Target Package: APT 18

Posted on by Marcus Edmondson

Target Package: APT 18

Summary:

APT 18 is a threat group that has been in operation since at least 2009. A broad overview of how they operate consists of usually sending their victims a phishing email which will download a Remote Access Trojan (RAT). Some of their observed persistence mechanisms have been using registry run keys pointing to an executable that is in the user AppData\Roaming folder. They have also been known to use the Startup Folder and Windows services for persistence. In the past they have established their Command and Control channel over http, https and DNS. If two-factor authentication is not used they will try to rely on stolen credentials for access. This threat actor is skilled at using “Living Off The Land” techniques to laterally move and exfiltrate data from a victims environment. APT 18 has been known to use the AT task scheduler (at.exe) to schedule tasks to move laterally in an environment, but with their skilled use of “Living Off The Land” I wouldn’t be surprised if the use of Windows Management Instrumentation (WMI) or PowerShell is also used to gain access to other workstations and servers in the environment. 

Alternative Names:

  1. TG-0416
  2. Dynamite Panda
  3. Threat Group-0416
  4. Scandium
  5. Wekby Group

Tools:

  1. Gh0st RAT
  2. hcdLoader
  3. HTTPBrowser
  4. Pisloader

MITRE Tactics:

  1. T1070.001 – Application Layer Protocol: Web Protocols
  2. T1071.004 – Application Layer Protocol: DNS
  3. T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys/Startup
  4. T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  5. T1133 – External Remote Services
  6. T1083 – File and Directory Discovery
  7. T1070.004 – Indicator Removal on Host: File Deletion
  8. T1105 – Ingress Tool Transfer
  9. T1027 – Obfuscated Files or Information
  10. T1053.002 – Scheduled Task/Job: At (Windows)
  11. T1082 – System Information Discovery
  12. T1078 – Valid Accounts

How To Detect With Sysmon and Elastic Stack:

I won’t being covering every single technique but this should be good to get an idea of how to craft your queries. Remember every environment is different so these queries may not be fine tuned enough to filter out noise in your specific environment. The main objective is to test your tools to see if they can detect this type of activity and then tune your environment accordingly.

  1. T1070.001 –
    1. Kibana Query: winlog.event_id:3 AND winlog.event_data.Image: “~c:\users\*” AND NOT (“~onedrive*” OR “~dism*”)
    2. In this query I am looking through all Sysmon Network Connection events for executables running from user space and filtering out onedrive and dismhost. The last part of the query could also be filtered out in your Sysmon Configuration (recommended) or at the Logstash server
  2. T1071.004
    1. Kibana Query: winlog.event_id:22 AND winlog.event_data.Image: “~c:\users\*” AND NOT (“~onedrive*” OR “~dism*”)
    2. In this query I am looking through all Sysmon DNS Query events for executables running from user space and filtering out onedrive and dismhost. The last part of the query could also be filtered out in your Sysmon Configuration (recommended) or at the Logstash server
  3. T1547.001
    1. Kibana query: winlog.event_id:1 AND winlog.event_data.Image: “~reg.exe” AND (winlog.event_data.ParentImage: “~C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” OR winlog.event_data.ParentImage: “~C:\Windows\System32\cmd.exe”)
    2. This query is looking through all my Sysmon Process Create events looking reg.exe being called from PowerShell or cmd.exe.
  4. T1083
    1. winlog.event_id:* AND (“dir” or “tree”)
    2. This isn’t the best query, it will be pretty noisy, but I was able to detect the technique with it.
  5. T1070.004
    1. Kibana query: winlog.event_id:* AND (“del” OR “rm”)
    2. Not a high fidelity query but it got the job done
  6. T1105
    1. Kibana query: (winlog.event_id:4104 AND winlog.event_data.ScriptBlockText: “~certutil”) OR (winlog.event_id:1 AND “certutil”)
    2. So this query is looking for Red Canary Atomic Test #7 for this particular tactic, which is downloading a remote file with certutil. I am looking for any scriptblock logs containing certutil or any Sysmon Process Create events using certutil.
  7. T1027
    1. Kibana query: winlog.event_id: 1 AND winlog.event_data.CommandLine: “~C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand”
    2. This query could be easily bypassed by changing some of the command, but for my purposes I was able to detect the test using it. From there you could do more correlation through the ProcessGuid.
  8. T1053.002
    1. Kibana query: winlog.event_id:1 AND winlog.event_data.Image: “~C:\Windows\System32\at.exe”
    2. In this query we are looking for Sysmon Process Creates with at.exe as the target image.
  9. T1082
    1. Kibana query: winlog.event_id:1 AND (winlog.event_data.Image: “~reg.exe” OR winlog.event_data.Image: “~C:\Windows\System32\systeminfo.exe”)
    2. In this query we are looking for Red Canary’s Atomic Test #2 for this tactic by looking for all Sysmon Process Creates looking specifically for reg.exe and systeminfo.exe.

Conclusion:

    This wraps up my first target package to profile a known APT group hopefully this post has been helpful. Until next time…

Happy Hunting, 

Marcus

References:

https://attack.mitre.org/groups/G0026/

https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

https://www.venafi.com/blog/infographic-how-an-attack-by-a-cyber-espionage-operator-bypassed-security-controls

https://unit42.paloaltonetworks.com/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

https://malpedia.caad.fkie.fraunhofer.de/actor/wekby

https://threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/

https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828/

https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html

https://www.secureworks.com/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Published by Marcus Edmondson

DFIR and threat hunting with PowerShell and Python are my passion. I love learning and researching new ways to find the adversary.