ZIRCONIUM

ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.[1][2]

ID: G0128
Associated Groups: APT31, Violet Typhoon
Version: 2.1
Created: 24 March 2021
Last Modified: 10 October 2024

Associated Group Descriptions

Name Description
APT31 [2]
Violet Typhoon [3]

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.[4]

Enterprise T1090 .003 Proxy: Multi-hop Proxy

ZIRCONIUM has utilized an ORB (operational relay box) network – consisting of compromised devices such as small office and home office (SOHO) routers, IoT devices, and leased virtual private servers (VPS) – to proxy traffic.[5]

Enterprise T1036 Masquerading

ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.[6][4]

.004 Masquerade Task or Service

ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[4]

Enterprise T1598 Phishing for Information

ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.[6]

.003 Spearphishing Link

ZIRCONIUM has used web beacons in e-mails to track hits to attacker-controlled URLs.[1]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

ZIRCONIUM has used AES encrypted communications in C2.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

ZIRCONIUM has used the AES256 algorithm with a SHA1-derived key to decrypt exploit code.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.[4]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[4]

.006 Command and Scripting Interpreter: Python

ZIRCONIUM has used Python-based implants to interact with compromised hosts.[6][4]

Enterprise T1584 .008 Compromise Infrastructure: Network Devices

ZIRCONIUM has compromised network devices such as small office and home office (SOHO) routers and IoT devices for use in ORB (operational relay box) proxy networks.[7][5]

Enterprise T1068 Exploitation for Privilege Escalation

ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.[2]

Enterprise T1012 Query Registry

ZIRCONIUM has used a tool to query the Registry for proxy settings.[4]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

ZIRCONIUM has used multi-stage packers for exploit code.[2]

Enterprise T1204 .001 User Execution: Malicious Link

ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[6][4]

Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.[4]

Enterprise T1082 System Information Discovery

ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.[4]

Enterprise T1033 System Owner/User Discovery

ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[4]

Enterprise T1124 System Time Discovery

ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[4]

Enterprise T1016 System Network Configuration Discovery

ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[4]

Enterprise T1102 .002 Web Service: Bidirectional Communication

ZIRCONIUM has used Dropbox for C2, allowing upload and download of files as well as execution of arbitrary commands.[6][4]

Enterprise T1583 .001 Acquire Infrastructure: Domains

ZIRCONIUM has purchased domains for use in targeted campaigns.[1]

.006 Acquire Infrastructure: Web Services

ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[6][4]

Enterprise T1105 Ingress Tool Transfer

ZIRCONIUM has used tools to download malicious files to compromised hosts.[4]

Enterprise T1041 Exfiltration Over C2 Channel

ZIRCONIUM has exfiltrated files via its Dropbox API-based C2 channel.[4]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

ZIRCONIUM has exfiltrated stolen data to Dropbox.[4]

Enterprise T1566 .002 Phishing: Spearphishing Link

ZIRCONIUM has used malicious links in e-mails to deliver malware.[1][6][4]

References