{
	"id": "8b9f8026-2f96-402a-af64-ecfdeba4bef3",
	"created_at": "2026-04-06T00:10:15.062773Z",
	"updated_at": "2026-04-10T03:37:21.627561Z",
	"deleted_at": null,
	"sha1_hash": "f6cff6d784e3e436b59bb2eaa5e26feca32c3823",
	"title": "APT27 - One Year To Exfiltrate Them All: Intrusion In-Depth Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 106099,
	"plain_text": "APT27 - One Year To Exfiltrate Them All: Intrusion In-Depth\r\nAnalysis\r\nBy Intrinsec\r\nPublished: 2022-10-18 · Archived: 2026-04-05 14:33:29 UTC\r\n[et_pb_section fb_built=”1″ _builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”]\r\n[et_pb_row _builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column\r\ntype=”4_4″ _builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_text\r\n_builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”]\r\nContext\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_orientation=”justified”\r\nhover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″ text_font_size=”13px”]\r\nDuring 2022, a company discovered that one of their equipments was communicating with a known command and\r\ncontrol server. As a result, the company decided to contact CERT Intrinsec in order to get help to handle the\r\nsecurity breach and manage the crisis. CERT Intrinsec gathered information about malicious activities that were\r\ndiscovered on victim’s information system, and past incidents. Our in-depth analysis led us to conclude that an\r\nadvanced persistent threat dubbed APT27 (a.k.a LuckyMouse, EmissaryPanda) actually compromised the\r\ncompany’s internal network by exploiting a public facing application. Our analysis showed that the threat actor\r\nmanaged to compromise several different domains and to gain persistence on many equipments while trying to\r\nhide in plain sight. As investigations went on, we observed tactics, techniques and procedures that had already\r\nbeen documented in papers, but we discovered new ones as well. CERT Intrinsec wanted to share with the\r\ncommunity fresh and actionnable threat-intelligence related to APT27. That is why this report presents a timeline\r\nof actions taken by the attackers and the tactics, techniques and procedures seen during our incident response. 
It also provides a MITRE ATT\u0026CK diagram and several recommendations to follow if you come across such an incident, and to prevent it.\r\nCERT Intrinsec presentation\r\nhttps://www.intrinsec.com/apt27-analysis/\r\nPage 1 of 21\r\nCERT Intrinsec is a private French incident response team handling between 50 and 100 major incidents per year, helping its customers recover from cyber-attacks and strengthen their security. Since 2017, CERT Intrinsec has responded to hundreds of security breaches involving companies and public entities. The majority of those incidents are related to cybercriminality and ransomware attacks with financial objectives; hence, Intrinsec follows those groups' activities and generates comprehensive intelligence `from the field`. ANSSI (the French National Security Agency) granted CERT Intrinsec the PRIS (State-Certified Security Incident Response Service Provider) certification. The latter testifies that CERT Intrinsec meets specific incident response requirements, using dedicated procedures, qualified people and appropriate infrastructure. Should you need our expertise, Intrinsec provides Incident Response \u0026 Crisis services, Threat Intelligence services \u0026 data, Detection services (SOC/MDR/XDR), supported by a large set of other services (pentests \u0026 audits, consulting, …).\r\nAPT27 Presentation\r\nAPT27 (a.k.a. LuckyMouse, EmissaryPanda, Iron Tiger or Mustang Panda) is a suspected nation-state cyber threat actor linked to the PRC government. Since at least 2010, the group has been reported targeting numerous public organisations as well as private companies. Known APT27 sectors of interest are: defense contractors, aerospace, telecommunications, energy, manufacturing, technology, education and finally government data (embassies have been reported targeted). The group is also well known for exploiting internet-facing applications to gain access to victims' networks. Known targeted applications were MySQL, Microsoft SharePoint (CVE-2019-0604 RCE), Apache Zookeeper and, more recently, Microsoft Exchange servers. In addition, the group is also known to rely on the HyperBRO malware, a Remote Access Trojan (RAT). A description of its capabilities and a decryption tool are provided as part of this report.\r\nOperation's timeline\r\nIt is important to look at the timeline of malicious activities. The first activity discovered was the exploitation of a Microsoft Exchange server using the ProxyLogon vulnerability chain, and the domain discovery performed from this server. 
