How APT groups operate at different stages of an attack

APT attacks pose a serious security threat not only to individual organizations but also to entire states, especially when initiated by professional cybercriminal groups. In this section, we'll take a closer look at the working processes of APT groups that have repeatedly targeted Southeast Asian organizations. We will describe APT group actions using the MITRE ATT&CK terminology. The most common tactics, techniques, and sub-techniques are illustrated with examples from recent publicly disclosed cybercampaigns.

Preparing resources for attacks

Before the phase of active intrusion, cybercriminals prepare the turf. This primarily involves creating the infrastructure needed to manage and control the attack (Acquire Infrastructure, Compromise Infrastructure). For example, the Earth Lusca group used compromised web servers (T1584.004) and rented virtual dedicated servers (T1583.003) from the provider Vultr to build infrastructure for a cybercampaign targeting numerous Asian organizations. The group registered domains (T1583.001) to create fake pages and host malicious payloads for watering hole attacks.

APT groups acquire various resources and tools needed for the attack (Obtain Capabilities). In addition to malware, these can include legitimate programs, both free and commercial. Some attackers modify publicly available tools to suit their needs. For instance, the APT10, Gallium, and GhostEmperor groups have modified a number of utilities to avoid detection by security tools. To disguise malware as legitimate software, cybercriminals acquire code signing certificates (T1588.003). For example, the Earth Krahang group used certificates issued by GlobalSign to sign XDealer loaders. Researchers at Trend Micro suggest these certificates might have been stolen from their legitimate owners. Criminals either steal certificates themselves or buy them on dark web forums.

Reconnaissance and initial attack vectors

During the reconnaissance stage, attackers try to gather as much information as possible about the target organization (Gather Victim Org Information) and its employees (Gather Victim Identity Information). To collect preliminary information about the victim, some groups, like Mustang Panda, APT32, and SideWinder, conduct phishing campaigns (Phishing for Information). For example, the SideWinder group sent emails with links leading to phishing sites to steal passwords. The stolen employee credentials could then be used for initial penetration into victim organizations (Valid Accounts).

The information gathered during reconnaissance can be useful for attackers when composing emails with malicious attachments or links. Phishing campaigns (Phishing) are the most common technique for initial access, used by 75% of the APT groups we studied.

Email headers and attachment names may reflect geopolitical themes, and phishing campaigns are often timed to coincide with significant events in the region. For example, the Mustang Panda group sends out emails related to ASEAN summits. In February 2022, in a campaign targeting Southeast Asian countries, the group used malicious attachments named "ASEAN Leaders' Meeting.exe". In March 2024, the group conducted phishing campaigns referencing the ASEAN-Australia Special Summit.

Table 1. Examples of phishing email attachments from APT groups attacking ASEAN countries

Some attackers conduct phishing campaigns using previously compromised email addresses or documents stolen from previous victims, significantly increasing the chances that malicious emails will be delivered and read. For example, the Earth Krahang group used the hacked email account of a government agency to send phishing emails to other countries' governments. The Mustang Panda group sent phishing emails to organizations in Myanmar using documents in Burmese as bait. Trend Micro experts suggest these documents might have been previously stolen from other Myanmar organizations.

The second most popular technique for gaining initial access is exploiting vulnerabilities in public-facing servers (Exploit Public-Facing Application). This technique is used by half of the APT groups attacking Southeast Asian countries. First, attackers conduct active network scanning (Active Scanning) to find potential entry points. The Earth Krahang group, targeting government organizations in Southeast Asia, uses a whole arsenal of tools for scanning: sqlmap, kernel, xray, vscan, pocsuite, and wordpressscan. Attackers perform recursive searches in .git and .idea directories, browse directories for files with paths or credentials (Т1595.003), and check subdomains to find interesting and potentially unmaintained servers with vulnerabilities (T1595.002). The APT41 group also uses various programs for active scanning. These include tools for brute forcing directories on web servers, the Nmap network scanner, the Acunetix vulnerability scanner, and the JexBoss tool for finding and exploiting vulnerabilities in Jboss and other Java applications.

