APT18

APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. [1]

ID: G0026
Associated Groups: TG-0416, Dynamite Panda, Threat Group-0416
Version: 2.2
Created: 31 May 2017
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description
TG-0416 [2][3]
Dynamite Panda [2][3]
Threat Group-0416 [2]

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.[3][4]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

APT18 uses cmd.exe to execute commands on the victim's machine.[4][3]

Enterprise T1133 External Remote Services

APT18 actors leverage legitimate credentials to log into external remote services.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT18 uses HTTP for C2 communications.[4]

.004 Application Layer Protocol: DNS

APT18 uses DNS for C2 communications.[4]
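
A hunting heuristic for DNS-based C2 of the kind listed above, added here as an example and not code from the original page or from any APT18 tooling. It assumes a DNS query log exported as one "client qtype qname" line per query (the sample lines are constructed) and flags apex domains that receive several queries whose leading label is long and high-entropy, which is how data carried in subdomain labels tends to look. The thresholds are assumptions to be tuned per environment.

```python
import math
from collections import defaultdict

# Constructed sample log (not from the original page): one query per line as
# "<client> <qtype> <qname>". The corp.example lines are benign; the
# upd.example lines mimic encoded data packed into the leading label.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.corp.example
10.0.0.5 A mail.corp.example
10.0.0.7 TXT gezdgnbvgy3tqojqgezdgnbvgy3tqojq.upd.example
10.0.0.7 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.upd.example
10.0.0.7 TXT onswy3dpebrw63ttm5uwy3lnnfxgs3tpnrqxe.upd.example
10.0.0.7 TXT krugkidrovuwg2zaonsxe4tbnfxgs3tp.upd.example
10.0.0.5 A www.corp.example
"""


def shannon_entropy(s):
    """Bits of entropy per character of s; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_line(line):
    """Return (client, qtype, qname) or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qtype, qname = parts
    return client, qtype.upper(), qname.rstrip(".").lower()


def apex_of(qname):
    """Last two labels of a name (assumption: no public-suffix handling)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_tunneling_candidates(log_text, min_label_len=20, min_entropy=3.0, min_queries=3):
    """Map apex -> number of queries whose leading label is long and high-entropy.

    Only apexes with at least min_queries such queries are returned, so a single
    odd lookup (a CDN cache key, an AV signature query) does not fire on its own.
    """
    hits = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_dns_line(raw)
        if rec is None:
            continue
        _, _, qname = rec
        leading = qname.split(".")[0]
        if len(leading) >= min_label_len and shannon_entropy(leading) >= min_entropy:
            hits[apex_of(qname)] += 1
    return {apex: n for apex, n in hits.items() if n >= min_queries}


if __name__ == "__main__":
    for apex, n in find_tunneling_candidates(SAMPLE_DNS_LOG).items():
        print(f"{apex}: {n} long high-entropy queries")
```

Record type is a second signal worth adding in practice (TXT and NULL queries from workstations are rare), and the apex grouping is deliberately naive; a public-suffix list would stop `co.uk`-style names from collapsing into one bucket.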

Enterprise T1083 File and Directory Discovery

APT18 can list file information for specific directories.[4]

Enterprise T1078 Valid Accounts

APT18 actors leverage legitimate credentials to log into external remote services.[5]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT18 obfuscates strings in the payload.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

APT18 actors deleted tools and batch files from victim systems.[1]

Enterprise T1082 System Information Discovery

APT18 can collect system information from the victim's machine.[4]

Enterprise T1105 Ingress Tool Transfer

APT18 can upload a file to the victim's machine.[4]

Enterprise T1053 .002 Scheduled Task/Job: At

APT18 actors used the native Windows at task scheduler to create scheduled tasks for execution on a victim network.[1]
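
A small triage pass over endpoint telemetry for two of the techniques in this table, the HKCU Run-key persistence (T1547.001) and at-based scheduled tasks (T1053.002), added as an example and not code from the original page or from APT18 tooling. It assumes Sysmon-style events with the Event ID 1 and Event ID 13 field names; the events themselves are constructed. Note that Sysmon writes per-user hives as HKU\<SID> rather than HKCU, so a rule that matches the literal string HKCU misses exactly the key this page names.

```python
import re

# Constructed Sysmon-style events (sample data, not from the original page).
# Event ID 1 = process create, Event ID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c at 23:00 C:\Windows\Temp\update.bat",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\at.exe",
     "CommandLine": r"at \\10.0.0.12 22:30 cmd /c C:\Windows\Temp\r.bat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Any hive: the key path is the same under HKU\<SID> (i.e. HKCU) and HKLM.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Locations an unprivileged user can write to (assumption: tune per environment).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.IGNORECASE)
# "at [\\host] HH:MM ..." whether at.exe is the image or the call is wrapped in cmd.exe /c.
AT_CMD_RE = re.compile(r"(?:^|\s)at(?:\.exe)?\s+(?:\\\\[\w.-]+\s+)?\d{1,2}:\d{2}\b", re.IGNORECASE)


def triage_event(ev):
    """Return a list of findings ({technique, severity, detail}) for one event."""
    findings = []
    eid = ev.get("EventID")

    if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
        hive = ev["TargetObject"].split("\\", 1)[0].upper()  # "HKU" or "HKLM"
        payload = ev.get("Details", "")
        # A per-user Run value pointing into a user-writable path is the
        # high-signal shape; a machine-wide value from an installer is routine.
        high = hive == "HKU" and bool(USER_WRITABLE_RE.search(payload))
        findings.append({"technique": "T1547.001",
                         "severity": "high" if high else "low",
                         "detail": f"{hive} Run value -> {payload}"})

    if eid == 1:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmdline = ev.get("CommandLine", "")
        if image == "at.exe" or AT_CMD_RE.search(cmdline):
            findings.append({"technique": "T1053.002", "severity": "high",
                             "detail": cmdline})

    return findings


def triage(events):
    """Run triage_event over a sequence of events, preserving event order."""
    return [f for ev in events for f in triage_event(ev)]


def technique_counts(findings):
    """Count findings per ATT&CK technique ID."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['technique']} [{f['severity']}] {f['detail']}")
```

The at.exe check matches on the command line as well as the image because the first sample event never spawns at.exe as a separately logged image of interest to a rule keyed on Image alone; the remote-host form in the second event is the one that turns a scheduled task into lateral execution.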

Software

ID Name References Techniques
S0106 cmd [1] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Lateral Tool Transfer, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer
S0032 gh0st RAT [5] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0071 hcdLoader [1][2] Create or Modify System Process: Windows Service, Command and Scripting Interpreter: Windows Command Shell
S0070 HTTPBrowser [5] Masquerading: Match Legitimate Name or Location, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, File and Directory Discovery, Obfuscated Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging
S0124 Pisloader [6] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, File and Directory Discovery, Obfuscated Files or Information, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer

References