APT1 China’s Cyber Espionage Group Attack Life Cycle with Reference to Mandiant Attack Cycle.
In this article we walk through the detailed attack life cycle of APT1's cyber espionage operations and highlight the main techniques and tools APT1 used against 141 victims across 20 industries related to China's strategic priorities. APT1's parallel activity implies that the group has significant personnel and technical resources at its disposal.
The longest time period APT1 maintained access to a victim’s network was at least 1,764 days, or four years and ten months.
APT1 Data Theft
» Product development cycle and the things necessary for it
» Manufacturing procedures
» Business plans
» Emails of high-ranking employees
Largest APT1 data theft from a single organization: 6.5 Terabytes over 10 months.
APT1 has likely stolen hundreds of terabytes from its victims.
APT1: Attack Lifecycle
They begin with aggressive spear phishing.
1. The Initial Compromise
Methods intruders use to first penetrate a target organization’s network.
Spear phishing is APT1's most commonly used technique. The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file that installs a backdoor.
What is a Backdoor?
A backdoor is a method of bypassing normal authentication or securing remote access to a computer, while attempting to remain undetected. It allows attackers to gain unauthorized access to a system, network, or software application without going through the usual security mechanisms.
2. Establishing A Foothold
Actions that ensure control of the target network’s systems from outside the network.
APT1 establishes a foothold once email recipients open a malicious file, and a backdoor is subsequently installed. A backdoor is software that allows an intruder to send commands to the system remotely.
APT1 intruders occasionally use publicly available backdoors such as Poison Ivy and Gh0st RAT.
APT1’s beachhead backdoors are usually what we call WEBC2 backdoors.
Beachhead Backdoors
Beachhead backdoors perform simple tasks such as retrieving files, gathering basic system information and triggering the execution of other, more capable backdoors.
WEBC2 backdoors typically give APT1 attackers a short and rudimentary set of commands to issue to victim systems, including:
» Open an interactive command shell (usually Windows’ cmd.exe)
» Download and execute a file
» Sleep (i.e. remain inactive) for a specified amount of time.
Standard Backdoors
The backdoors which
The BISCUIT backdoor (so named for the command “bdkzt”) is an illustrative example of the range of commands that APT1 has built into its “standard” backdoors.
The standard APT1 backdoor typically communicates using the HTTP protocol (to blend in with legitimate web traffic) or a custom protocol that the malware authors designed themselves.
» Upload/download files
» Create/delete directories
» List/start/stop processes
» Modify the system registry
» Take screenshots of the user’s desktop
» Capture keystrokes
» Capture mouse movement
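As an added detection example (not code from the original article or from the Mandiant report): the "sleep for a specified amount of time" command of the WEBC2 backdoors and the HTTP blending of the standard backdoors together produce check-ins at near-constant intervals, which a web proxy log can reveal. The log format, hosts and thresholds below are constructed assumptions.

```python
"""Flag periodic outbound HTTP connections (beaconing): a backdoor that "sleeps"
a fixed time between check-ins produces near-constant request intervals.
Constructed sample data; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log lines: "<ISO timestamp> <client> <destination host> <path>"
SAMPLE_LOG = """\
2013-02-01T09:00:00 10.1.1.5 update.example-cdn.test /index.asp
2013-02-01T09:00:02 10.1.1.5 news.example.test /
2013-02-01T09:05:01 10.1.1.5 update.example-cdn.test /index.asp
2013-02-01T09:10:00 10.1.1.5 update.example-cdn.test /index.asp
2013-02-01T09:11:40 10.1.1.5 news.example.test /sports
2013-02-01T09:15:02 10.1.1.5 update.example-cdn.test /index.asp
2013-02-01T09:20:00 10.1.1.5 update.example-cdn.test /index.asp
2013-02-01T09:24:15 10.1.1.5 news.example.test /weather
2013-02-01T09:25:01 10.1.1.5 update.example-cdn.test /index.asp
"""

def parse_log(text):
    """Yield (client, host, timestamp) tuples from the constructed format."""
    for line in text.splitlines():
        ts, client, host, _path = line.split()
        yield client, host, datetime.fromisoformat(ts)

def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, host): mean_interval_seconds} for pairs whose
    inter-request gaps are nearly constant (coefficient of variation below
    max_cv). Ordinary browsing has irregular gaps; a sleeping backdoor does not."""
    times = defaultdict(list)
    for client, host, ts in parse_log(text):
        times[(client, host)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits[key] = round(avg, 1)
    return hits

if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: check-in every ~{interval}s")
```

Real backdoors often add random jitter to the sleep, so in production the CV threshold is tuned per environment and combined with other signals (destination reputation, request size uniformity).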
3. Privilege Escalation
Escalating privileges involves acquiring items (most often usernames and passwords) that will allow access to more resources within the network.
APT1 predominantly uses publicly available tools to dump password hashes from victim systems in order to obtain legitimate user credentials.
Publicly available privilege escalation tools that APT1 has used:
cachedump: This program extracts cached password hashes from a system’s registry.
fgdump: Windows password hash dumper
gsecdump: Obtains password hashes from the Windows registry, including the SAM file, cached domain credentials, and LSA secrets.
Mimikatz: A utility primarily used for dumping password hashes.
A password hash is a fixed-length string derived from a password in a way that is hard to reverse; storing hashes instead of plaintext passwords protects user credentials from being easily compromised.
4. Internal Reconnaissance
In the Internal Reconnaissance stage, the intruder collects information about the victim environment.
APT1 primarily uses built-in operating system commands, chained together in a batch script that is then executed on the victim system.
Batch scripts are a type of script used in Windows operating systems to automate tasks.
» Display the victim’s network configuration information
» List the services that have started on the victim system
» List currently running processes
» List accounts on the system
» List accounts with administrator privileges
» List current network connections
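An added detection example, not code from the original article: the enumeration commands listed above are ordinary administrative commands one at a time, but a batch script fires all of them within seconds under one parent process, which is the pattern worth alerting on. The Sysmon-style process-creation records, host names and thresholds below are constructed assumptions.

```python
"""Flag a host where the built-in enumeration commands APT1 chains in a batch
file run in quick succession under one parent process (constructed records)."""
from collections import defaultdict
from datetime import datetime, timedelta

# The reconnaissance commands listed above, keyed by what each reveals.
RECON_COMMANDS = {
    "ipconfig /all": "network configuration",
    "net start": "started services",
    "tasklist": "running processes",
    "net user": "local accounts",
    "net localgroup administrators": "administrator accounts",
    "netstat -ano": "network connections",
}

# Constructed records: (timestamp, host, parent image, command line).
# WS042 runs the whole batch in seconds; WS017 is an admin checking one thing.
SAMPLE_EVENTS = [
    ("2013-02-01T10:00:00", "WS042", "cmd.exe", "ipconfig /all"),
    ("2013-02-01T10:00:01", "WS042", "cmd.exe", "net start"),
    ("2013-02-01T10:00:01", "WS042", "cmd.exe", "tasklist"),
    ("2013-02-01T10:00:02", "WS042", "cmd.exe", "net user"),
    ("2013-02-01T10:00:02", "WS042", "cmd.exe", "net localgroup administrators"),
    ("2013-02-01T10:00:03", "WS042", "cmd.exe", "netstat -ano"),
    ("2013-02-01T11:30:00", "WS017", "cmd.exe", "ipconfig /all"),
]

def classify(cmdline):
    """Map a command line to a recon category, or None if it is not one."""
    c = " ".join(cmdline.lower().split())
    for cmd, category in RECON_COMMANDS.items():
        if c.startswith(cmd):
            return category
    return None

def find_recon_bursts(events, window=timedelta(minutes=2), min_distinct=4):
    """Return {(host, parent): sorted categories} for each host/parent pair that
    ran at least min_distinct different recon commands inside one window."""
    seen = defaultdict(list)
    for ts, host, parent, cmd in events:
        cat = classify(cmd)
        if cat:
            seen[(host, parent)].append((datetime.fromisoformat(ts), cat))
    hits = {}
    for key, rows in seen.items():
        rows.sort()  # sliding window over time-ordered recon events
        for i, (start, _) in enumerate(rows):
            cats = {c for t, c in rows[i:] if t - start <= window}
            if len(cats) >= min_distinct:
                hits[key] = sorted(cats)
                break
    return hits
```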
5. Lateral Movement
Once an APT intruder has a foothold inside the network and a set of legitimate credentials, it is simple for the intruder to move around the network undetected.
They can connect to shared resources on other systems.
APT1 uses the publicly available “psexec” tool from Microsoft Sysinternals or the built-in Windows Task Scheduler for Lateral movements.
How psexec and Task Scheduler are used for lateral movement:
Deploying Malware:
- Schedule malware or malicious scripts to run periodically or at specific times.
Data Exfiltration:
- Create tasks to collect and send data to external servers.
Establishing Persistence:
- Schedule tasks to run malicious payloads at system startup or user logon.
Spreading Malware:
- Deploy malware or scripts on other systems within the network.
Credential Harvesting:
- Schedule tasks to capture and collect user credentials.
Remote Command Execution:
- Create tasks to run remote commands or scripts on other systems.
Clearing Logs:
- Schedule tasks to delete or manipulate system and security logs.
Installing Additional Backdoors:
- Set up tasks to install or activate more backdoors.
Updating Malware:
- Schedule tasks to download and execute updated malware versions.
Network Reconnaissance:
- Create tasks for network scanning or discovery activities.
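An added detection example, not code from the original article: both mechanisms named above leave distinct Windows event records. A PsExec run installs a service on the target (System log event 7045, service name PSEXESVC), and a scheduled task creation is logged as Security event 4698 when task auditing is enabled. The records, field names and the suspicious-action rules below are constructed assumptions.

```python
"""Flag PsExec service installs (event 7045, service PSEXESVC) and suspicious
scheduled-task creations (event 4698) in constructed Windows event records.
Field names and the suspicious-action rules are assumptions."""
import re

# Constructed events. Real 4698 events carry the task definition as XML; the
# task's command is pre-extracted into "action" here to keep the sample short.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "SRV01", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"id": 7045, "host": "SRV01", "service": "Spooler",
     "image": "C:\\Windows\\System32\\spoolsv.exe"},
    {"id": 4698, "host": "SRV02", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "action": "%windir%\\system32\\defrag.exe"},
    {"id": 4698, "host": "SRV02", "task": "\\At1",
     "action": "C:\\Windows\\Temp\\update.exe"},
    {"id": 4698, "host": "SRV03", "task": "\\Sync",
     "action": "cmd.exe /c C:\\Users\\Public\\run.bat"},
]

# Payloads in world-writable directories or script files are the kind of action
# the scheduled-task abuses listed above rely on; tune this list per environment.
SUSPICIOUS_ACTION = re.compile(
    r"(\\Temp\\|\\Users\\Public\\|\\ProgramData\\|\.bat\b|\.vbs\b)", re.IGNORECASE)
AT_STYLE_NAME = re.compile(r"\\At\d+")  # names at.exe gives the tasks it creates

def lateral_movement_alerts(events):
    """Return (host, reason) tuples for records that match either mechanism."""
    alerts = []
    for ev in events:
        if ev["id"] == 7045 and ev["service"].upper() == "PSEXESVC":
            # PsExec copies its service binary to the target's admin share and
            # starts it; each install is one remote execution worth reviewing.
            alerts.append((ev["host"], "PsExec service installed"))
        elif ev["id"] == 4698 and (AT_STYLE_NAME.fullmatch(ev["task"])
                                   or SUSPICIOUS_ACTION.search(ev["action"])):
            alerts.append((ev["host"], f"suspicious task {ev['task']} -> {ev['action']}"))
    return alerts

if __name__ == "__main__":
    for host, reason in lateral_movement_alerts(SAMPLE_EVENTS):
        print(host, reason)
```

Event 4698 is only written when "Audit Other Object Access Events" is enabled, so checking that audit setting is part of deploying this detection.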
6. Maintain Presence
The intruder takes actions to ensure continued, long-term control over key systems in the network environment from outside of the network.
- APT1 usually installs new backdoors.
- APT1 uses stolen usernames and passwords to log into victim networks' VPNs.
- APT1 intruders also attempt to log into web portals that the network offers internally, such as internally shared web pages.
7. Completing The Mission
Once APT1 finds files of interest, they pack them into archive files before stealing them. APT intruders most commonly use the RAR archiving utility for this task; APT1 attackers then transfer the archives out of the network.
APT1 uses two email-stealing utilities, which are as follows:
- GETMAIL was designed specifically to extract email messages, attachments, and folders from within Microsoft Outlook archive ("PST") files.
- MAPIGET was designed specifically to steal email that has not yet been archived and still resides on a Microsoft Exchange Server.