{"description": "Enterprise techniques used by APT37, ATT&CK group G0067 (v2.0)", "name": "APT37 (G0067)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.(Citation: Securelist ScarCruft May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[APT37](https://attack.mitre.org/groups/G0067) uses HTTPS to conceal C2 communications.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1123", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used an audio capturing utility known as SOUNDWAVE that captures microphone input.(Citation: FireEye APT37 Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[APT37](https://attack.mitre.org/groups/G0067)'s has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used Ruby scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used the command-line interface.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[APT37](https://attack.mitre.org/groups/G0067) executes shellcode and a VBA script to decode Base64 strings.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used Python scripts to execute payloads.(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.(Citation: FireEye APT37 Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has collected data from victims' local systems.(Citation: FireEye APT37 Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1561", "showSubtechniques": true}, {"techniqueID": "T1561.002", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR).(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1189", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly.(Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Volexity InkySquid BLUELIGHT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1203", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used exploits for Flash Player (CVE-2016-4117, CVE-2018-4878), Word (CVE-2017-0199), Internet Explorer (CVE-2020-1380 and CVE-2020-26411), and Microsoft Edge (CVE-2021-26411) for execution.(Citation: Securelist ScarCruft Jun 2016)(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Volexity InkySquid BLUELIGHT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has downloaded second stage malware from compromised websites.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid BLUELIGHT August 2021)(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used Windows DDE for execution of commands and a malicious VBS.(Citation: Securelist ScarCruft Jun 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.001", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has signed its malware with an invalid digital certificates listed as \u201cTencent Technology (Shenzhen) Company Limited.\u201d(Citation: Securelist ScarCruft Jun 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[APT37](https://attack.mitre.org/groups/G0067) leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[APT37](https://attack.mitre.org/groups/G0067) obfuscates strings and payloads.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.003", "comment": "[APT37](https://attack.mitre.org/groups/G0067) uses steganography to send images to users that are embedded with shellcode.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices. (Citation: Securelist ScarCruft May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[APT37](https://attack.mitre.org/groups/G0067) delivers malware using spearphishing emails with malicious HWP attachments.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[APT37](https://attack.mitre.org/groups/G0067)'s Freenki malware lists running processes using the Microsoft Windows API.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[APT37](https://attack.mitre.org/groups/G0067) injects its malware variant, [ROKRAT](https://attack.mitre.org/software/S0240), into the cmd.exe process.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has created scheduled tasks to run malicious scripts on a compromised host.(Citation: Volexity InkySquid RokRAT August 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[APT37](https://attack.mitre.org/groups/G0067) collects the computer name, the BIOS model, and execution path.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[APT37](https://attack.mitre.org/groups/G0067) identifies the victim username.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1529", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has used malware that will issue the command shutdown /r /t 1 to reboot a system after wiping its MBR.(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[APT37](https://attack.mitre.org/groups/G0067) has sent spearphishing attachments attempting to get a user to open them.(Citation: FireEye APT37 Feb 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[APT37](https://attack.mitre.org/groups/G0067) leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.(Citation: FireEye APT37 Feb 2018)(Citation: Talos Group123)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by APT37", "color": "#66b1ff"}]}