One of the attack vectors for APT groups targeting Southeast Asia involves finding and exploiting unpatched Microsoft Exchange servers. The Microsoft Exchange mail server is used by hundreds of thousands of companies worldwide. Its popularity and accessibility from the internet make it an attractive target for attackers. At least 30% of APT groups targeting Southeast Asia exploit vulnerabilities in Exchange. In 2022, the APT group ToddyCat compromised several organizations in Asian countries by exploiting a chain of critical vulnerabilities in Microsoft Exchange, known collectively as ProxyLogon. In 2023, the Earth Lusca group attacked government agencies and telecommunications companies in Southeast Asian countries, exploiting the ProxyShell vulnerabilities in Microsoft Exchange.

A number of APT groups (30%) choose watering hole attacks as their initial vector. They place scripts on websites that silently download malicious programs onto the computers of visitors (Drive-by Compromise). As bait, attackers might use compromised relevant resources or create their own sites that mimic real pages frequently visited by potential victims. For example, in the summer of 2021, ESET specialists discovered that the Mustang Panda group had hacked the website of the Myanmar presidential office and embedded a Cobalt Strike loader in a font package available for download on the site's main page.

Gaining persistence in the victim's infrastructure

To maintain their presence in the victim's infrastructure, attackers must ensure that they retain access to the system even after a reboot or password change. Only then can they control the compromised environment and advance through the infrastructure in search of valuable information.

Three-quarters of APT groups maintain their presence in a compromised system by executing malicious code within the context of a legitimate process (Hijack Execution Flow). The two most popular methods are based on loading malicious dynamic link libraries (DLLs) in the context of legitimate applications. One-fifth of the groups use the sub-technique involving DLL search order hijacking in Windows (T1574.001). Attackers place a malicious library in a directory that the operating system checks before the one containing the legitimate DLL. Thus, when the application is launched, the malicious library is loaded instead of the legitimate one, allowing the attackers to execute their code on the victim's computer. Another popular approach involves attackers delivering a legitimate application and a malicious DLL to the victim's computer, placing them in the same directory, and then launching the application; thus, the malicious DLL is executed in the context of the legitimate process (T1574.002). This sub-technique doesn't rely on software installed within the infrastructure, making it very popular: 70% of the APT groups we studied use it. The Lancefly group is one of them. This group's Merdoor backdoor uses older versions of various legitimate programs, delivered in an SFX archive along with the loader and payload, to establish persistence.

Another common persistence technique involves using a task scheduler (Scheduled Task/Job). This allows malicious code to run each time the system starts or at scheduled intervals. Scheduled tasks can be created using the schtasks system utility. This technique is used by 75% of APT groups targeting Southeast Asian countries.

To maintain presence in the target environment, 65% of groups set up autostart programs (Boot or Logon Autostart Execution). They add malware to the Run registry key or the Startup folder (T1547.001), ensuring the malicious code executes every time the operating system starts. The Dark Pink and APT23 groups modify registry keys used by the Winlogon.exe component (T1547.004). It handles various events: system login, loading the user profile during authentication, shutdown, and lockout. Modifying the corresponding registry keys turns these events into triggers for malicious payload execution, ensuring persistence in the system. Cybercriminals can add new registry keys or modify existing ones to install malware as print processors (T1547.012). Print processors are DLLs loaded by the print spooler (spoolsv.exe) during startup. This persistence method is used by the Earth Lusca and Gelsemium groups.

To maintain persistence in the victim's infrastructure, attackers can install malware as a service (Create or Modify System Process). In Windows, services run through the svchost.exe process, which provides them access to host resources. Services can be configured to run malicious code at specific times to ensure continuous presence. APT groups targeting Southeast Asian countries frequently hide malicious services behind the svchost.exe process. As a result, the attackers obtain a running process persisting through a service, enabling further development of the attack. This technique is used by 65% of the APT groups studied.

Attackers may use various combinations of persistence techniques. In attacks on Southeast Asian governments from Q2 2021 to Q3 2023, the Mustang Panda group used the multi-component Trojan ToneShell. The component designed for persistence tasks consists of DLL files. They were embedded in the context of PwmTower.exe—a component of Trend Micro's Password Manager program. Then, depending on privileges, a malicious service named DISMsrv and scheduled tasks or registry keys for autostart and scheduled tasks were created to establish persistence. After achieving persistence, the group loaded the next component of the Trojan, which is responsible for establishing network connections.