APT27's operators then compromised several domains in a few months, dumping credentials and gathering technical data about the victim's information system. Finally, they started exfiltrating data in archives using different means. Gigabytes of data were exfiltrated in 17 days. The attackers tried to hide their activities using many defense evasion techniques, which we present in this report.\r\nThe following timeline shows the different steps of the operation, especially regarding domain compromise and data exfiltration.\r\n[Image: MITRE Timeline (https://www.intrinsec.com/wp-content/uploads/2022/11/timeline_2.png)]\r\nThe following diagram summarizes APT27's modus operandi during the attack. 
It emphasizes the intrusion vector, data exfiltration, and command and control activities.\r\n[Image: Attack Path (https://www.intrinsec.com/wp-content/uploads/2022/10/attack_path_white_background.png)]\r\nAPT27 Techniques, Tactics and Procedures\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1190 | Exploit Public-Facing Application\r\nInitial compromise covers the actions adversaries perform to gain access to their target organisation. It can be achieved by sending spear-phishing emails or by exploiting vulnerable internet-facing applications in order to then move within the network. During CERT Intrinsec's investigation, we found that on March 4th, 2021, APT27 exploited the ProxyLogon vulnerability chain affecting Microsoft Exchange Server to gain initial access to the targeted organisation's network. As a reminder, the ProxyLogon advisory was initially published by Microsoft on March 2nd, 2021. The first known information related to those CVEs dates back to December 2020, when the DEVCORE team discovered both CVE-2021-26855 and CVE-2021-27065. 
The exploitation of these two vulnerabilities leads to remote code execution with SYSTEM permissions, allowing attackers to drop webshells, for instance.\r\nThe same initial intrusion date, also involving a successful ProxyShell exploitation as entry vector, was reported by HVS-Consulting for one of their customers in their incident response report related to APT27. Many other security vendors also reported active exploitation of Microsoft Exchange Server on that date. We can assume that the threat group was aware of the vulnerability before the Microsoft advisory (or quickly developed an exploit) and managed to perform a massive exploitation campaign before companies had a chance to apply security fixes.\r\nExecution\r\nTactic | Technique ID | Technique Name\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell\r\nExecution | T1047 | Windows Management Instrumentation\r\nAdversaries wrapped their commands in calls to the cmd.exe /Q /c command line. 
In addition, all results were stored in the ADMIN$ administrative share, in a file named __[UNIX_EPOCH_DATETIME]. This is likely Impacket's behaviour; hence, CERT Intrinsec assumes that the adversaries used that framework during their operation.\r\nC:\\Windows\\System32\\cmd.exe(cmd.exe /Q /c powershell Add-MpPreference -ExclusionPath C:\\Windows\\temp 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\nIn order to execute remote commands, threat actors also relied on valid credentials collected in previous stages and used the wmic tool to execute commands on remote hosts.\r\nAs an example, a command where attackers executed a script located in the recycle bin of a remote computer:\r\ncmd.exe /Q /c wmic /node:[IP] /user:[DOMAIN]\\[ACCOUNT] /password:[PASSWORD] process call create cmd /c d:\\$recycle.bin\\2.bat\r\nPersistence\r\nTactic | Technique ID | Technique Name\r\nPersistence | T1569.002 | Create or Modify System Process: Windows Service\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPersistence | T1112 | Modify Registry\r\nPersistence | T1078.002 | Valid Accounts: Domain Accounts\r\nThe typical next step after a successful initial intrusion is to ensure persistence within the target's network and to make sure the attackers will not be kicked out easily. It is commonly achieved by deploying webshells, Remote Access Trojans or remote administration tools such as AnyDesk / TeamViewer. The first payload found by CERT Intrinsec was the HyperBRO Remote Access Trojan. HyperBRO is a closed-source application typical of the APT27 threat group's activities. HyperBRO is a fully featured Remote Access Trojan (RAT) and is used by APT27 operators to (non-exhaustive list):\r\nBypass UAC\r\nExecute local \u0026 remote commands\r\nSteal data\r\nKeylogging\r\nCapture keyboard\r\nEdit registry\r\nManage files, processes, services\r\nHyperBRO Malware description\r\nHyperBro is a custom in-memory RAT backdoor used by APT27 and associated groups (Emissary Panda, Iron Tiger, LuckyMouse…). Once HyperBro has infected a host, APT27 uses it to execute remote commands from its C2 server. HyperBro also includes features for taking screenshots, stealing clipboard content, modifying Windows services, editing the registry, and manipulating files (downloading and uploading, deleting, 
