
Ghostr (Cybercriminal) – Threat Actor

March 2, 2025
in Threat Actors

Ghostr

Location: China

Date of initial activity: 2017

Suspected attribution: Cybercriminal

Government affiliation: No

Associated groups: APT10 (MenuPass, POTASSIUM, Stone Panda, Red Apollo, and CVNX)

Motivation: Financial gain

Associated tools: Poison Ivy, PlugX

Overview

GHOSTR is a sophisticated, financially motivated cyber threat actor believed to have strong ties to China. The group's activities have drawn significant attention because of its advanced tactics and high-profile targets. Its operations combine stealth, precision, and persistence, reflecting experience in executing large-scale intrusions, and its focus on extracting sensitive, valuable information points to its primary objectives: financial gain and strategic advantage.

Active on underground platforms including Breachforums.is, GHOSTR has made headlines by leaking large amounts of stolen data. One of its most notable breaches involved a confidential database from World-Check containing 5.3 million records. In another significant incident, GHOSTR leaked approximately 186 GB of data from a stock trading platform. These breaches demonstrate the group's ability to compromise and exfiltrate large volumes of sensitive information, making it a formidable player in the cybercriminal landscape.

GHOSTR's activity extends to individuals and organizations across multiple sectors. Its operations follow a detailed, methodical approach to data theft, often relying on advanced techniques and tools. By concentrating on sectors that handle large amounts of sensitive data, such as financial services and trading platforms, GHOSTR positions itself as a major threat to data security and privacy on a global scale.

Common targets

Government, Military and Economic sectors

Attack Vectors

Social Engineering, Phishing, Malicious Downloads

How they operate

The operation begins with initial access, where GHOSTR uses spear-phishing campaigns and exploits zero-day vulnerabilities to gain entry into targeted networks. The spear-phishing emails are carefully crafted to appear legitimate, often mimicking trusted entities to increase the likelihood of success. Once inside, GHOSTR deploys custom malware, including remote access Trojans (RATs) such as PlugX and Poison Ivy, to establish a persistent foothold in the compromised environment. This malware lets the group maintain control over the system, execute commands, and stage further malicious activity.

Privilege escalation is a critical phase of GHOSTR's operations. After gaining initial access, the group uses various techniques to elevate its privileges within the network, which may involve exploiting software vulnerabilities or using stolen credentials to reach higher-level accounts. With elevated privileges, GHOSTR moves laterally across the network, accessing additional systems and data repositories. This lateral movement is often achieved through credential theft and the exploitation of network shares, allowing the group to expand its control and gather more sensitive information.

Data collection and exfiltration are central to GHOSTR's operations. The group focuses on extracting valuable data, including personal, financial, and confidential business information, and uses encrypted channels and stealthy methods to exfiltrate it from the compromised network, minimizing the risk of detection. The stolen data is often sold or leaked on underground forums, providing GHOSTR with financial gain or strategic advantage.

To maintain operational security, GHOSTR employs a range of evasion techniques. It encrypts its communications and data, and regularly updates its tactics and tools to stay ahead of security defenses. The group also practices meticulous cleanup, removing traces of its activity to avoid detection and prolong its access to compromised systems.

MITRE Tactics and Techniques

Initial Access
  • T1071: Application Layer Protocol
  • T1193: Spear Phishing Link
  • T1192: Spear Phishing Attachment

Execution
  • T1059: Command and Scripting Interpreter
  • T1106: Native API

Persistence
  • T1547: Boot or Logon Autostart Execution
  • T1060: Registry Run Keys / Start Folder

Privilege Escalation
  • T1068: Exploitation for Privilege Escalation
  • T1078: Valid Accounts

Defense Evasion
  • T1027: Obfuscated Files or Information
  • T1070: Indicator Removal on Host

Credential Access
  • T1003: Credential Dumping
  • T1555: Credentials from Password Stores

Lateral Movement
  • T1021: Remote Services
  • T1075: Pass the Ticket

Collection
  • T1005: Data from Local System
  • T1025: Data from Information Repositories

Exfiltration
  • T1041: Exfiltration Over Command and Control Channel
  • T1048: Exfiltration Over Alternative Protocol

Impact
  • T1499: Endpoint Denial of Service
  • T1203: Exploitation for Client Execution
Tags: APT10, BreachForums, China, Cyber threat, Emails, GhostR, Government, Military, Phishing, PlugX, Poison Ivy, Threat Actors