Credential harvesting

As soon as attackers gain system privileges on a compromised host, they try to collect as many credentials as possible. Compromised accounts allow attackers to masquerade as legitimate users, making them difficult to detect. Additionally, the same passwords may be used to access different resources, facilitating lateral movement within the perimeter.

The most commonly used technique for obtaining credentials is extracting them from the memory of system components (OS Credential Dumping), used by 65% of APT groups. Here are the main sources the APT groups we studied use to search for credentials in Windows:

• lsass.exe process memory (T1003.001). Responsible for authenticating users during system login and enforcing security policies. Passwords are extracted from lsass memory by 45% of APT groups. For this purpose, public tools such as Mimikatz, ProcDump, and LaZagne are frequently used.
• Security Account Manager database (SAM) (T1003.002). It stores local user credentials in the form of hash values. Credential extraction from the SAM database is practiced by 35% of APT groups. For example, in cybercampaigns targeting Southeast Asian governments in 2022 and 2023, the Gallium group created scheduled tasks that ran scripts with commands to extract credentials from the SAM registry hive using the reg.exe utility.
• NTDS database (T1003.003). Some groups (15%) extracted accounts from the NTDS.dit database file, which stores Active Directory information, including password hash values of all domain users. To do this, attackers used the system utilities ntdsutil and vssadmin. For example, the Mustang Panda group makes a shadow copy of the volume on the domain controller and extracts from it the NTDS.dit file and the key to decrypt it.

A third of APT groups (35%) intercept data that the victim enters on a compromised device (Input Capture). For this purpose, they use keyloggers—malware that intercepts keystrokes. Keyloggers are in the arsenal of many groups, such as APT10, APT41, Lancefly, and Mustang Panda.

Some groups extracted credentials from specialized storage locations (Credentials From Password Stores). Since web browsers have built-in password stores, a number of APT groups use tools to extract credentials from these stores (T1555.003). For example, for this purpose the Earth Estries group uses the TrillClient stealer, while APT41 uses the BrowserGhost utility. The Goblin Panda group has the ChromePass tool in its arsenal, which steals saved passwords from Chromium-based browsers. The program collects credentials in an HTML document containing a table with addresses, usernames, and passwords.

A quarter of APT groups search for unsecured or poorly protected credentials (Unsecured Credentials). They can browse user files on the hard drive in search of saved logins and passwords (T1552.001). For example, the APT41 group searched for strings in files using the keywords "user" and "password".

Investigating the corporate infrastructure

Attackers try to understand how the environment they've entered operates. To gather information, attackers often use tools included in the operating system. This minimizes any traces of activity, masks their actions, and cuts the cost of developing custom software.

Cybercriminals try to gather as much information as possible about the compromised system (System Information Discovery). The systeminfo utility can be used to collect system information. This is a built-in Windows utility that provides detailed information about the operating system and BIOS configuration, as well as hardware specifications. It is used by the groups Naikon, Mustang Panda, and GhostEmperor.

Most (80%) APT groups seek to identify users of compromised hosts (System Owner/User Discovery). This information can be used to escalate privileges or advance through the infrastructure. The whoami utility is often used to gather information about the current user, including their group and privileges. For example, it is used by groups such as APT32, APT41, Dark Pink, Earth Lusca, and Gelsemium.

Attackers gather information about the network configuration (System Network Configuration Discovery) and active network connections of the compromised host (System Network Connections Discovery). This information is needed for further advancement in the infrastructure and to maintain communication with the command server. At this stage, network diagnostic utilities such as ping, ipconfig, arp, netstat may be used. They are used by groups like Mustang Panda, APT32, APT41, Gallium, Naikon, Earth Lusca, and others.

Attackers explore files and directories on compromised hosts (File and Directory Discovery) to understand the infrastructure and find valuable information, such as credentials or confidential documents. The SideWinder group conducted a cybercampaign from June to November 2021, targeting government, financial, and telecommunications organizations in Myanmar. Using the infostealer SideWinder.StealerPy, the group searched for files with extensions corresponding to office documents and images, and obtained a list of directories and files from the desktop.