renaming).\r\nDeployment\r\nFirst, a legitimate program (linked to CyberArk software) (vfhost.exe / msmpeng.exe) with a DLL side-loading vulnerability is used to load vftrace.dll (initial loader / Stage 1). The loader then decrypts the thumb.dat file (Stage 2), “encrypted” with a 1-byte key algorithm, decompresses it and finally extracts the actual HyperBro backdoor (Stage 3), which is compressed with the LZNT1 algorithm. The loader then uses the process hollowing technique to inject the HyperBro backdoor (Stage 3). The HyperBro backdoor configuration is embedded into its own PE. At its first execution, the configuration is copied into the config.ini file and into the config_ registry key.\r\n[Image: hyperbro workflow (https://www.intrinsec.com/wp-content/uploads/2022/10/hyperbro_workflow.png)]\r\nKnown Paths\r\n%ProgramData%\\windefenders\\\r\n%ProgramData%\\windefenders\\config.ini\r\n%ProgramData%\\windefenders\\msmpeng.exe\r\n%ProgramData%\\windefenders\\thumb.dat\r\n%ProgramData%\\windefenders\\vftrace.dll\r\n%ProgramFiles%\\Common Files\\windefenders\\\r\n%ProgramFiles%\\Common Files\\windefenders\\config.ini\r\n%ProgramFiles%\\Common Files\\windefenders\\msmpeng.exe\r\n%ProgramFiles%\\Common Files\\windefenders\\thumb.dat\r\n%ProgramFiles%\\Common Files\\windefenders\\vftrace.dll\r\nSOFTWARE\\WOW6432Node\\Microsoft\\config_\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\windefenders\r\nSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\windefenders\r\nHyperBRO Extractor\r\nCERT Intrinsec made a tool to extract the HyperBro configuration from Stage 2 samples. This program is based on the work done on the HyperBroExtractor project by HVS-Consulting.\r\nDescription\r\nThis tool is able to decrypt Stage 2 (thumb.dat), decompress and extract the actual HyperBro PE file (Stage 3), and parse the configuration it embeds. HyperExtractor will try to automatically bruteforce the 1-byte key and decrypt Stage 2, then it will decompress the LZNT1-compressed Stage 3 and extract the configuration. To work with as many samples as possible, this program uses pattern scanning to find configurations. In some cases the extraction of the configuration may fail, but you can try to search for UTF-16 strings. NB: We have recently noticed that some new samples have some of their configuration fields encrypted or obfuscated, and this tool will not be able to extract all of the configuration.\r\nUsage\r\n-i input file (Stage 2, e.g. thumb.dat)\r\n-o output file (extracted PE)\r\n.\\hyperbro_extractor.exe -i .\\samples\\thumb_dat.bin -o thumb_dat_extracted_pe.bin\r\nOutput Example\r\n /!\\ — HyperBro config extractor — /!\\\r\n [+] ==\u003e The decryption Key is: 0xfc\r\n /!\\ — Successfully exported PE to : thumb_dat_extracted_pe.bin — /!\\\r\n [-] HyperBro Configuration registry key: config\r\n [-] Legit loader: vfhost.exe\r\n [-] First stage: VFTRACE.DLL\r\n [-] Second stage: thumb.dat\r\n [-] Windows service name: vfhost\r\n [-] C2 address: 80.92.206[.]158\r\n [-] C2 Path: /api/v2/ajax\r\n [-] Verb: POST\r\n [-] Named Pipe: \\\\.\\pipe\\testpipe\r\n [-] Mutex: 80A85553-1E05-4323-B4F9-43A4396A4507\r\nDiscovery \u0026 Lateral Movement\r\nTactic | Technique ID | Technique Name\r\nDiscovery | T1087.002 | Account Discovery: Domain Account\r\nDiscovery | T1087.003 | Account Discovery: Email Account\r\nDiscovery | T1087.001 | Account Discovery: Local Account\r\nDiscovery | T1482 | Domain Trust Discovery\r\nDiscovery | T1083 | File and Service Discovery\r\nDiscovery | T1146 | Network Service Discovery\r\nDiscovery | T1135 | Network Share Discovery\r\nDiscovery | T1018 | Remote System Discovery\r\nDiscovery | T1082 | System Information Discovery\r\nDiscovery | T1057 | Process Discovery\r\nLateral Movement | T1570 | Lateral Tool Transfer\r\nLateral Movement | T1021.006 | Remote Services: SMB Windows Admin Shares\r\nLateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol\r\nOnce access was gained on the Microsoft Exchange server, the adversaries performed an initial reconnaissance of the network and domain characteristics, such as host, account and policy enumeration. This operation was performed by executing a script that lists all domains in the selected forest, the related domain controllers, computer names and versions, and finally the list of domain users, and saves it into a file named owa_font_[2-letters].css in the directory C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\. Below is an example of the data saved into the owa_font_[2-letters].css file:\r\nMicrosoft (R) Windows Script Host Version 5.812\r\nCopyright (C) Microsoft Corporation. 
