1]

Enterprise T1111 Multi-Factor Authentication Interception

During Operation Wocao, threat actors used a custom collection method to intercept two-factor authentication soft tokens.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

During Operation Wocao, threat actors’ XServer tool communicated using HTTP and HTTPS.[1]

Enterprise T1585 .002 Establish Accounts: Email Accounts

For Operation Wocao, the threat actors registered email accounts to use during the campaign.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

During Operation Wocao, threat actors used ProcDump to dump credentials from memory.[1]

.006 OS Credential Dumping: DCSync

During Operation Wocao, threat actors used Mimikatz's DCSync to dump credentials from the memory of the targeted system.[1]

Enterprise T1589 Gather Victim Identity Information

During Operation Wocao, threat actors targeted people based on their organizational roles and privileges.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.[1]

Enterprise T1001 Data Obfuscation

During Operation Wocao, threat actors encrypted IP addresses used for "Agent" proxy hops with RC4.[1]

Enterprise T1083 File and Directory Discovery

During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.[1]

Enterprise T1078 Valid Accounts

During Operation Wocao, threat actors used valid VPN credentials to gain initial access.[1]

.002 Domain Accounts

During Operation Wocao, threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.[1]

.003 Local Accounts

During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.[1]

Enterprise T1552 .004 Unsecured Credentials: Private Keys

During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.[1]

Enterprise T1106 Native API

During Operation Wocao, threat actors used the CreateProcessA and ShellExecute API functions to launch commands after being injected into a selected process.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

During Operation Wocao, threat actors used the command net localgroup administrators to list all members of the local Administrators group.[1]

Enterprise T1012 Query Registry

During Operation Wocao, the threat actors executed /c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\<username>\PuTTY\Sessions\ to detect recent PuTTY sessions, likely to further lateral movement.[1]

Enterprise T1570 Lateral Tool Transfer

During Operation Wocao, threat actors used SMB to copy files to and from target systems.[1]

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.[1]

.010 Obfuscated Files or Information: Command Obfuscation

During Operation Wocao, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.[1]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

During Operation Wocao, the threat actors deleted all Windows system and security event logs using /Q /c wevtutil cl system and /Q /c wevtutil cl security.[1]

.004 Indicator Removal: File Deletion

During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using /c cd /d c:\windows\temp\ & copy \\<IP ADDRESS>\c$\windows\system32\devmgr.dll \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1 /y and then deleting the overwritten file using /c cd /d c:\windows\temp\ & del \\<IP ADDRESS>\c$\windows\temp\LMAKSW.ps1.[1]
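As an added detection example (not part of this MITRE page or the Fox-IT report), the helper below runs the command-line patterns quoted in the Query Registry and Indicator Removal entries above over constructed process-creation telemetry; host names, IP addresses, timestamps and rule names are all made up for illustration.

```python
# Hypothetical detection helper written for this page: flags the Wocao-style
# command lines quoted above (wevtutil log clearing, PuTTY session lookup in the
# registry, local admin enumeration, copy-over-then-delete via C$ admin shares).
import re

# Constructed sample telemetry (not from the report): (host, timestamp seconds, command line).
EVENTS = [
    ("ws01", 100, r"cmd.exe /c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\alice\PuTTY\Sessions" "\\"),
    ("ws01", 160, r"cmd.exe /c cd /d c:\windows\temp\ & copy \\10.0.0.5\c$\windows\system32\devmgr.dll \\10.0.0.5\c$\windows\temp\LMAKSW.ps1 /y"),
    ("ws01", 165, r"cmd.exe /c cd /d c:\windows\temp\ & del \\10.0.0.5\c$\windows\temp\LMAKSW.ps1"),
    ("ws02", 200, r"cmd.exe /Q /c wevtutil cl system"),
    ("ws02", 201, r"cmd.exe /Q /c wevtutil cl security"),
    ("ws03", 300, r"cmd.exe /c net localgroup administrators"),
    ("ws04", 400, r"cmd.exe /c dir c:\users"),  # benign, must not alert
]

# Single-event rules: rule name -> regex matched against the full command line.
RULES = {
    "event_log_cleared": re.compile(r"\bwevtutil(\.exe)?\s+cl\s+(system|security)\b", re.I),
    "putty_sessions_queried": re.compile(r"\breg(\.exe)?\s+query\s+\S*\\PuTTY\\Sessions", re.I),
    "local_admins_enumerated": re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", re.I),
}
# Two-event rule: a copy onto a UNC admin-share path followed by a del of the same path.
COPY_RE = re.compile(r"\bcopy\s+\S+\s+(\\\\[^\s\\]+\\[a-z]\$\\\S+)\s+/y", re.I)
DEL_RE = re.compile(r"\bdel\s+(\\\\[^\s\\]+\\[a-z]\$\\\S+)", re.I)

def detect(events, window=300):
    """Return (host, rule, command_line) alerts; events are (host, ts, cmdline) tuples."""
    alerts = []
    pending_copies = {}  # (host, lowercased UNC path) -> timestamp of the overwriting copy
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        for name, rx in RULES.items():
            if rx.search(cmd):
                alerts.append((host, name, cmd))
        m = COPY_RE.search(cmd)
        if m:
            pending_copies[(host, m.group(1).lower())] = ts
        m = DEL_RE.search(cmd)
        if m:
            copied_at = pending_copies.pop((host, m.group(1).lower()), None)
            if copied_at is not None and ts - copied_at <= window:
                alerts.append((host, "overwrite_then_delete", cmd))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```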

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

During Operation Wocao, threat actors used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.[1]

Enterprise T1082 System Information Discovery

During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.[1]

Enterprise T1033 System Owner/User Discovery

During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[1]

Enterprise T1124 System Time Discovery

During Operation Wocao, threat actors used the time command to retrieve the current time of a compromised system.[1]

Enterprise T1569 .002 System Services: Service Execution

During Operation Wocao, threat actors created services on remote systems for execution purposes.[1]

Enterprise T1007 System Service Discovery

During Operation Wocao, threat actors used the tasklist command to search for one of their backdoors.[1]

Enterprise T1049 System Network Connections Discovery

During Operation Wocao, threat actors collected a list of open connections on the infected system using netstat and checked whether it had an internet connection.[1]

Enterprise T1016 System Network Configuration Discovery

During Operation Wocao, threat actors discovered the local network configuration with ipconfig.[1]

.001 Internet Connection Discovery

During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.[1]

Enterprise T1135 Network Share Discovery

During Operation Wocao, threat actors discovered network disks mounted to the system using netstat.[1]

Enterprise T1046 Network Service Discovery

During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers.[1]

Enterprise T1119 Automated Collection

During Operation Wocao, threat actors used a script to collect information about the infected system.[1]

Enterprise T1583 .004 Acquire Infrastructure: Server

For Operation Wocao, the threat actors purchased servers with Bitcoin to use during the operation.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound.[1]

Enterprise T1087 .002 Account Discovery: Domain Account

During Operation Wocao, threat actors used the net command to retrieve information about domain accounts.[1]

Enterprise T1518 Software Discovery

During Operation Wocao, threat actors collected a list of installed software on the infected system.[1]

.001 Security Software Discovery

During Operation Wocao, threat actors used scripts to detect security software.[1]

Enterprise T1105 Ingress Tool Transfer

During Operation Wocao, threat actors downloaded additional files to the infected system.[1]

Enterprise T1056 .001 Input Capture: Keylogging

During Operation Wocao, threat actors obtained the password for the victim's password manager via a custom keylogger.[1]

Enterprise T1057 Process Discovery

During Operation Wocao, the threat actors used tasklist to collect a list of running processes on an infected system.[1]

Enterprise T1055 Process Injection

During Operation Wocao, threat actors injected code into a selected process, which in turn launched a command as a child process of the original.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

During Operation Wocao, threat actors used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.[1]

Enterprise T1018 Remote System Discovery

During Operation Wocao, threat actors used nbtscan and ping to discover remote systems, as well as dsquery subnet on a domain controller to retrieve all subnets in the Active Directory.[1]

Enterprise T1041 Exfiltration Over C2 Channel

During Operation Wocao, threat actors used the XServer backdoor to exfiltrate data.[1]

Enterprise T1095 Non-Application Layer Protocol

During Operation Wocao, threat actors used a custom protocol for command and control.[1]

Enterprise T1571 Non-Standard Port

During Operation Wocao, the threat actors used uncommon high ports for their backdoor C2, including ports 25667 and 47000.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.[1]

Software

ID Name Description
S0521 BloodHound

During Operation Wocao, threat actors used BloodHound to discover trusts between domains.[1]

S0105 dsquery

During Operation Wocao, threat actors used dsquery to retrieve all subnets in the Active Directory.[1]

S0357 Impacket

During Operation Wocao, threat actors used smbexec.py and psexec.py from Impacket for lateral movement.[1]

S0002 Mimikatz

During Operation Wocao, threat actors used Mimikatz with the privilege::debug and lsadump::dcsync /all flags to dump account credentials.[1]

S0104 netstat

During Operation Wocao, threat actors used netstat to identify specific ports.[1]

S0194 PowerSploit

During Operation Wocao, threat actors used PowerSploit’s Invoke-Kerberoast module to bruteforce passwords and retrieve encrypted service tickets.[1]

S0029 PsExec

During Operation Wocao, threat actors used PsExec to interact with other systems inside the internal network.[1]

S0183 Tor

During Operation Wocao, threat actors used Tor exit nodes to execute commands.[1]

S0645 Wevtutil

During Operation Wocao, threat actors used Wevtutil to delete system and security event logs with wevtutil cl system and wevtutil cl security.[1]

References