TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

ID: G0062
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain | ID | Name | Use

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell
TA459 has used PowerShell for execution of a payload.[1]

Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic
TA459 has used a VBScript for execution.[1]

Enterprise | T1203 | Exploitation for Client Execution
TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.[1]

Enterprise | T1204.002 | User Execution: Malicious File
TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing.[1]

Enterprise | T1566.001 | Phishing: Spearphishing Attachment
TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.[1]

Software

ID | Name | References | Techniques

S0032 | gh0st RAT | TA459 has used a Gh0st variant known as PCrat/Gh0st.[1]
Techniques: Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol

S0033 | NetTraveler | [1]
Techniques: Application Window Discovery, Input Capture: Keylogging

S0013 | PlugX | [1]
Techniques: Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol

S0230 | ZeroT | [1]
Techniques: Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Application Layer Protocol: Web Protocols, Data Obfuscation: Steganography, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, System Information Discovery, System Network Configuration Discovery, Ingress Tool Transfer

References