Tous droits réservés.\r\nAll Domains in the forest:\r\n   Domain_NAME\r\n********************************************************\r\n*                   Domain Controller                  *\r\n********************************************************\r\nCN=[REDACTED]-DC1                   DOMAIN\r\nCN=[REDACTED]-DC1                   DOMAIN\r\n********************************************************\r\n            Domain_NAME\r\n********************************************************\r\nHostname        DNSHostName        OperatingSystem        Description\r\nHOST_A          DNS_NAME           Windows Server         [REDACTED]\r\n….\r\n   Domain Policy: Password will Expired in 90 Days\r\n********************************************************\r\n           Domain Admins \u0026 Enterprise Admins\r\n********************************************************\r\n********************************************************\r\n                       All Users\r\n********************************************************\r\nkrbtgt\r\n   Display Name:\r\n   Password Last Set: [REDACTED]\r\n   Password Expired: [REDACTED]\r\n   Active: No\r\n   Last Logon:\r\n   Description: Compte de service du centre de distribution de clés\r\n   Member Of:\r\n   CN=Groupe de réplication dont le mot de passe RODC est refusé [REDACTED]\r\nAdversaries also managed to extract all email addresses and associated users from the Exchange server.\r\npowershell -exec bypass -command Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-Mailbox | format-table Name,WindowsEmailAddress\r\nIn order to perform internal reconnaissance, adversaries also relied on Windows built-in commands:\r\nipconfig /all\r\nnet session\r\nnet share\r\nnet use\r\nnet use \\\\[IP]\\ipc$ /d /y\r\nnet use \\\\[IP]\\ipc$\r\nnet use \\\\[IP] /user:[DOMAIN]\\[ACCOUNT] [PASSWORD]\r\nnet user\r\nnet user [ACCOUNT] /domain\r\nnet user [ACCOUNT]\r\nnet view /all\r\nnet view /domain\r\nnet view /domain:[DOMAIN]\r\nnet view\r\nnltest /domain_trusts\r\nnslookup -type=srv _ldap._tcp\r\nnslookup [IP]\r\nping -n 1 [IP]\r\nquery user\r\nwhoami\r\ntasklist /svc\r\nIn addition, they used the Sysinternals tool PsLoggedon.exe to identify where specific users were logged in. They also used the Remote Desktop Protocol to connect to computers within the targeted organisation's network, and admin shares to move laterally. The targeted organization was managing numerous domains. APT27 operators compromised them successively. A few months separated the compromise of the first domain from that of the second one. 
However, the adversaries then accelerated their operation and managed to gain access to the remaining domains within a few weeks.\r\nCredential Access\r\nTactic | Technique ID | Technique Name\r\nCredential Access | T1003.001 | OS Credential Dumping: LSASS Memory\r\nCredential Access | T1003.003 | OS Credential Dumping: NTDS\r\nAdversaries managed to elevate their privileges to the domain administrator level within the victim's network and systematically compromised domain controllers with the HyperBro malware. In order to steal authentication material on compromised hosts, the adversaries relied on the mimikatz tool. However, they tried to stay stealthy and used the Sysinternals procdump tool, renamed to error.log to bypass Windows Defender detection, to dump the lsass process memory:\r\nC:\\Windows\\Temp\\error.log -accepteula -ma lsass.exe c:\\windows\\temp\\error.dmp\r\nThreat actors also used the Sysinternals PsLoggedon tool to search for specific account usage. 
