menuPass
Also known as: Cicada · POTASSIUM · Stone Panda · APT10 · Red Apollo · CVNX · HOGFISH · BRONZE RIVERSIDE
Overview
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.
Targets
Government · Private sector
Regions
Australia · Brazil · Canada · Finland · France · India · Japan · Norway · South Africa · South Korea · Sweden · Switzerland · Thailand · United Kingdom · United States
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 13 attributed custom malware families
TTPs — 46 techniques across 10 tactics
Initial Access
- T1190 Exploit Public-Facing Application
- T1199 Trusted Relationship
- T1566.001 Spearphishing Attachment
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1106 Native API
- T1204.002 Malicious File
Stealth
- T1027.013 Encrypted/Encoded File
- T1036 Masquerading
- T1036.003 Rename Legitimate Utilities
- T1036.005 Match Legitimate Resource Name or Location
- T1055.012 Process Hollowing
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1218.004 InstallUtil
- T1574.001 DLL
Defense Impairment
- T1553.002 Code Signing
Credential Access
- T1003.002 Security Account Manager
- T1003.003 NTDS
- T1003.004 LSA Secrets
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1083 File and Directory Discovery
- T1087.002 Domain Account
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.004 SSH
- T1210 Exploitation of Remote Services
Collection
- T1005 Data from Local System
- T1039 Data from Network Shared Drive
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1074.002 Remote Data Staging
- T1119 Automated Collection
- T1560 Archive Collected Data
- T1560.001 Archive via Utility
Command and Control
- T1090.002 External Proxy
- T1105 Ingress Tool Transfer
- T1568.001 Fast Flux DNS
Tools & malware (25)
certutil · FYAnti · UPPERCUT · SNUGRIDE · P8RAT · RedLeaves · SodaMaster · pwdump · Mimikatz · PlugX · Net · PowerSploit · ChChes · cmd · QuasarRAT · AdFind · Cobalt Strike · PoisonIvy · EvilGrab · esentutl · Impacket · Ecipekac · Ping · PsExec · HUI Loader
Reporting (3)
- BRONZE STARLIGHT RANSOMWARE OPERATIONS USE HUI LOADER — Counter Threat Unit Research Team
- Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign — Symantec
- United States of America v. Zhu Hua and Zhang Shilong — United States District Court Southern District of New York (USDC SDNY)