TA459, Group G0062 | MITRE ATT&CK®
TA459
TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. [1]
ID: G0062
Contributors: Valerii Marchuk, Cybersecurity Help s.r.o.
Version: 1.1
Created: 18 April 2018
Last Modified: 25 April 2025
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | TA459 has used PowerShell for execution of a payload. [1] |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | TA459 has used a VBScript for execution. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution. [1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments. [1] |
| Enterprise | T1204.002 | User Execution: Malicious File | TA459 has attempted to get victims to open a malicious Microsoft Word attachment sent via spearphishing. [1] |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0032 | gh0st RAT | TA459 has used a Gh0st variant known as PCrat/Gh0st. [1] | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution |
| S0033 | NetTraveler | [1] | Application Window Discovery, Input Capture: Keylogging |
| S0013 | PlugX | [1] | Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Debugger Evasion, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Execution Guardrails: Mutual Exclusion, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hide Artifacts: Hidden Window, Hijack Execution Flow: DLL, Impair Defenses: Disable or Modify System Firewall, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Local Storage Discovery, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Resource Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information: Dynamic API Resolution, Obfuscated Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Peripheral Device Discovery, Process Discovery, Query Registry, Reflective Code Loading, Replication Through Removable Media, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Location Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, User Execution: Malicious File, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver |
| S0230 | ZeroT | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Data Obfuscation: Steganography, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL, Ingress Tool Transfer, Obfuscated Files or Information: Junk Code Insertion, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, System Information Discovery, System Network Configuration Discovery |
References

[1] Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.