We especially saw that the threat actors were interested in the usage of backup-related accounts.\r\ncmd.exe /Q /c PsLoggedon.exe -accepteula [VEEAM_ACCOUNT] 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261\r\nOnce access was gained on domain controllers, the adversaries managed to extract and exfiltrate the NTDS.DIT database.\r\nntdsutil ac i ntds ifm create full c:\\\\windows\\\\temp\\\\winstore\\\\ quit quit\r\nOperators then created an archive named error.rar containing the NTDS database prior to exfiltrating it.\r\ncmd.exe /Q /c rar.exe a -r -y -[PASSWORD] -df c:\\windows\\temp\\error.rar c:\\windows\\temp\\winstore\\ 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261\r\nDefense Evasion\r\nTactic | Technique ID | Technique Name\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side Loading\r\nDefense Evasion | T1070.004 | Indicator Removal on Host: File Deletion\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools\r\nDefense Evasion | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control (UAC bypass using CMSTPLUA COM interface)\r\nTo prevent detection by the Microsoft Windows Defender antivirus, APT27 operators modified the system's settings to add an exclusion path to Defender's configuration and removed it once their operations were done. The commands below allowed the attackers to add and remove the C:\\windows\\temp directory in the Windows Defender excluded folders in order to hide in plain sight:\r\nC:\\Windows\\System32\\cmd.exe(cmd.exe /Q /c powershell Get-MpPreference -ExclusionPath C:\\Windows\\temp 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\nC:\\Windows\\System32\\cmd.exe(cmd.exe /Q /c powershell Add-MpPreference -ExclusionPath C:\\Windows\\temp 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\nC:\\Windows\\System32\\cmd.exe(cmd.exe /Q /c powershell Remove-MpPreference -ExclusionPath C:\\Windows\\temp 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\nIn order to slow down investigations, the attackers deleted their tools as well as the archives built during the exfiltration phase. They used the following command to do so:\r\ncmd.exe /Q /c del rar.exe error.log error1.rar error.dmp 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261\r\nCommand and Control\r\nTactic | Technique ID | Technique Name\r\nCommand and Control | T1090.001 | Proxy: Internal Proxy\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols\r\nAPT27 operators mainly used the HyperBro C2 feature to send commands to infected hosts, using POST requests to /api/v2/ajax and the user-agent Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36. CERT Intrinsec also discovered a second application used to expose the targeted organisation's internal network to the adversaries. The application is a reverse SOCKS proxy written in Go called Chisel. It transports TCP/UDP traffic over SSH, which is encapsulated into HTTP. APT27 operators executed Chisel using wmic and renamed it veeamGues.exe to hide it in plain sight. The following command runs a server listening on port 9080, allowing clients to access the SOCKS5 proxy.\r\ncmd.exe /Q /c wmic /node:127.0.0.1 process call create cmd /c c:\\Windows\\Temp\\veeamGues.exe server -p 9080 --socks5 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\nData Collection\r\nTactic | Technique ID | Technique Name\r\nCollection | T1560.001 | Archive Collected Data: Archive via Utility\r\nCollection | T1114.001 | Email Collection: Local Email Collection\r\nCollection | T1074.001 | Data Staged: Local Data Staging\r\nCollection | T1074.002 | Data Staged: Remote Data Staging\r\nCollection | T1005 | Data from Local System\r\nCollection | T1038 | Data from Network Shared Drive\r\nOnce APT27 operators had stolen credentials, they started the collection process by checking size and 
usage of\r\ndirectories. To do so, they used diruse command, as illustrated below.\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_font=”Courier Prime||||||||”\r\ntext_text_color=”#FFFFFF” background_color=”#000000″ hover_enabled=”0″ global_colors_info=”{}”\r\ntext_font_size=”14px” sticky_enabled=”0″]\r\ncmd.exe /Q /c wmic /node:127.0.0.1 process call create cmd /c D:\\$RECYCLE.BIN\\diruse.exe /m /* D:\\data \u003e\u003e\r\nD:\\$RECYCLE.BIN\\temD.txt 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” hover_enabled=”0″\r\nglobal_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nOperators then browsed directories in order to find personal information and data related to research and\r\ndevelopment, leveraging dir command and wmic to look for files on network shares.\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_font=”Courier Prime||||||||”\r\ntext_text_color=”#FFFFFF” background_color=”#000000″ hover_enabled=”0″ global_colors_info=”{}”\r\ntext_font_size=”14px” sticky_enabled=”0″]\r\ncmd.exe /Q /c wmic /node:[IP_ADDRESS] /user:[DOMAIN]\\[USERNAME] /password:[PASSWORD] process\r\ncall create cmd /c dir [DIRECTORY] \u003e d:\\$recycle.bin\\1.txt 1\u003e\r\n\\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261\r\nhttps://www.intrinsec.com/apt27-analysis/\r\nPage 17 of 21\n\ncmd.exe /Q /c dir \\\\[IP_ADDRESS]\\Z$\\[DIRECTORY] 1\u003e\r\n\\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_orientation=”justified”\r\nhover_enabled=”0″ global_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nOnce they found relevant data, they created password-protected archives using -t to test files after archiving, -inul\r\nto disable all messages, -hp to provide a password and -v to adjust 
