menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

ID: G0045
Associated Groups: Cicada, POTASSIUM, Stone Panda, APT10, Red Apollo, CVNX, HOGFISH, BRONZE RIVERSIDE
Contributors: Edward Millington; Michael Cox
Version: 3.0
Created: 31 May 2017
Last Modified: 19 September 2024

Associated Group Descriptions

Name Description
Cicada [8]
POTASSIUM [1][2]
Stone Panda [3][9][1][2][8]
APT10 [3][9][10][1][8]
Red Apollo [6][1][2]
CVNX [6][1][2]
HOGFISH [9]
BRONZE RIVERSIDE [11]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

menuPass has used a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI.[12][13][8]

Enterprise T1005 Data from Local System

menuPass has collected various files from the compromised computers.[1][8]

Enterprise T1039 Data from Network Shared Drive

menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data.[6]

Enterprise T1090 .002 Proxy: External Proxy

menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.[7][10]

Enterprise T1036 Masquerading

menuPass has used esentutl to restore the true file extensions of files that had been masquerading as .txt files.[10]

.003 Masquerading: Rename System Utilities

menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.[10]

.005 Masquerading: Match Legitimate Name or Location

menuPass has been seen changing malicious files to appear legitimate.[2]

Enterprise T1199 Trusted Relationship

menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest.[12][7][8][1][2]

Enterprise T1190 Exploit Public-Facing Application

menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions.[14]

Enterprise T1568 .001 Dynamic Resolution: Fast Flux DNS

menuPass has used dynamic DNS service providers to host malicious domains.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

menuPass has used DLL search order hijacking.[6]

.002 Hijack Execution Flow: DLL Side-Loading

menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.[12][10][8]

Enterprise T1140 Deobfuscate/Decode Files or Information

menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim's machine when dropping UPPERCUT.[9][10]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

menuPass uses PowerSploit to inject shellcode into PowerShell.[12][8]

.003 Command and Scripting Interpreter: Windows Command Shell

menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands.[6][12][13][10] menuPass has used malicious macros embedded inside Office documents to execute files.[9][10]

Enterprise T1560 Archive Collected Data

menuPass has encrypted files and information before exfiltration.[1][2]

.001 Archive Collected Data: Archive via Utility

menuPass has compressed files before exfiltration using TAR and RAR.[6][12][8]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[12][13]

.003 OS Credential Dumping: NTDS

menuPass has used Ntdsutil to dump credentials.[8]

.004 OS Credential Dumping: LSA Secrets

menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.[12][13]

Enterprise T1074 .001 Data Staged: Local Data Staging

menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.[6]

.002 Data Staged: Remote Data Staging

menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.[6][8]

Enterprise T1083 File and Directory Discovery

menuPass has searched compromised systems for folders of interest, including those related to HR, audit and expense, and meeting memos.[8]

Enterprise T1078 Valid Accounts

menuPass has used valid accounts, including accounts shared between Managed Service Providers and their clients, to move between the two environments.[6][8][2][14]

Enterprise T1106 Native API

menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.[8]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.[9][10][8]

Enterprise T1204 .002 User Execution: Malicious File

menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns.[12][7][9][10][2]

Enterprise T1070 .003 Indicator Removal: Clear Command History

menuPass has used Wevtutil to remove PowerShell execution logs.[14]

.004 Indicator Removal: File Deletion

A menuPass macro deletes files after it has decoded and decompressed them.[9][2]

Enterprise T1218 .004 System Binary Proxy Execution: InstallUtil

menuPass has used InstallUtil.exe to execute malicious software.[12]

Enterprise T1049 System Network Connections Discovery

menuPass has used net use to conduct connectivity checks to machines.[6]

Enterprise T1016 System Network Configuration Discovery

menuPass has used several tools to scan for open NetBIOS name servers and enumerate NetBIOS sessions.[12]

Enterprise T1046 Network Service Discovery

menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest.[12]

Enterprise T1119 Automated Collection

menuPass has used the Csvde tool to collect Active Directory files and data.[8]

