APT 10, Chinese threat group global cyber espionage operation.

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

A Chinese state-sponsored advanced persistent threat APT 10 group has been attacking government, legal, religious entities and non-governmental organizations (NGOs) around the world in what appears to be an espionage campaign that has been underway for several months.

The actor gained initial access by exploiting unpatched Microsoft Exchange Server vulnerabilities, and the attacker then distributed a variety of tools, including a custom loader and the Sodamaster backdoor. The backdoor is a fileless virus that may avoid detection in a sandbox by looking for a registry key or postponing execution; enumerating the username, hostname, and operating system of targeted computers; searching for running processes; and downloading and executing additional payloads. It may also obfuscate and encrypt traffic it delivers back to its command-and-control (C&C) server. The attackers are also seen stealing credentials, including using a custom-made Mimikatz loader. This version of Mimikatz includes mimilib.dll, which allows it to retrieve credentials in plain text for each user who connects to the compromised host and maintains persistence over reboots.

The Mitre TTPs commonly used by APT 10 are:

TA0042: Resource Development
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0008: Lateral Movement
TA0009: Collection
TA0011: Command and Control
TA0010: Exfiltration T1087.002: Account Discovery: Domain Account
T1583.001: Acquire Infrastructure: Domains
T1560: Archive Collected Data
T1560.001: Archive via Utility
T1119: Automated Collection
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1005: Data from Local System
T1039: Data from Network Shared Drive
T1074.001: Data Staged: Local Data Staging
T1074.002: Data Staged: Remote Data Staging
T1140: Deobfuscate/Decode Files or Information
T1568.001: Dynamic Resolution: Fast Flux DNS
T1190: Exploit Public-Facing Application
T1210: Exploitation of Remote Services
T1083: File and Directory Discovery
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1070.003: Indicator Removal on Host: Clear Command History
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1056.001: Input Capture: Keylogging
T1036: Masquerading
T1036.003: Rename System Utilities
T1036.005: Match Legitimate Name or Location
T1106: Native API
T1046: Network Service Scanning
T1027: Obfuscated Files or Information
T1588.002: Obtain Capabilities: Tool
T1003.002: OS Credential Dumping: Security Account Manager
T1003.003: OS Credential Dumping: NTDS
T1003.004: OS Credential Dumping: LSA Secrets
T1566.001: Phishing: Spearphishing Attachment
T1055.012: Process Injection: Process Hollowing
T1090.002: Proxy: External Proxy
T1021.001: Remote Services: Remote Desktop Protocol
T1021.004: Remote Services: SSH
T1018: Remote System Discovery
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.004: Signed Binary Proxy Execution: InstallUtil
T1553.002: Subvert Trust Controls: Code Signing
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1199: Trusted Relationship
T1204.002: User Execution: Malicious File
T1078: Valid Accounts T1047: Windows Management Instrumentation