Chimera

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.[1][2]

ID: G0114
Version: 2.2
Created: 24 August 2020
Last Modified: 12 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

Chimera has used WMIC to execute remote commands.[1][2]

Enterprise T1213 .002 Data from Information Repositories: Sharepoint

Chimera has collected documents from the victim's SharePoint.[2]

Enterprise T1039 Data from Network Shared Drive

Chimera has collected data of interest from network shares.[2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Chimera has dumped password hashes for use in pass the hash authentication attacks.[2]

Enterprise T1556 .001 Modify Authentication Process: Domain Controller Authentication

Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to log in without a valid credential.[1]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Chimera has used side loading to place malicious DLLs in memory.[2]

Enterprise T1572 Protocol Tunneling

Chimera has encapsulated Cobalt Strike's C2 protocol in DNS and HTTPS.[2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.[2]

Enterprise T1482 Domain Trust Discovery

Chimera has used nltest /domain_trusts to identify domain trust relationships.[2]

Enterprise T1133 External Remote Services

Chimera has used legitimate credentials to log in to an external VPN, Citrix, SSH, and other remote services.[1][2]

Enterprise T1111 Multi-Factor Authentication Interception

Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS.[2]

Enterprise T1201 Password Policy Discovery

Chimera has used the NtdsAudit utility to collect information related to accounts and passwords.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Chimera has used HTTPS for C2 communications.[2]

.004 Application Layer Protocol: DNS

Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.[2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.[1][2]

Enterprise T1003 .003 OS Credential Dumping: NTDS

Chimera has gathered the SYSTEM registry and ntds.dit files from target systems.[1] Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv and used ntdsutil to copy the Active Directory database.[2]

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Chimera has staged stolen data locally on compromised hosts.[2]

.002 Data Staged: Remote Data Staging

Chimera has staged stolen data on designated servers in the target environment.[2]

Enterprise T1083 File and Directory Discovery

Chimera has utilized multiple commands to identify data of interest in file and directory listings.[2]

Enterprise T1110 .003 Brute Force: Password Spraying

Chimera has used multiple password spraying attacks against victims' remote services to obtain valid user and administrator accounts.[2]

.004 Brute Force: Credential Stuffing

Chimera has used credential stuffing against victims' remote services to obtain valid accounts.[2]

Enterprise T1078 Valid Accounts

Chimera has used a valid account to maintain persistence via a scheduled task.[1]

.002 Valid Accounts: Domain Accounts

Chimera has used compromised domain accounts to gain access to the target environment.[2]

Enterprise T1106 Native API

Chimera has used direct Windows system calls by leveraging Dumpert.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Chimera has used net localgroup administrators to identify accounts with local administrative rights.[2]

Enterprise T1012 Query Registry

Chimera has queried Registry keys using reg query \\HKU\\SOFTWARE\Microsoft\Terminal Server Client\Servers and reg query \\HKU\\Software\Microsoft\Windows\CurrentVersion\Internet Settings.[2]

Enterprise T1570 Lateral Tool Transfer

Chimera has copied tools between compromised hosts using SMB.[2]

Enterprise T1217 Browser Information Discovery

Chimera has used type \\c$\Users\\Favorites\Links\Bookmarks bar\Imported From IE*citrix* for bookmark discovery.[2]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

Chimera has encoded PowerShell commands.[1]

Enterprise T1114 .001 Email Collection: Local Email Collection

Chimera has harvested data from victims' e-mail, including through execution of wmic /node: process call create "cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst" copy "i:\\\My Documents\.pst" copy.[2]

.002 Email Collection: Remote Email Collection

Chimera has harvested data from remote mailboxes including through execution of \\c$\Users\\AppData\Local\Microsoft\Outlook*.ost.[2]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Chimera has cleared event logs on compromised hosts.[2]

.004 Indicator Removal: File Deletion

Chimera has performed file deletion to evade detection.[1]

.006 Indicator Removal: Timestomp

Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.[2]

Enterprise T1082 System Information Discovery

Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows to gather system information, including shadow volumes and drive information.[2]

Enterprise T1033 System Owner/User Discovery

Chimera has used the quser command to show currently logged on users.[2]

Enterprise T1124 System Time Discovery

Chimera has used time /t and net time \ip/hostname for system time discovery.[2]

Enterprise T1569 .002 System Services: Service Execution

Chimera has used PsExec to deploy beacons on compromised systems.[2]

Enterprise T1007 System Service Discovery

Chimera has used net start and net use for system service discovery.[2]

Enterprise T1049 System Network Connections Discovery

Chimera has used netstat -ano | findstr EST to discover network connections.[2]

Enterprise T1016 System Network Configuration Discovery

Chimera has used ipconfig, Ping, and tracert to enumerate the IP address and network environment and settings of the local host.[2]

Enterprise T1135 Network Share Discovery

Chimera has used net share and net view to identify network shares of interest.[2]

Enterprise T1046 Network Service Discovery

Chimera has used the get -b -e -p command for network scanning as well as a custom Python tool packed into a Windows executable named Get.exe to scan IP ranges for HTTP.[2]

Enterprise T1119 Automated Collection

Chimera has used custom DLLs for continuous retrieval of data from memory.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

Chimera has obtained and used tools such as BloodHound, Cobalt Strike, Mimikatz, and PsExec.[1][2]

Enterprise T1087 .001 Account Discovery: Local Account

Chimera has used net user for account discovery.[2]

.002 Account Discovery: Domain Account

Chimera has used net user /dom and net user Administrator to enumerate domain accounts, including administrator accounts.[1][2]

Enterprise T1105 Ingress Tool Transfer

Chimera has remotely copied tools and malware onto targeted systems.[1]

Enterprise T1057 Process Discovery

Chimera has used tasklist to enumerate processes.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Chimera has used RDP to access targeted systems.[1]

.002 Remote Services: SMB/Windows Admin Shares

Chimera has used Windows admin shares to move laterally.[1][2]

.006 Remote Services: Windows Remote Management

Chimera has used WinRM for lateral movement.[2]

Enterprise T1018 Remote System Discovery

Chimera has utilized various scans and queries to find domain controllers and remote services in the target environment.[2]

Enterprise T1041 Exfiltration Over C2 Channel

Chimera has used Cobalt Strike C2 beacons for data exfiltration.[2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Chimera has exfiltrated stolen data to OneDrive accounts.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Chimera has used scheduled tasks to invoke Cobalt Strike, including through the batch script schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st, and to maintain persistence.[1][2]
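As an added defender-side example (not from this page, MITRE, or any cited report), the following Python applies the command-line procedures documented above to process-creation records and reports which technique each record matches. The host|user|image|cmdline record format and every sample event are constructed assumptions, not real telemetry.

```python
import re

# Indicators taken from the procedure examples documented on this page, keyed by
# ATT&CK technique ID; each is applied case-insensitively to image path and command line.
INDICATORS = {
    "T1003.003": r'ntds\.dit.*--users-csv|\bntdsutil\b',
    "T1053.005": r'schtasks\s+/create.*/ru\s+"?system"?.*\\windows\\temp\\[^"]*\.bat',
    "T1482":     r'nltest\s+/domain_trusts',
    "T1012":     r'reg\s+query.*terminal server client\\servers',
    "T1082":     r'vssadmin\s+list\s+shadows|fsutil\s+fsinfo\s+drives',
    "T1049":     r'netstat\s+-ano.*\|\s*findstr\s+EST',
    "T1114.001": r'wmic\s+/node:.*process\s+call\s+create.*\.pst',
    "T1036.005": r'\\(jucheck\.exe|msadcs1\.exe|RecordedTV\.ms|teredo\.tmp)$',
}
COMPILED = {tid: re.compile(rx, re.I) for tid, rx in INDICATORS.items()}

def parse_line(line):
    """Parse a constructed 'host|user|image|cmdline' record. maxsplit=3 keeps a
    pipe inside the command line (netstat -ano | findstr EST) intact."""
    host, user, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}

def match_techniques(event):
    """Sorted technique IDs whose indicator hits the image path or the command line."""
    return sorted(tid for tid, rx in COMPILED.items()
                  if rx.search(event["image"]) or rx.search(event["cmdline"]))

def scan(lines):
    """Return [(host, [technique IDs])] for every event that matched at least one indicator."""
    findings = []
    for event in map(parse_line, lines):
        matched = match_techniques(event)
        if matched:
            findings.append((event["host"], matched))
    return findings

# Constructed sample events (assumed format, not real telemetry), modelled on this page's entries.
SAMPLE_LOG = [
    r'DC01|CORP\svc_backup|C:\Windows\Temp\msadcs.exe|msadcs.exe "NTDS.dit" -s "SYSTEM" -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv',
    r'WS07|CORP\jdoe|C:\Windows\System32\schtasks.exe|schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st 03:00',
    r'WS07|CORP\jdoe|C:\Windows\System32\cmd.exe|cmd /c netstat -ano | findstr EST',
    r'WS07|CORP\jdoe|C:\Windows\System32\nltest.exe|nltest /domain_trusts',
    r'WS07|CORP\jdoe|C:\Windows\System32\reg.exe|reg query "HKU\S-1-5-21-1\SOFTWARE\Microsoft\Terminal Server Client\Servers"',
    r'FS02|CORP\svc_backup|C:\Users\Public\jucheck.exe|jucheck.exe a -r stage.rar D:\Projects',
    r'WS07|CORP\jdoe|C:\Program Files\Git\cmd\git.exe|git status',
]

if __name__ == "__main__":
    for host, techniques in scan(SAMPLE_LOG):
        print(host, ", ".join(techniques))
```

The patterns are deliberately narrow (renamed binaries, the NtdsAudit argument shape, SYSTEM-level tasks launched from c:\windows\temp) so they can be tightened or widened per environment without flagging routine administration.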

Software

ID Name References Techniques
S0521 BloodHound [1] Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Password Policy Discovery, Archive Collected Data, Native API, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, System Owner/User Discovery, Group Policy Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Remote System Discovery
S0154 Cobalt Strike [1][2] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0404 esentutl [2] Data from Local System, OS Credential Dumping: NTDS, Lateral Tool Transfer, Direct Volume Access, Ingress Tool Transfer, Hide Artifacts: NTFS File Attributes
S0002 Mimikatz [1][2] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0029 PsExec [2] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares

References