More than half (60%) of APT groups study the processes running on the host (Process Discovery). This information is needed to understand the environment, including installed security tools. For example, the Gelsemium group's trojan checks the list of running processes for the presence of security tools from a predefined list. In Windows, there are several ways to get a list of running processes. For example, the groups Mustang Panda, ToddyCat, Earth Lusca, and Naikon use the tasklist command. APT23 and GhostEmperor obtained the list of running processes using the PsList utility from Sysinternals' PsTools suite.

APT groups may use custom-developed software to collect information. For example, the Mustang Panda group's trojan Hodur (a variant of PlugX) collects detailed system information: uptime, Windows version, CPU clock speed, RAM size, and screen resolution. Additionally, the trojan can obtain the current user's name, the host's name, and its IP address.

Collecting valuable information

An important stage for attackers is collecting information valuable for cyberespionage. Sources of valuable information include local files on employees' workstations, browsers, email, shared network storage, cloud storage, and code repositories.

More than half (65%) of groups search for the information of interest in local files on compromised devices (Data from Local System). Cybercriminals can search for data in various sources. For example, the Dark Pink group collected files from web browsers, while APT41 collected from the Windows Volume Shadow Copy Service and the logging system.

Attackers take screenshots (Screen Capture) and intercept data entered by the victim (Input Capture). Often, both techniques are implemented using the same software tools. For example, the Gallium group used the trojan Quasar in a cyberattack on government organizations in one Southeast Asian country, which has keylogging and screen recording functions. Similarly, the Earth Estries group used the HemiGate backdoor, which implements both functions.

Attackers can automate data collection using scripts that search for and copy the necessary information (Automated Collection). In 2023, the ToddyCat group conducted a cybercampaign targeting a government organization in Malaysia. Using a PowerShell script that ran in a scheduled task, the attackers found user documents and saved them in a temporary directory. Automated data collection can be performed using malware functionality.

Some APT groups (45%) place collected data in one directory before exfiltrating it (Data Staged). Such storage can be the Recycle Bin, a directory unpopular among regular users, or other local or remote locations. This allows attackers to keep stolen files out of the victim's sight.

Most groups (75%) archive or encrypt collected data (Archive Collected Data). Compressing data allows attackers to transmit the collected information much faster. Usually, the victims' devices already have the necessary software for this, such as WinRAR, 7z, or tar. Many groups use these utilities, including APT41, Earth Estries, GhostEmperor, Lancefly, Mustang Panda, and ToddyCat (T1560.001). Coding and encryption of information is carried out in order to hide stolen data. For example, the Sharp Panda group encrypted collected information using the RC4 algorithm and converted it to Base64 format.

Interacting with the C&C server

The ability to exchange data with compromised devices within the network and transmit stolen information externally is one of the factors determining a successful outcome of an APT attack (for attackers that is). Usually, attackers configure multiple channels to interact with the command server. It's crucial for attackers that these network connections remain undetected by security tools, such as network traffic analyzers.

A common strategy is to mix malicious traffic with legitimate traffic. Attackers prefer to use application layer protocols (Application Layer Protocol). Primarily, the HTTP(S) protocol (T1071.001), used by 85% of APT groups. In addition to HTTP(S), 25% of groups use the DNS protocol (T1071.004) for communication with the command server.

At the same time, 55% of APT groups use lower-level protocols in the OSI model than the application layer (Non-Application Layer Protocol). For example, the SmileSvr backdoor of the APT23 group communicates with the command server using the ICMP protocol. The MgBot backdoor of the Evasive Panda group interacts with the command server using UDP and TCP protocols. Some malware supports protocols at different levels. For instance, the Lancefly group's Merdoor backdoor can receive commands via HTTP, HTTPS, DNS, UDP, and TCP protocols.

Every second APT group uses non-standard ports (Non-Standard Port). For example, the backdoors of the SideWinder group established connections on ports 41236, 47896, 45632, 45689, 8087, 8090.

After establishing themselves in the compromised environment, attackers can download additional tools from outside (Ingress Tool Transfer). This occurs both through the communication channel with the command server and through alternative methods. For example, the APT41 group used Cobalt Strike to download additional files onto compromised devices. In the "Arsenal of APT groups" section, we'll discuss some other tools used by cybercriminals to load their files into the victim's infrastructure.

