ATT&CK Group ID: G0045
Associated Groups: Stone Panda, APT10, Red Apollo, CVNX, HOGFISH, BRONZE RIVERSIDE
Objectives: menuPass is thought to be motivated by collection objectives that align with Chinese national interests.[4][6][12][14][17] Their operational objective over time and across a diverse target set appears to be intellectual property theft.[4][6][12] A 2018 indictment issued by the United States Department of Justice suggests at least a portion of the activity attributed to menuPass was carried out by two employees of Huaying Haitai Science and Technology Development Company.[6] These individuals are believed to have been working at the behest of the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau.[6][14][17] menuPass is reported to have been active since at least 2009 but may have been operating as early as 2006.[6]
Target Industries: The indicted menuPass actors were charged with one count each of conspiracy to commit computer intrusions.[6] The indictment discloses two campaigns attributed to these actors. The first campaign is reported to have begun in 2006 and is thought to have been motivated by technology theft.[6] These efforts were directed against NASA's Jet Propulsion Laboratory (JPL) and organizations in the aviation, space, communications, manufacturing, maritime, and oil and gas sectors.[6]
The second campaign is thought to have begun in 2014 and initially targeted Managed Service Providers (MSPs).[6] The group targeted MSPs in order to pivot into MSP customer networks.[6] This campaign resulted in the compromise of organizations in banking and finance, telecommunications, medical equipment, manufacturing, consulting, healthcare, biotechnology, automotive, oil, gas exploration, and mining.[6]
In addition to the two campaigns listed in the 2018 indictment, menuPass actors are reported to have targeted public and private sector entities in at least 12 other countries.[1][4][5][6][8][9][10][11][12][13] Aside from targeting organizations based in the United States, the group is perhaps best known for its extensive and sustained efforts against Japanese institutions. menuPass actors are reported to have targeted public and private interests alike, including public policy organizations, educational institutions, media, and technology firms.[16]
Researchers have suggested menuPass targeting may broadly align with China's strategic objectives as stated in the Five-Year Plan (FYP) / Made in China 2025 Plan.[4] menuPass is thought to have pursued these objectives over disparate but concurrent campaigns.[4][6][12] From 2016 to 2018, menuPass actors are thought to have been engaged in operations directed against various MSPs, Japanese institutions, manufacturing companies in India and Europe, a mining company in South America, a U.S.-based law firm, an international apparel company, and several other targets in Europe, the Middle East, and Africa.[1][4][5][6][8][9][10][11][12][13]
Operations: menuPass actors are reported to have pursued initial access by spearphishing to achieve user execution (T1204.002).[1][6][8][9][11][15][16][20][21] menuPass spearphishing attempts generally assume a pretext that would be of interest to the intended target and are reported to have featured password-protected Microsoft Word documents embedded with VBA macros (T1566.001), an executable attachment that exploits a vulnerability (T1566.001), or a link that points to a payload server (T1566.002).[16] Once inside the target organization, menuPass actors have used a variety of open-source, modified open-source, and custom tools to perform discovery, escalate privileges, access credentials, move laterally, and exfiltrate data.
"Operation Cloud Hopper" was a long-term, persistent effort to compromise MSPs with the intent of abusing trust relationships in order to pivot into customer networks (T1199).[4][5][6][7][10][12] menuPass actors are thought to have achieved initial access to MSP networks by spearphishing. From the MSP networks, menuPass actors are reported to have used legitimate but compromised local accounts (T1078.003) coupled with legitimate remote access applications (T1133) to access customer environments.[4][5][6][7][10][12] From this initial point of presence, menuPass actors are reported to have used administrative tools native to the Windows environment to download an operational toolkit from an attacker-controlled server. This toolkit enabled the pursuit of tactical objectives with the operational intent of exfiltrating intellectual property. This activity will serve as the basis for Scenario 1.
menuPass is also reported to have engaged in phishing campaigns, the most prolific of which were directed against Japanese institutions. Successful compromise resulted in the deployment of menuPass malware to the victim network and the establishment of command and control. menuPass malware has been categorized by the manner in which it was employed by menuPass actors and not necessarily by the malware's inherent functionality. PwC categorized menuPass malware as tactical or sustained.[7] Tactical malware is usually deployed during delivery, or upon initial access, and is intended to perform lightweight tasks, such as discovery and execution.[7] Sustained malware is often modular and has an enhanced set of features.[7] Sustained malware is deployed to specific systems to facilitate a long-term point of presence.[7] menuPass is reported to have leveraged the access facilitated by its malware to pursue operational objectives. This activity will serve as the basis for Scenario 2.
Name | Associated Names | Availability | Emulation Notes |
---|---|---|---|
ChChes (S0144) | HAYMAKER, Scorpian | Custom | Has been injected using PowerSploit[29] |
EvilGrab (S0152) | Vidgrab, Grabber | Custom | Used to "grab" audio, video, and screenshots. Also capable of lightweight reconnaissance tasks[7] |
Koadic (S0250) | | Publicly available | Delivered via phishing and used to download and execute ANEL[16] |
RedLeaves (S0153) | BUGJUICE, Trochilus | Custom | Operates like publicly available Trochilus[11] |
SNUGRIDE (S0159) | | Custom | Capable of lightweight tasks and persistence. Communicates over HTTP requests[5] |
UPPERCUT (S0275) | ANEL | Custom | Often deployed via phishing[9] |
Name | Associated Names | Availability | Emulation Notes |
---|---|---|---|
Poison Ivy (S0012) | Darkmoon | Custom | menuPass is reported to have deployed Poison Ivy as early as 2009 and as recently as 2014[7] |
PlugX (S0013) | SOGU | Custom | Typically deployed as a self-extracting archive[7] |
QuasarRAT (S0262) | CinaRAT, Yggdrasil | Publicly available | A publicly available RAT typically deployed with a custom .NET loader[7] |
menuPass actors have demonstrated a responsiveness to public reporting and an adaptability born of operational necessity.[4] The group has also displayed an aptitude for defense evasion, using techniques like DLL load order hijacking (T1574.001) and DLL side-loading (T1574.002) to achieve execution and bypass application whitelisting.[4][5][7][10][11][16][18][19] When possible, menuPass actors have kept their malware in memory, used code-signing certificates (T1553.002), masqueraded files dropped to disk (T1036.005), and used encryption to evade host-based (T1027.002) and network-based defenses.
menuPass actors have persisted sustained malware by modifying the registry (T1547.001), scheduling tasks (T1053.005), and creating Windows services (T1543.003).[4][5][7][8] The group is reported to have used legitimate but compromised credentials from MSP environments to impersonate elevated users in customer networks (T1078.003) and to harvest additional credentials (T1003.001, T1003.002, T1003.003) using open-source tools like Mimikatz and Secretsdump. This credential access enables a persistent presence within the environment, as menuPass actors are reported to have used the compromised credentials (T1078.002, T1078.003), coupled with legitimate remote access tools like TeamViewer, to access target environments at will.[12] Additionally, menuPass has deployed versions of the China Chopper web shell to internet-accessible web servers to facilitate persistent access (T1505.003).
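The three persistence mechanisms named above each leave a distinct Windows event, and the staging directories from the tool table on this page give a way to rank what those events show. The following Python is an added example for this page, not code from the MITRE plan; the event records are constructed, their field names are chosen for the example rather than taken from a real SIEM schema, and the event IDs (Sysmon 13, Security 4698, System 7045) are the standard Windows ones for registry value set, scheduled task created, and service installed.

```python
"""Triage Windows persistence events against the three mechanisms attributed
to menuPass on this page: Run keys (T1547.001), scheduled tasks (T1053.005)
and services (T1543.003).

Added example for this page; not code from the MITRE plan. Records are
constructed and use field names chosen for the example, not a real SIEM schema."""
import re

# Autostart registry paths (case-insensitive).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\(run|runonce)\\", re.I)

# Directories the tool table on this page reports menuPass staging tools in.
STAGING_DIRS = (r"c:\programdata\temp", r"c:\programdata\media",
                r"c:\recovery", r"c:\intel", r"c:\perlogs")


def in_staging_dir(command_line):
    """True when the command references one of the reported staging paths."""
    c = command_line.lower()
    return any(d in c for d in STAGING_DIRS)


def classify_event(ev):
    """Map one record to (technique_id, command) or None if not a persistence event."""
    src, eid = ev["source"], ev["event_id"]
    if src == "Sysmon" and eid == 13 and RUN_KEY_RE.search(ev["target_object"]):
        return "T1547.001", ev["details"]        # value written under Run/RunOnce
    if src == "Security" and eid == 4698:
        return "T1053.005", ev["command"]        # scheduled task created
    if src == "System" and eid == 7045:
        return "T1543.003", ev["image_path"]     # new service installed
    return None


def triage(events):
    """Return persistence findings; priority is 'high' when the executable lives
    in a reported staging directory, 'low' otherwise."""
    findings = []
    for ev in events:
        hit = classify_event(ev)
        if hit is None:
            continue
        technique, command = hit
        findings.append({"technique": technique, "command": command,
                         "priority": "high" if in_staging_dir(command) else "low"})
    return findings


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\media",
     "details": r"C:\ProgramData\media\svchost.exe"},
    {"source": "Security", "event_id": 4698, "task_name": r"\Microsoft\Windows\Update\Check",
     "command": r"C:\ProgramData\temp\r.exe"},
    {"source": "System", "event_id": 7045, "service_name": "NetHelper",
     "image_path": r"cmd.exe /c cscript.exe C:\Recovery\t.vbs"},
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"source": "System", "event_id": 7045, "service_name": "Wlansvc",
     "image_path": r"C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted"},
    {"source": "Sysmon", "event_id": 13,
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop",
     "details": r"C:\Users\alice\Desktop"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['priority']:>4}  {f['technique']}  {f['command']}")
```

Run keys, tasks and services are created constantly by legitimate software, so the technique mapping by itself produces noise; the ranking by executable location is what separates the three menuPass-style entries from the two benign ones in the sample.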
Once in the target environment, menuPass actors perform discovery to identify opportunities while attempting to blend in, so as to minimize operational risk. The group has used tools indicative of routine administrative functions to move laterally. Systems of interest were accessed over RDP (T1021.001), by mounting network shares (T1570, T1021.002), or by using PsExec (S0029) (T1021.002, T1569.002). menuPass is reputed to have exfiltrated large volumes of data from its victims. After achieving enabling objectives, the group moved laterally to systems of interest in search of sensitive information. This data was staged (T1074.001) in multi-part archives (T1560.001) in the Recycle Bin for exfiltration. These archives were exfiltrated from the target environment using tools like the PuTTY Secure Copy client (PSCP) and Robocopy.
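The RDP and SMB lateral movement described above, and the detect.vbs/Tcping probing of ports 445 and 3389 listed in the tool table below, both show up in network-connection telemetry as one process reaching many internal hosts on the same two ports in a short burst. The Python below is an added example for this page, not code from the MITRE plan; the connection records are constructed in the shape of Sysmon Event ID 3 fields, and the 60-second window and five-host threshold are tuning assumptions.

```python
"""Flag a host/process pair that touches many internal hosts on SMB (445) or
RDP (3389) within a short window, the pattern left by detect.vbs/Tcping
probing and by the RDP/SMB lateral movement described on this page.

Added example for this page, not code from the MITRE plan. Events are
constructed in the shape of Sysmon Event ID 3 (network connection) records;
the window and threshold are tuning assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {445, 3389}
WINDOW = timedelta(seconds=60)   # assumption: probing is bursty
THRESHOLD = 5                    # assumption: distinct hosts in one window


def find_probing(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (src_host, image) that reached >= threshold distinct
    destination IPs on lateral-movement ports inside any `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["dst_port"] in LATERAL_PORTS:
            key = (ev["src_host"], ev["image"])
            by_actor[key].append((datetime.fromisoformat(ev["ts"]), ev["dst_ip"]))

    alerts = []
    for (src_host, image), conns in by_actor.items():
        conns.sort()
        best = 0
        start = 0
        for end in range(len(conns)):            # sliding window over time
            while conns[end][0] - conns[start][0] > window:
                start += 1
            best = max(best, len({ip for _, ip in conns[start:end + 1]}))
        if best >= threshold:
            alerts.append({"src_host": src_host, "image": image, "distinct_hosts": best})
    return alerts


def _conn(ts, src_host, image, dst_ip, dst_port):
    return {"ts": ts, "src_host": src_host, "image": image,
            "dst_ip": dst_ip, "dst_port": dst_port}


# Constructed sample: WS01 runs the renamed Tcping (Rund1132.exe from the tool
# table) and sweeps eight hosts on 445, then three of them on 3389, within
# 50 seconds; WS02 is ordinary SMB traffic from Explorer to one file server.
PROBE_IMAGE = r"C:\ProgramData\media\Rund1132.exe"
SAMPLE_EVENTS = (
    [_conn(f"2018-12-20T10:00:{5 * i:02d}", "WS01", PROBE_IMAGE, f"10.0.0.{10 + i}", 445)
     for i in range(8)]
    + [_conn(f"2018-12-20T10:00:{40 + 5 * i:02d}", "WS01", PROBE_IMAGE, f"10.0.0.{10 + i}", 3389)
       for i in range(3)]
    + [_conn(f"2018-12-20T10:{m:02d}:00", "WS02", r"C:\Windows\explorer.exe", "10.0.0.5", 445)
       for m in range(10)]
)

if __name__ == "__main__":
    for alert in find_probing(SAMPLE_EVENTS):
        print(alert)
```

Counting distinct destinations rather than raw connections is what keeps WS02 quiet: ten connections to a single file server are routine, while eleven connections spread over eight hosts are not. Administrative scanners and backup agents will trip the same rule and need to be allow-listed by image path.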
Name | menuPass Name | Emulation Notes |
---|---|---|
BITSAdmin (S0190) | | Transfer tools from C2 to C:\ProgramData\temp or C:\ProgramData\media[10] |
certutil (S0160) | | Used to download and decode base64-encoded files[9] |
China Chopper (S0020) | iisstart.aspx | A China Chopper variant may have been deployed to a web server to maintain persistence[10] |
Csvde | | Used to export data from Active Directory[7] |
cURL | c.exe, CU.exe | Used to exfiltrate data from a network[10] |
esentutl (S0404) | | Used to copy and delete files[9] |
Impacket (S0357) | | Atexec, psexec, and secretsdump are compiled using PyInstaller and employed during enabling objectives[7] |
Koadic (S0250) | | Delivered via spearphishing; has been used to download and execute ANEL[16] |
Mimikatz (S0002) | Pd.exe, MSVCR100.dll | Repacked and/or compiled to a DLL version executed via load order hijacking or side-loading[10] |
Nbtscan | Nbt.exe | Used to enumerate NetBIOS sessions[7] |
NetSess | | Observed enumerating NetBIOS sessions during reconnaissance[7] |
PowerSploit (S0194) | | Discovery, lateral movement, and injection of ChChes into a PowerShell process[29] |
PsExec (S0029) | Psexe.exe | Used to execute tools on a remote host[7] |
pwdump (S0006) | Consl64.exe | DLL containing repacked PwDump6[7] |
PuTTY (PSCP) | Rundll32.exe | Used to exfiltrate data from a network[7] |
Tcping | Rund1132.exe | One of two files included in detect.vbs, used to probe ports 445 and 3389[7] |
Wmiexec | t.vbs | Dropped to C:\Recovery, C:\Intel, or C:\PerLogs[7] |
WinRAR | Svchost.exe, r.exe | Compressed files for exfiltration, named using repeating characters, e.g. ss.rar, pp.rar, dds.rar, gggg.rar[7] |
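The staging pattern described in the Operations text (multi-part archives placed in the Recycle Bin) and the WinRAR row above (archives named with repeating characters such as ss.rar, pp.rar, dds.rar, gggg.rar) can be turned into a file-creation check. The Python below is an added example for this page, not code from the MITRE plan; the file paths are constructed in the shape of Sysmon Event ID 11 TargetFilename values, the SID is made up, and the repeating-name heuristic is an assumption modelled on the four names from the table.

```python
"""Find archive creations matching the staging pattern on this page: RAR
volumes with repeating-character names written to the Recycle Bin
(T1074.001, T1560.001).

Added example for this page, not code from the MITRE plan. Paths are
constructed in the shape of Sysmon Event ID 11 (file create) TargetFilename
values; the name heuristic is an assumption modelled on ss.rar, pp.rar,
dds.rar and gggg.rar from the tool table."""
import ntpath
import re

ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
# Multi-volume suffixes: name.part1.rar, name.r00, name.z01, name.001
MULTIPART_RE = re.compile(r"(\.part\d+\.rar|\.r\d\d|\.z\d\d|\.\d{3})$")
# Recycle Bin roots on NTFS volumes (Vista and later, and the older RECYCLER).
RECYCLE_RE = re.compile(r"\\\$recycle\.bin\\|\\recycler\\")


def file_reasons(path):
    """Return the set of indicators present for one created file."""
    p = path.lower()
    name = ntpath.basename(p)
    reasons = set()
    if RECYCLE_RE.search(p):
        reasons.add("recycle_bin")
    m = MULTIPART_RE.search(name)
    if m:
        reasons.update({"archive", "multipart"})
        stem = name[:m.start()]
    else:
        stem, ext = ntpath.splitext(name)
        if ext in ARCHIVE_EXTS:
            reasons.add("archive")
    # Heuristic: a short alphabetic stem built from at most two distinct letters.
    if stem.isalpha() and len(stem) <= 6 and len(set(stem)) <= 2:
        reasons.add("repeated_name")
    return reasons


def is_suspicious(reasons):
    """An archive is worth a look when it is in the Recycle Bin, multi-part, or
    named with repeating characters; a plain archive elsewhere is not."""
    return "archive" in reasons and bool(reasons & {"recycle_bin", "multipart", "repeated_name"})


def find_staged_archives(events):
    """Return flagged file-create events with their indicators."""
    out = []
    for ev in events:
        reasons = file_reasons(ev["target_filename"])
        if is_suspicious(reasons):
            out.append({"path": ev["target_filename"], "reasons": sorted(reasons)})
    return out


SID = "S-1-5-21-1111-2222-3333-1001"   # constructed SID


def recycled(name):
    """Path of a file inside the constructed user's Recycle Bin folder."""
    return "C:\\$Recycle.Bin\\" + SID + "\\" + name


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"target_filename": recycled("ss.rar")},
    {"target_filename": recycled("gggg.part1.rar")},
    {"target_filename": recycled("gggg.part2.rar")},
    {"target_filename": recycled("gggg.part3.rar")},
    {"target_filename": r"C:\ProgramData\temp\dds.rar"},
    {"target_filename": r"C:\Users\alice\Documents\Q3-report.zip"},
    {"target_filename": recycled("$RABC123.docx")},   # ordinary deletion
    {"target_filename": recycled("$IABC123.docx")},   # its metadata record
]

if __name__ == "__main__":
    for f in find_staged_archives(SAMPLE_EVENTS):
        print(", ".join(f["reasons"]).ljust(40), f["path"])
```

Normal deletions land in the Recycle Bin as $R and $I pairs, so the Recycle Bin location alone is not an indicator; it is the combination with an archive extension, a volume suffix, or a throwaway name that matches the tradecraft on this page. The dds.rar entry shows the name heuristic catching the same pattern in one of the reported staging directories outside the Recycle Bin.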