Currently viewing ATT&CK v14.1, which was live between October 31, 2023 and April 22, 2024.

TA459

TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]

ID: G0062
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.1
Created: 18 April 2018
Last Modified: 30 March 2020

Techniques Used

Domain: Enterprise
ID: T1059.001
Name: Command and Scripting Interpreter: PowerShell
Use: TA459 has used PowerShell for execution of a payload.[1]

Domain: Enterprise
ID: T1059.005
Name: Command and Scripting Interpreter: Visual Basic
Use: TA459 has used a VBScript for execution.[1]

Domain: Enterprise
ID: T1203
Name: Exploitation for Client Execution
Use: TA459 has exploited the Microsoft Word vulnerability CVE-2017-0199 for execution.[1]

Domain: Enterprise
ID: T1566.001
Name: Phishing: Spearphishing Attachment
Use: TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.[1]

Domain: Enterprise
ID: T1204.002
Name: User Execution: Malicious File
Use: TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing.[1]

Software

ID: S0032
Name: gh0st RAT
References: TA459 has used a Gh0st variant known as PCrat/Gh0st.[1]
Techniques: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter; Create or Modify System Process: Windows Service; Data Encoding: Standard Encoding; Deobfuscate/Decode Files or Information; Dynamic Resolution: Fast Flux DNS; Encrypted Channel: Symmetric Cryptography; Encrypted Channel; Hijack Execution Flow: DLL Side-Loading; Indicator Removal: Clear Windows Event Logs; Indicator Removal: File Deletion; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; System Binary Proxy Execution: Rundll32; System Information Discovery; System Services: Service Execution

ID: S0033
Name: NetTraveler
References: [1]
Techniques: Application Window Discovery; Input Capture: Keylogging

ID: S0013
Name: PlugX
References: [1]
Techniques: Application Layer Protocol: Web Protocols; Application Layer Protocol: DNS; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; File and Directory Discovery; Hide Artifacts: Hidden Files and Directories; Hijack Execution Flow: DLL Side-Loading; Hijack Execution Flow: DLL Search Order Hijacking; Ingress Tool Transfer; Input Capture: Keylogging; Masquerading: Masquerade Task or Service; Masquerading: Match Legitimate Name or Location; Modify Registry; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; System Network Connections Discovery; Trusted Developer Utilities Proxy Execution: MSBuild; Virtualization/Sandbox Evasion: System Checks; Web Service: Dead Drop Resolver

ID: S0230
Name: ZeroT
References: [1]
Techniques: Abuse Elevation Control Mechanism: Bypass User Account Control; Application Layer Protocol: Web Protocols; Create or Modify System Process: Windows Service; Data Obfuscation: Steganography; Deobfuscate/Decode Files or Information; Encrypted Channel: Symmetric Cryptography; Hijack Execution Flow: DLL Side-Loading; Ingress Tool Transfer; Obfuscated Files or Information: Binary Padding; Obfuscated Files or Information: Software Packing; Obfuscated Files or Information; System Information Discovery; System Network Configuration Discovery

References