Enterprise T1583 .001 Acquire Infrastructure: Domains

menuPass has registered malicious domains for use in intrusion campaigns.[1][2]

Enterprise T1588 .002 Obtain Capabilities: Tool

menuPass has used and modified open-source tools like Impacket, Mimikatz, and pwdump.[12]

Enterprise T1087 .002 Account Discovery: Domain Account

menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data.[12]

Enterprise T1105 Ingress Tool Transfer

menuPass has installed updates and new malware on victims.[6][2]

Enterprise T1056 .001 Input Capture: Keylogging

menuPass has used key loggers to steal usernames and passwords.[2]

Enterprise T1055 .012 Process Injection: Process Hollowing

menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.[9]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

menuPass has used RDP connections to move across the victim network.[6][2]

.004 Remote Services: SSH

menuPass has used the PuTTY Secure Copy Client (PSCP) to transfer data.[6]

Enterprise T1210 Exploitation of Remote Services

menuPass has used tools to exploit the ZeroLogon vulnerability (CVE-2020-1472).[8]

Enterprise T1018 Remote System Discovery

menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network.[12][7]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

menuPass has sent malicious Office documents via email as part of spearphishing campaigns, as well as executables disguised as documents.[12][7][10][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.[12]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

menuPass has resized and added data to the certificate table to enable the signing of modified files with legitimate signatures.[14]

Software

ID Name References Techniques
S0552 AdFind [8] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S0160 certutil [9][10][8] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0144 ChChes [12] Credentials from Password Stores: Credentials from Web Browsers, Masquerading: Match Legitimate Name or Location, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, File and Directory Discovery, System Information Discovery, Ingress Tool Transfer, Process Discovery, Subvert Trust Controls: Code Signing
S0106 cmd [12] Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Lateral Tool Transfer, Indicator Removal: File Deletion, System Information Discovery, Ingress Tool Transfer
S0154 Cobalt Strike [14] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0624 Ecipekac [14] Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Code Signing
S0404 esentutl [10] Data from Local System, OS Credential Dumping: NTDS, Lateral Tool Transfer, Direct Volume Access, Ingress Tool Transfer, Hide Artifacts: NTFS File Attributes
S0152 EvilGrab [12] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Screen Capture, Video Capture, Input Capture: Keylogging, Audio Capture
S0628 FYAnti [14] Deobfuscate/Decode Files or Information, File and Directory Discovery, Obfuscated Files or Information: Software Packing, Ingress Tool Transfer
S1097 HUI Loader [11] Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Impair Defenses: Indicator Blocking
S0357 Impacket [12] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0002 Mimikatz [12] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [12] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0626 P8RAT [14] Data Obfuscation: Junk Data, Virtualization/Sandbox Evasion: Time Based Evasion, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Process Discovery
S0097 Ping [12][7] Remote System Discovery
S0013 PlugX [12][7][1] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0012 PoisonIvy [12][2] Rootkit, Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Application Window Discovery, Execution Guardrails: Mutual Exclusion, Data Staged: Local Data Staging, Obfuscated Files or Information, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Dynamic-link Library Injection
S0194 PowerSploit [12] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0029 PsExec [12][7] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0006 pwdump [12] OS Credential Dumping: Security Account Manager
S0262 QuasarRAT [1][8][14] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data from Local System, Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Unsecured Credentials: Credentials In Files, Abuse Elevation Control Mechanism: Bypass User Account Control, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services: Remote Desktop Protocol, Hide Artifacts: Hidden Window, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Non-Standard Port, Scheduled Task/Job: Scheduled Task, Subvert Trust Controls: Code Signing
S0153 RedLeaves [12][1] Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Search Order Hijacking, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, File and Directory Discovery, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Non-Standard Port
S0159 SNUGRIDE [7] Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols
S0627 SodaMaster [14] Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Native API, Query Registry, Obfuscated Files or Information, System Information Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks, Virtualization/Sandbox Evasion: Time Based Evasion, Ingress Tool Transfer, Process Discovery
S0275 UPPERCUT [10] Encrypted Channel: Symmetric Cryptography, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, File and Directory Discovery, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Configuration Discovery, Ingress Tool Transfer

References