Soft Cell
Operation Soft Cell is a group that is reportedly affiliated with China and is likely state-sponsored. The group has operated since at least 2012 and has compromised high-profile telecommunications networks.[1]
Techniques Used
Domain | ID | Name | Use
---|---|---|---
Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Soft Cell used WinRAR to compress and encrypt stolen data prior to exfiltration.[1]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Soft Cell used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Soft Cell used the Windows command shell to execute commands.[1]
Enterprise | T1136.002 | Create Account: Domain Account | Soft Cell created rogue, high-privileged domain user accounts to maintain access across waves of a compromise.[1]
Enterprise | T1005 | Data from Local System | Soft Cell collected data from the victim's local system, including password hashes from the SAM hive in the Registry.[1]
Enterprise | T1074.001 | Data Staged: Local Data Staging | Soft Cell compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.[1]
Enterprise | T1041 | Exfiltration Over C2 Channel | Soft Cell used Web shells and HTRAN for C2 as well as to exfiltrate data.[1]
Enterprise | T1190 | Exploit Public-Facing Application | Soft Cell exploited a public-facing server to gain access to the network.[1]
Enterprise | T1133 | External Remote Services | Soft Cell established VPN access into victim environments.[1]
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Soft Cell used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.[1]
Enterprise | T1105 | Ingress Tool Transfer | Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, WinRAR, and HTRAN.[1]
Enterprise | T1036.003 | Masquerading: Rename System Utilities | Soft Cell used a renamed cmd.exe file to evade detection.[1]
Enterprise | T1027 | Obfuscated Files or Information | Soft Cell used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.[1]
Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Soft Cell packed some payloads using different types of packers, both known and custom.[1]
Enterprise | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Soft Cell ensured each payload had a unique hash, including by using different types of packers.[1]
Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Soft Cell used
Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | Soft Cell used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.[1]
Enterprise | T1090.002 | Proxy: External Proxy | Soft Cell used a modified version of HTRAN to redirect connections between networks.[1]
Enterprise | T1018 | Remote System Discovery | Soft Cell used a modified version of nbtscan to identify available NetBIOS name servers over the network as well as
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Soft Cell established persistence for PoisonIvy by creating a scheduled task.[1]
Enterprise | T1505.003 | Server Software Component: Web Shell | Soft Cell used Web shells to persist in victim environments and assist in execution and exfiltration.[1]
Enterprise | T1016 | System Network Configuration Discovery | Soft Cell used
Enterprise | T1049 | System Network Connections Discovery | Soft Cell used
Enterprise | T1033 | System Owner/User Discovery | Soft Cell used
Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Soft Cell used dumped hashes to authenticate to other machines via pass the hash.[1]
Enterprise | T1078 | Valid Accounts | Soft Cell leveraged valid accounts to maintain access to a victim network.[1]
Enterprise | T1047 | Windows Management Instrumentation | Soft Cell used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.[1]