APT39, ITG07, Chafer, Remix Kitten, Group G0087

Name	Description
ITG07	^[3]^[4]^[5]
Chafer	Activities associated with APT39 largely align with a group publicly referred to as Chafer.^[1]^[2]^[6]^[3]^[4]^[5]
Remix Kitten	^[7]

Domain	ID		Name	Use
Enterprise	T1197		BITS任务	APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host.^[3]
Enterprise	T1546	.010	事件触发执行: AppInit DLLs	APT39 has used malware to set `LoadAppInit_DLLs` in the Registry key `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows` in order to establish persistence.^[3]
Enterprise	T1555		从密码存储中获取凭证	APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords.^[8]
Enterprise	T1005		从本地系统获取数据	APT39 has used various tools to steal files from the compromised host.^[9]^[3]
Enterprise	T1090	.001	代理: Internal Proxy	APT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts.^[1]^[8]
		.002	代理: External Proxy	APT39 has used various tools to proxy C2 communications.^[8]
Enterprise	T1036	.005	伪装: Match Legitimate Name or Location	APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.^[8]^[3]
Enterprise	T1136	.001	创建账户: Local Account	APT39 has created accounts on multiple compromised hosts to perform actions within the network.^[8]
Enterprise	T1190		利用公开应用程序漏洞	APT39 has used SQL injection for initial compromise.^[9]
Enterprise	T1115		剪贴板数据	APT39 has used tools capable of stealing contents of the clipboard.^[9]
Enterprise	T1140		反混淆/解码文件或信息	APT39 has used malware to decrypt encrypted CAB files.^[3]
Enterprise	T1547	.001	启动或登录自动启动执行: Registry Run Keys / Startup Folder	APT39 has maintained persistence using the startup folder.^[1]
		.009	启动或登录自动启动执行: Shortcut Modification	APT39 has modified LNK shortcuts.^[1]
Enterprise	T1059		命令与脚本解释器	APT39 has utilized custom scripts to perform internal reconnaissance.^[1]^[3]
		.001	PowerShell	APT39 has used PowerShell to execute malicious code.^[8]^[9]
		.005	Visual Basic	APT39 has utilized malicious VBS scripts in malware.^[3]
		.006	Python	APT39 has used a command line utility and a network scanner written in python.^[8]^[3]
		.010	AutoHotKey & AutoIT	APT39 has utilized AutoIt malware scripts embedded in Microsoft Office documents or malicious links.^[3]
Enterprise	T1113		屏幕捕获	APT39 has used a screen capture utility to take screenshots on a compromised host.^[9]^[3]
Enterprise	T1071	.001	应用层协议: Web Protocols	APT39 has used HTTP in communications with C2.^[8]^[3]
		.004	应用层协议: DNS	APT39 has used remote access tools that leverage DNS in communications with C2.^[8]
Enterprise	T1560	.001	归档收集数据: Archive via Utility	APT39 has used WinRAR and 7-Zip to compress an archive stolen data.^[1]
Enterprise	T1003		操作系统凭证转储	APT39 has used different versions of Mimikatz to obtain credentials.^[8]
		.001	LSASS Memory	APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.^[1]
Enterprise	T1074	.001	数据分段: Local Data Staging	APT39 has utilized tools to aggregate data prior to exfiltration.^[3]
Enterprise	T1083		文件和目录发现	APT39 has used tools with the ability to search for files on a compromised host.^[3]
Enterprise	T1110		暴力破解	APT39 has used Ncrack to reveal credentials.^[1]
Enterprise	T1078		有效账户	APT39 has used stolen credentials to compromise Outlook Web Access (OWA).^[1]
Enterprise	T1505	.003	服务器软件组件: Web Shell	APT39 has installed ANTAK and ASPXSPY web shells.^[1]
Enterprise	T1012		查询注册表	APT39 has used various strains of malware to query the Registry.^[3]
Enterprise	T1027	.002	混淆文件或信息: Software Packing	APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.^[1]^[8]
		.013	混淆文件或信息: Encrypted/Encoded File	APT39 has used malware to drop encrypted CAB files.^[3]
Enterprise	T1204	.001	用户执行: Malicious Link	APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.^[1]^[3]
		.002	用户执行: Malicious File	APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.^[1]^[8]^[9]^[3]
Enterprise	T1070	.004	移除指标: File Deletion	APT39 has used malware to delete files after they are deployed on a compromised host.^[3]
Enterprise	T1033		系统所有者/用户发现	APT39 used Remexi to collect usernames from the system.^[2]
Enterprise	T1569	.002	系统服务: Service Execution	APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.^[8]^[9]
Enterprise	T1135		网络共享发现	APT39 has used the post exploitation tool CrackMapExec to enumerate network shares.^[8]
Enterprise	T1102	.002	网络服务: Bidirectional Communication	APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.^[8]
Enterprise	T1046		网络服务发现	APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning.^[1]^[8]
Enterprise	T1588	.002	获取能力: Tool	APT39 has modified and used customized versions of publicly-available tools like PLINK and Mimikatz.^[8]^[10]
Enterprise	T1105		输入工具传输	APT39 has downloaded tools to compromised hosts.^[9]^[3]
Enterprise	T1056		输入捕获	APT39 has utilized tools to capture mouse movements.^[3]
		.001	Keylogging	APT39 has used tools for capturing keystrokes.^[9]^[3]
Enterprise	T1021	.001	远程服务: Remote Desktop Protocol	APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for mangement of multiple sessions.^[1]^[8]
		.002	远程服务: SMB/Windows Admin Shares	APT39 has used SMB for lateral movement.^[9]
		.004	远程服务: SSH	APT39 used secure shell (SSH) to move laterally among their targets.^[1]
Enterprise	T1018		远程系统发现	APT39 has used NBTscan and custom tools to discover remote systems.^[1]^[8]^[9]
Enterprise	T1041		通过C2信道渗出	APT39 has exfiltrated stolen victim data through C2 communications.^[3]
Enterprise	T1566	.001	钓鱼: Spearphishing Attachment	APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.^[1]^[9]^[3]
		.002	钓鱼: Spearphishing Link	APT39 leveraged spearphishing emails with malicious links to initially compromise victims.^[1]^[3]
Enterprise	T1053	.005	预定任务/作业: Scheduled Task	APT39 has created scheduled tasks for persistence.^[1]^[8]^[3]
Enterprise	T1553	.006	颠覆信任控制: Code Signing Policy Modification	APT39 has used malware to turn off the `RequireSigned` feature which ensures only signed DLLs can be run on Windows.^[3]

