Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]

ID: G0001
Associated Groups: Group 72
Version: 2.0
Created: 31 May 2017
Last Modified: 20 March 2023

Associated Group Descriptions

Name Description
Group 72 [4]

Techniques Used

Domain ID Name Use
Enterprise T1546 .008 Event Triggered Execution: Accessibility Features

Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.[5]

Enterprise T1005 Data from Local System

Axiom has collected data from a compromised network.[5]

Enterprise T1190 Exploit Public-Facing Application

Axiom has been observed using SQL injection to gain access to systems.[5][4]

Enterprise T1584 .005 Compromise Infrastructure: Botnet

Axiom has used large groups of compromised machines for use as proxy nodes.[5]

Enterprise T1203 Exploitation for Client Execution

Axiom has used exploits for multiple vulnerabilities including CVE-2014-0322, CVE-2012-4792, CVE-2012-1889, and CVE-2013-3893.[4]

Enterprise T1560 Archive Collected Data

Axiom has compressed and encrypted data prior to exfiltration.[5]

Enterprise T1003 OS Credential Dumping

Axiom has been known to dump credentials.[5]

Enterprise T1001 .002 Data Obfuscation: Steganography

Axiom has used steganography to hide its C2 communications.[5]

Enterprise T1078 Valid Accounts

Axiom has used previously compromised administrative accounts to escalate privileges.[5]

Enterprise T1189 Drive-by Compromise

Axiom has used watering hole attacks to gain access.[4]

Enterprise T1583 .002 Acquire Infrastructure: DNS Server

Axiom has acquired dynamic DNS services for use in the targeting of intended victims.[5]

.003 Acquire Infrastructure: Virtual Private Server

Axiom has used VPS hosting providers in targeting of intended victims.[5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Axiom has used RDP during operations.[5]

Enterprise T1563 .002 Remote Service Session Hijacking: RDP Hijacking

Axiom has targeted victims with remote administration tools including RDP.[5]

Enterprise T1566 Phishing

Axiom has used spear phishing to initially compromise victims.[4][5]

Enterprise T1553 Subvert Trust Controls

Axiom has used digital certificates to deliver malware.[5]

Software

ID Name References Techniques
S0021 Derusbi [5][4] Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Unix Shell, Fallback Channels, Screen Capture, File and Directory Discovery, Query Registry, Indicator Removal: Timestomp, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, Video Capture, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Non-Application Layer Protocol, Non-Standard Port, Audio Capture
S0032 gh0st RAT [4][5] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0009 Hikit [5][4] Rootkit, Data from Local System, Proxy: Internal Proxy, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Ingress Tool Transfer, Phishing, Subvert Trust Controls: Code Signing Policy Modification, Subvert Trust Controls: Install Root Certificate
S0203 Hydraq [5][4] Data from Local System, Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Screen Capture, File and Directory Discovery, Exfiltration Over Alternative Protocol, Query Registry, Obfuscated Files or Information, Indicator Removal: File Deletion, Indicator Removal: Clear Windows Event Logs, System Information Discovery, System Services: Service Execution, System Service Discovery, System Network Configuration Discovery, Access Token Manipulation, Ingress Tool Transfer, Process Discovery
S0013 PlugX [4][5] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0012 PoisonIvy [4][5] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S0672 Zox [5] Data from Local System, Data Obfuscation: Steganography, File and Directory Discovery, Exploitation for Privilege Escalation, Obfuscated Files or Information: Encrypted/Encoded File, System Information Discovery, Ingress Tool Transfer, Process Discovery, Remote Services: SMB/Windows Admin Shares
S0412 ZxShell [6][4] Data from Local System, Proxy, Modify Registry, Create or Modify System Process: Windows Service, Create Account: Local Account, Exploit Public-Facing Application, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, File and Directory Discovery, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Service Discovery, Endpoint Denial of Service, Network Service Discovery, Video Capture, Access Token Manipulation: Create Process with Token, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: VNC, Remote Services: Remote Desktop Protocol, Non-Standard Port

References