1. Home
  2. Groups
  3. APT19

APT19

APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. [1] Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same. [2] [3] [4]

ID: G0073
Associated Groups: Codoso, C0d0so0, Codoso Team, Sunshop Group
Contributors: FS-ISAC; Darren Spruell
Version: 1.6
Created: 17 October 2018
Last Modified: 11 April 2024

Associated Group Descriptions

Name Description
Codoso

[4]
C0d0so0

[4]
Codoso Team

[3]
Sunshop Group

[5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1112 修改注册表

APT19 uses a Port 22 malware variant to modify several Registry keys.[4]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

An APT19 Port 22 malware variant registers itself as a service.[4]
Enterprise T1574 .002 劫持执行流: DLL Side-Loading

APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.[4]
Enterprise T1140 反混淆/解码文件或信息

An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[4]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\.[4]
Enterprise T1059 命令与脚本解释器

APT19 downloaded and launched code within a SCT file.[1]
.001 PowerShell

APT19 used PowerShell commands to execute payloads.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.[1][4]
Enterprise T1132 .001 数据编码: Standard Encoding

An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.[4]
Enterprise T1189 浏览器攻击

APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.[4]
Enterprise T1027 .010 混淆文件或信息: Command Obfuscation

APT19 used Base64 to obfuscate executed commands.[1]
.013 混淆文件或信息: Encrypted/Encoded File

APT19 used Base64 to obfuscate payloads.[1]
Enterprise T1204 .002 用户执行: Malicious File

APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.[1]
Enterprise T1218 .010 系统二进制代理执行: Regsvr32

APT19 used Regsvr32 to bypass application control techniques.[1]
.011 系统二进制代理执行: Rundll32

APT19 configured its payload to inject into the rundll32.exe.[1]
Enterprise T1082 系统信息发现

APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.[1][4]
Enterprise T1033 系统所有者/用户发现

APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.[4]
Enterprise T1016 系统网络配置发现

APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.[4]
Enterprise T1588 .002 获取能力: Tool

APT19 has obtained and used publicly-available tools like Empire.[6][1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.[1]
Enterprise T1564 .003 隐藏伪装: Hidden Window

APT19 used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden. [1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1] BITS任务, Windows管理规范, 从本地系统获取数据, 代理: Domain Fronting, 代理: Internal Proxy, 使用备用认证材料: Pass the Hash, 修改注册表, 创建或修改系统进程: Windows Service, 办公应用启动: Office Template Macros, 加密通道: Asymmetric Cryptography, 加密通道: Symmetric Cryptography, 协议隧道, 反射性代码加载, 反混淆/解码文件或信息, 命令与脚本解释器: JavaScript, 命令与脚本解释器: Visual Basic, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Python, 命令与脚本解释器: Windows Command Shell, 妨碍防御: Disable or Modify Tools, 客户端执行漏洞利用, 屏幕捕获, 应用层协议: DNS, 应用层协议: Web Protocols, 应用层协议: File Transfer Protocols, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: Security Account Manager, 数据传输大小限制, 数据混淆: Protocol or Service Impersonation, 数据编码: Standard Encoding, 文件和目录发现, 有效账户: Domain Accounts, 有效账户: Local Accounts, 本机API, 权限提升漏洞利用, 权限组发现: Domain Groups, 权限组发现: Local Groups, 查询注册表, 浏览器会话劫持, 混淆文件或信息: Indicator Removal from Tools, 混淆文件或信息, 滥用权限提升控制机制: Sudo and Sudo Caching, 滥用权限提升控制机制: Bypass User Account Control, 移除指标: Timestomp, 系统二进制代理执行: Rundll32, 系统服务: Service Execution, 系统服务发现, 系统网络连接发现, 系统网络配置发现, 网络共享发现, 网络服务发现, 访问令牌操控: Parent PID Spoofing, 访问令牌操控: Token Impersonation/Theft, 访问令牌操控: Make and Impersonate Token, 账号发现: Domain Account, 软件发现, 输入工具传输, 输入捕获: Keylogging, 进程发现, 进程注入: Dynamic-link Library Injection, 进程注入: Process Hollowing, 进程注入, 远程服务: Remote Desktop Protocol, 远程服务: SSH, 远程服务: Windows Remote Management, 远程服务: SMB/Windows Admin Shares, 远程服务: Distributed Component Object Model, 远程系统发现, 隐藏伪装: Process Argument Spoofing, 非应用层协议, 预定传输, 颠覆信任控制: Code Signing
S0363 Empire [6] Windows管理规范, 中间人攻击: LLMNR/NBT-NS Poisoning and SMB Relay, 事件触发执行: Accessibility Features, 从密码存储中获取凭证: Credentials from Web Browsers, 使用备用认证材料: Pass the Hash, 创建或修改系统进程: Windows Service, 创建账户: Local Account, 创建账户: Domain Account, 剪贴板数据, 加密通道: Asymmetric Cryptography, 劫持执行流: Path Interception by Unquoted Path, 劫持执行流: Path Interception by Search Order Hijacking, 劫持执行流: Path Interception by PATH Environment Variable, 劫持执行流: Dylib Hijacking, 劫持执行流: DLL Search Order Hijacking, 可信开发者工具代理执行: MSBuild, 启动或登录自动启动执行: Security Support Provider, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 启动或登录自动启动执行: Shortcut Modification, 命令与脚本解释器: PowerShell, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器, 域信任发现, 域或租户策略修改: Group Policy Modification, 屏幕捕获, 应用层协议: Web Protocols, 归档收集数据, 操作系统凭证转储: LSASS Memory, 文件和目录发现, 未加密凭证: Credentials In Files, 未加密凭证: Private Keys, 本机API, 权限提升漏洞利用, 浏览器信息发现, 混淆文件或信息: Command Obfuscation, 滥用权限提升控制机制: Bypass User Account Control, 电子邮件收集: Local Email Collection, 移除指标: Timestomp, 窃取或伪造Kerberos票据: Kerberoasting, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 系统信息发现, 系统所有者/用户发现, 系统服务: Service Execution, 系统网络连接发现, 系统网络配置发现, 组策略发现, 网络共享发现, 网络嗅探, 网络服务: Bidirectional Communication, 网络服务发现, 自动化收集, 自动化渗出, 视频捕获, 访问令牌操控: SID-History Injection, 访问令牌操控, 访问令牌操控: Create Process with Token, 账号发现: Domain Account, 账号发现: Local Account, 软件发现: Security Software Discovery, 输入工具传输, 输入捕获: Keylogging, 输入捕获: Credential API Hooking, 进程发现, 进程注入, 远程服务: Distributed Component Object Model, 远程服务: SSH, 远程服务漏洞利用, 通过C2信道渗出, 通过网络服务渗出: Exfiltration to Code Repository, 通过网络服务渗出: Exfiltration to Cloud Storage, 预定任务/作业: Scheduled Task

References

  1. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  2. Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
  3. FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.
  1. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  2. Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.
  3. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.