Exfiltration of stolen data

Most APT groups upload stolen data through the communication channel with the command server (Exfiltration Over C2 Channel) or via legitimate web services (Exfiltration Over Web Service). For example, the Dark Pink group used Telegram and Dropbox to transfer stolen data in their attacks on Southeast Asian countries at the end of 2022 (T1567.002). Later, in attacks on organizations in the Asia-Pacific region, including Vietnam, Thailand, and Indonesia, this same group transferred stolen data using webhook.site—a free platform for testing and debugging incoming HTTP requests and emails. The attackers used this service to generate temporary addresses and receive webhooks, through which they transmitted stolen confidential data (T1567.004). Transferring stolen information through the webhook mechanism allows attackers to disguise data exfiltration as legitimate traffic. The Earth Estries group uploaded stolen data to anonymous file-sharing services AnonFiles In 2023, the service was shut down due to cybercriminals abusing it as a platform for exfiltrating stolen data. and File.io using the Curl utility (T1567.003).

Every fifth group exfiltrates stolen information using alternative protocols (Exfiltration Over Alternative Protocol). Alternative protocols include any network protocols not used for communication with the command server. Attackers can encrypt data transmitted through alternative channels.

Cybercriminals can automate data exfiltration from a compromised infrastructure (Automated Exfiltration). For example, the SideWinder group's info-stealer can automatically send collected data to a special email address or another network resource controlled by the attackers.

Evasion techniques

APT groups have numerous techniques to bypass security mechanisms and hide malicious activities. Attackers try to make executable files difficult to detect and analyze by compressing, encoding, encrypting, and obfuscating the malicious code (Obfuscated Files or Information). This is the most common technique, used by 95% of APT groups. A significant portion of groups (45%) use specialized tools to obfuscate code and prevent analysis (T1027.002). Such tools include packers and protectors, as well as commercial software designed to protect against reverse engineering. Some groups, like Mustang Panda, Gelsemium, APT32, APT40, and APT41, add "garbage" code to their malware to complicate analysis by antivirus tools (T1027.001).

Almost all APT groups (90%) targeting Southeast Asia disguise their activities as legitimate operations, processes, files, and commands (Masquerading). Most groups (70%) use names for malware that are partially or fully identical to legitimate file names and place them in non-suspicious directories, like the System32 directory (T1036.005). More than half (55%) of the groups disguise malware as Windows system services (T1036.004). In one of its operations against military organizations in Southeast Asian countries, the Naikon group disguised malware as executable files from Google Chrome, Adobe, and VMware. For malicious services and scheduled tasks, the group used names resembling or completely copying legitimate service names; for example, they named a malicious service "taskmgr" to pass it off as Task Manager. In one of its large-scale cybercampaigns targeting Asian organizations, the SideWinder group disguised Trojans as the Windows Defender antivirus and hid tasks in the task scheduler under names like WindowSecurityPatch, CloudAPIManager, WindowsUpdate, WindowHost. At the initial penetration stage, the group used a decoy file named Wang_Yi_Statement_to_Defeat_COVID19.pdf.lnk in phishing emails. This is an LNK loader mimicking a PDF document. Thirty percent of APT groups targeting Southeast Asia use double extensions to disguise malicious files (T1036.007).

We previously mentioned that many APT groups use the Hijack Execution Flow technique to persist in the system. In addition, 85% of groups use this technique to bypass security tools and remain in the victim's infrastructure as long as possible. For example, the Earth Estries group used old versions of legitimate programs to implement the DLL Side-Loading sub-technique.

Most APT groups complicate the work of cybersecurity specialists by hiding or erasing traces of activity (Indicator Removal): they delete their files and programs (T1070.004), modify timestamps on malicious files (T1070.006), clear event logs (T1070.001), and erase command execution history (T1070.003). For example, the APT23 group has a custom tool for clearing event logs on a compromised computer. Cybercriminals may destroy any artifacts that provide evidence of their presence in the system; they delete malicious services and previously created accounts, and reverse registry changes (T1070.009).