ID	Name	References	Techniques
S0073	ASPXSpy	^[1]	服务器软件组件: Web Shell
S0454	Cadelspy	^[2]	剪贴板数据, 外围设备发现, 屏幕捕获, 应用窗口发现, 归档收集数据, 系统信息发现, 输入捕获: Keylogging, 音频捕获
S0488	CrackMapExec	^[1]^[8]	Windows管理规范, 使用备用认证材料: Pass the Hash, 修改注册表, 命令与脚本解释器: PowerShell, 密码策略发现, 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: NTDS, 操作系统凭证转储: LSA Secrets, 文件和目录发现, 暴力破解: Password Spraying, 暴力破解: Password Guessing, 暴力破解, 权限组发现: Domain Groups, 系统信息发现, 系统网络连接发现, 系统网络配置发现, 网络共享发现, 账号发现: Domain Account, 远程系统发现, 预定任务/作业: At
S0095	ftp	^[3]	替代协议渗出: Exfiltration Over Unencrypted Non-C2 Protocol, 横向工具传输, 输入工具传输
S0459	MechaFlounder	^[11]	伪装: Match Legitimate Name or Location, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器: Python, 应用层协议: Web Protocols, 数据编码: Standard Encoding, 系统所有者/用户发现, 输入工具传输, 通过C2信道渗出
S0002	Mimikatz	^[1]^[8]^[6]^[9]	从密码存储中获取凭证, 从密码存储中获取凭证: Credentials from Web Browsers, 从密码存储中获取凭证: Windows Credential Manager, 伪造域控制器, 使用备用认证材料: Pass the Hash, 使用备用认证材料: Pass the Ticket, 启动或登录自动启动执行: Security Support Provider, 操作系统凭证转储: DCSync, 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: LSA Secrets, 未加密凭证: Private Keys, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 窃取或伪造身份认证证书, 访问令牌操控: SID-History Injection, 账号操控
S0590	NBTscan	^[1]	系统所有者/用户发现, 系统网络配置发现, 网络嗅探, 网络服务发现, 远程系统发现
S0029	PsExec	^[1]^[8]^[9]	创建或修改系统进程: Windows Service, 创建账户: Domain Account, 横向工具传输, 系统服务: Service Execution, 远程服务: SMB/Windows Admin Shares
S0006	pwdump	^[9]	操作系统凭证转储: Security Account Manager
S0375	Remexi	^[2]^[12]^[9]	Windows管理规范, 剪贴板数据, 反混淆/解码文件或信息, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 启动或登录自动启动执行: Winlogon Helper DLL, 命令与脚本解释器: Windows Command Shell, 命令与脚本解释器: Visual Basic, 屏幕捕获, 应用层协议: Web Protocols, 应用窗口发现, 归档收集数据, 文件和目录发现, 混淆文件或信息: Encrypted/Encoded File, 输入捕获: Keylogging, 通过C2信道渗出, 预定任务/作业: Scheduled Task
S0005	Windows Credential Editor	^[1]^[6]	操作系统凭证转储: LSASS Memory

APT39

Associated Group Descriptions

Techniques Used

Software

References

APT39

Associated Group Descriptions

Enterprise Layer

Techniques Used

Software

References