size.\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_font=”Courier Prime||||||||”\r\ntext_text_color=”#FFFFFF” background_color=”#000000″ hover_enabled=”0″ global_colors_info=”{}”\r\ntext_font_size=”14px” sticky_enabled=”0″]\r\nwmic /node:[IP_ADDRESS] /user:[USER_ACCOUNT] /password:[PASSWORD] process call create “cmd /c\r\nc:\\temp\\rar.exe a c:\\temp\\temp.rar c:\\temp\\temp.dat -r -t -inul -hp[PASSWORD] -v[SIZE]\r\ncmd.exe /Q /c del rar.exe c:\\windows\\temp\\rar.exe a -r -y -inul -[PASSWORD] g:\\$recycle.bin\\error.rar [DRIVE]:\\\r\n[FOLDER]\\*.ppt* 1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261\r\nrar.exe a -r -y -hp[PASSWORD] -df error1.rar error.dmp error.log\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_orientation=”justified”\r\nhover_enabled=”0″ global_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nBesides, APT27 operators collected data about mailboxes on the Exchange server, using Get-Mailbox powershell\r\ncommand, as shown below :\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_font=”Courier Prime||||||||”\r\ntext_text_color=”#FFFFFF” background_color=”#000000″ hover_enabled=”0″ global_colors_info=”{}”\r\ntext_font_size=”14px” sticky_enabled=”0″]\r\ncmd.exe /Q /c powershell -c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;Get-Mailbox\r\n1\u003e \\\\127.0.0.1\\ADMIN$\\__[UNIX_EPOCH_DATETIME] 2\u003e\u00261)\r\n[/et_pb_text][et_pb_text _builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”]\r\nExfiltration\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” hover_enabled=”0″\r\nglobal_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nTactic ID Technique ID Technique Name\r\nExfiltration T1071.001 Application Layer Protocol: Web Protocols\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” 
text_orientation=”justified”\r\nhover_enabled=”0″ global_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nhttps://www.intrinsec.com/apt27-analysis/\r\nPage 18 of 21\n\nAttackers used different methods to exfiltrate data.\r\nFirst, archives containing stolen data were moved to the Exchange server,  in the Exchange folder C:\\Program\r\nFiles\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\, an easy way to\r\nexfiltrate data as this server had direct access to the Internet. These RAR archives  were renamed with a .png file\r\nextension to hide in plain sight and try to avoid detection. Attackers then deleted them. By investigating files and\r\nExchange server, CERT Intrinsec managed to carve some archives from disk images and retrieve passwords used\r\nto create the latter. It was then possible to know which data were exfiltrated by attackers.\r\nYou can see below archives’ names created by the attackers prior to exfiltrating.\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” background_color=”#D6D6D6″\r\nhover_enabled=”0″ global_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\n.\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\error1.png\r\n.\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\error2.png\r\n.\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\error3.png\r\n[…]\r\n.\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\error.part025.rar\r\n.\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\error.part026.rar\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” hover_enabled=”0″\r\nglobal_colors_info=”{}” text_font_size=”13px” 
sticky_enabled=”0″]\r\nAttackers used HyperBro command and control server as well to exfiltrate WinRAR archives.\r\nMost of the exfiltration was carried out in 26 days and involve gigabytes of data, from 4 different domains.\r\n[/et_pb_text][et_pb_text _builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”]\r\nAPT27 Intrusion Set\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_orientation=”justified”\r\nhover_enabled=”0″ global_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nThe following diagram sums up APT27 techniques, tactics and procedures.\r\nhttps://www.intrinsec.com/apt27-analysis/\r\nPage 19 of 21\n\n[/et_pb_text][et_pb_image src=\"https://www.intrinsec.com/wp-content/uploads/2022/10/apt27_intrusion_set_en.drawio-601×1024.png\" alt=\"APT27 Intrusion Set\"\r\ntitle_text=\"APT27 Intrusion Set\" align=\"center\" _builder_version=\"4.18.0\" _module_preset=\"default\"\r\nglobal_colors_info=\"{}\"][/et_pb_image][et_pb_text _builder_version=\"4.18.0\" _module_preset=\"default\"\r\nglobal_colors_info=\"{}\"]\r\nLessons Learned\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” text_orientation=”justified”\r\nhover_enabled=”0″ global_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nTo prevent those types of attacks, CERT Intrinsec recommends monitoring network and endpoints activities.\r\nIndeed, supervising network equipments allows to track down malicious activities performed by advanced\r\npersistent threat, including command and control communications and exfiltration. 
