APT 10, a state-sponsored Chinese threat group, conducting a global cyber espionage operation

Threat Level – Amber | Vulnerability Report

APT 10, a Chinese state-sponsored advanced persistent threat group, has been attacking government, legal and religious entities and non-governmental organizations (NGOs) around the world in what appears to be an espionage campaign that has been under way for several months.

The actor gained initial access by exploiting unpatched Microsoft Exchange Server vulnerabilities and then deployed a variety of tools, including a custom loader and the Sodamaster backdoor. Sodamaster is a fileless backdoor that runs only in memory. It attempts to avoid sandbox analysis by checking for a specific registry key or delaying its execution; it enumerates the username, hostname and operating system of the targeted computer; it lists running processes; and it downloads and executes additional payloads. It also obfuscates and encrypts the traffic it sends back to its command-and-control (C&C) server. The attackers were also seen stealing credentials, including with a custom-made Mimikatz loader. This build ships with mimilib.dll, which operates as a Security Support Provider (SSP): once registered, LSASS loads it at boot, so it captures the plaintext credentials of every user who authenticates to the compromised host and persists across reboots.
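The mimilib.dll persistence described above only works because LSASS loads every DLL listed in the LSA "Security Packages" registry value. The following PowerShell is an added example, not code from the advisory or from the actor's tooling; it hunts for that mechanism (MITRE T1547.005) by comparing the registered SSPs against an assumed baseline of Windows built-in packages and, as a second signal, by looking for non-Microsoft DLLs already loaded in lsass.exe. The baseline list and the assumption that the DLL sits in System32 are the author's, not the advisory's; adjust both to your own golden image.

```powershell
# Added example (not from the HivePro advisory): hunt for a rogue Security Support Provider
# such as mimilib.dll. LSASS loads every entry in the 'Security Packages' REG_MULTI_SZ value
# at boot, which is what gives a mimilib-style credential logger persistence across reboots.
# Run from an elevated prompt.

$SspKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig'   # may not exist on newer builds
)

# ASSUMPTION: built-in SSP names on a default Windows 10 / Server build. Tune to your image.
$ExpectedSsp = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-RegisteredSsp {
    param([string]$KeyPath)
    $item = Get-ItemProperty -Path $KeyPath -Name 'Security Packages' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    # Normalise entries: strip quotes/whitespace, lower-case, drop the empty "" placeholder.
    @($item.'Security Packages') |
        ForEach-Object { $_.ToString().Trim('"', ' ').ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
}

function Find-UnexpectedSsp {
    $findings = @()
    foreach ($key in $SspKeys) {
        foreach ($entry in Get-RegisteredSsp -KeyPath $key) {
            # Entries may be bare names (mimilib) or full paths; compare on the file stem.
            $stem = [IO.Path]::GetFileNameWithoutExtension($entry)
            if ($ExpectedSsp -notcontains $stem) {
                # ASSUMPTION: SSPs are resolved from System32, which is where mimilib.dll is dropped.
                $dll = Join-Path $env:SystemRoot "System32\$stem.dll"
                $sigStatus = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status } else { 'not on disk' }
                $findings += [pscustomobject]@{
                    Key       = $key
                    Entry     = $entry
                    DllPath   = $dll
                    Signature = $sigStatus
                }
            }
        }
    }
    return $findings
}

function Find-NonMicrosoftModuleInLsass {
    # Second signal: a DLL that is not Microsoft-signed already loaded in lsass.exe.
    # Needs SeDebugPrivilege; throws (caught below) when LSASS runs as a protected process.
    try {
        $lsass = Get-Process -Name lsass -ErrorAction Stop
        $lsass.Modules | Where-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FileName
            $sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft'
        } | Select-Object ModuleName, FileName
    } catch {
        Write-Warning "Could not enumerate lsass.exe modules: $($_.Exception.Message)"
    }
}

$regHits = Find-UnexpectedSsp
$memHits = Find-NonMicrosoftModuleInLsass
if (-not $regHits -and -not $memHits) {
    'No unexpected Security Support Providers found.'
} else {
    'Unexpected SSP registrations:'; $regHits | Format-Table -AutoSize
    'Non-Microsoft modules in lsass.exe:'; $memHits | Format-Table -AutoSize
}
```

A hit in the registry check with an unsigned or missing DLL is the strongest indicator; an entry that is present but not yet loaded means the machine has not rebooted since the SSP was registered, so the credential capture has not started and the entry can still be removed before it does. The lsass module check is best effort: on hosts with LSA protection (RunAsPPL) enabled it will fail, which is itself the configuration that blocks this technique.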

The MITRE ATT&CK tactics and techniques commonly used by APT 10 are:

Tactics:
TA0042: Resource Development
TA0001: Initial Access
TA0002: Execution
TA0003: Persistence
TA0004: Privilege Escalation
TA0005: Defense Evasion
TA0006: Credential Access
TA0007: Discovery
TA0008: Lateral Movement
TA0009: Collection
TA0010: Exfiltration
TA0011: Command and Control

Techniques:
T1087.002: Account Discovery: Domain Account
T1583.001: Acquire Infrastructure: Domains
T1560: Archive Collected Data
T1560.001: Archive Collected Data: Archive via Utility
T1119: Automated Collection
T1059.001: Command and Scripting Interpreter: PowerShell
T1059.003: Command and Scripting Interpreter: Windows Command Shell
T1005: Data from Local System
T1039: Data from Network Shared Drive
T1074.001: Data Staged: Local Data Staging
T1074.002: Data Staged: Remote Data Staging
T1140: Deobfuscate/Decode Files or Information
T1568.001: Dynamic Resolution: Fast Flux DNS
T1190: Exploit Public-Facing Application
T1210: Exploitation of Remote Services
T1083: File and Directory Discovery
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1574.002: Hijack Execution Flow: DLL Side-Loading
T1070.003: Indicator Removal on Host: Clear Command History
T1070.004: Indicator Removal on Host: File Deletion
T1105: Ingress Tool Transfer
T1056.001: Input Capture: Keylogging
T1036: Masquerading
T1036.003: Masquerading: Rename System Utilities
T1036.005: Masquerading: Match Legitimate Name or Location
T1106: Native API
T1046: Network Service Scanning
T1027: Obfuscated Files or Information
T1588.002: Obtain Capabilities: Tool
T1003.002: OS Credential Dumping: Security Account Manager
T1003.003: OS Credential Dumping: NTDS
T1003.004: OS Credential Dumping: LSA Secrets
T1566.001: Phishing: Spearphishing Attachment
T1055.012: Process Injection: Process Hollowing
T1090.002: Proxy: External Proxy
T1021.001: Remote Services: Remote Desktop Protocol
T1021.004: Remote Services: SSH
T1018: Remote System Discovery
T1053.005: Scheduled Task/Job: Scheduled Task
T1218.004: Signed Binary Proxy Execution: InstallUtil
T1553.002: Subvert Trust Controls: Code Signing
T1016: System Network Configuration Discovery
T1049: System Network Connections Discovery
T1199: Trusted Relationship
T1204.002: User Execution: Malicious File
T1078: Valid Accounts
T1047: Windows Management Instrumentation