Depending on your situations :\r\nXDR / MDR approaches combined with SOC and proper threat intelligence.\r\nEnsuring a proper log retention and storage is a good way to improve detection of malicious behaviour.\r\nHandling network, Active Directory hardening especially regarding trusts, and least privilege principle is very\r\nimportant to slow down attackers in the event of an intrusion.\r\nWhen compromising servers, particularly domain controllers, operators are used to execute commands to collect\r\ncredentials or to dump NTDS database. Very useful information sources are available on systems and need to be\r\nmonitored to spot attackers’ actions. These sources are Sysmon, that allows to log various events helping\r\ndetection, and Microsoft Protection Logs where many evidences were found during the investigation. CERT\r\nIntrinsec published an article about this artefact and a parser to extract useful informations from it. You can read\r\nthis article here.\r\nAs explained previously, adversaries can take advantage of a vulnerable exposed server to enter the corporate’s\r\nnetwork. That shows the importance of keeping public-facing equipments up-to-date and managing\r\nvulnerabilities (support at least by an external asset security monitoring approach to ensure a second line of\r\ndefense in complexe / fast evolving environment).\r\n[/et_pb_text][et_pb_text _builder_version=”4.18.0″ _module_preset=”default” global_colors_info=”{}”]\r\nExternal Resources\r\n[/et_pb_text][et_pb_text _builder_version=”4.20.4″ _module_preset=”default” hover_enabled=”0″\r\nglobal_colors_info=”{}” text_font_size=”13px” sticky_enabled=”0″]\r\nHFS-Consulting AG Incident Response Report\r\nBfV Cyber-Brief Nr. 01/2022\r\nPalo Alto Networks\r\nTrendMicro \r\n[/et_pb_text][/et_pb_column][/et_pb_row][/et_pb_section]\r\nhttps://www.intrinsec.com/apt27-analysis/\r\nPage 20 of 21\n\nSource: https://www.intrinsec.com/apt27-analysis/\r\nhttps://www.intrinsec.com/apt27-analysis/\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intrinsec.com/apt27-analysis/"
	],
	"report_names": [
		"apt27-analysis"
	],
	"threat_actors": [
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-10T02:00:02.917311Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"BRONZE UNION",
				"Circle Typhoon",
				"Linen Typhoon",
				"TEMP.Hippo",
				"Budworm",
				"Lucky Mouse",
				"G0027",
				"GreedyTaotie",
				"Red Phoenix",
				"Iron Tiger",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"EMISSARY PANDA",
				"Group 35",
				"ZipToken"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-10T02:00:03.64323Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-10T02:00:04.675765Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236429ce-6355-43f6-9b58-e6803a1df3f4",
			"created_at": "2026-03-16T02:02:50.60344Z",
			"updated_at": "2026-04-10T02:00:03.641587Z",
			"deleted_at": null,
			"main_name": "Bronze Union",
			"aliases": [
				"Circle Typhoon ",
				"Emissary Panda "
			],
			"source_name": "Secureworks:Bronze Union",
			"tools": [
				"China Chopper",
				"OwaAuth",
				"Sysupdate"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775792241,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f6cff6d784e3e436b59bb2eaa5e26feca32c3823.pdf",
		"text": "https://archive.orkl.eu/f6cff6d784e3e436b59bb2eaa5e26feca32c3823.txt",
		"img": "https://archive.orkl.eu/f6cff6d784e3e436b59bb2eaa5e26feca32c3823.jpg"
	}
}