| Velvet Ant group | |
|---|---|
| Location | China |
| Date of initial activity | 2024 |
| Suspected attribution | State-sponsored threat group |
| Government affiliation | Yes |
| Motivation | Espionage |
| Associated tools | Cobalt Strike |
| Software | Windows |
Overview
In the realm of cyber threats, the group known as Velvet Ant stands out for its sophisticated and highly targeted attacks. Emerging as a formidable force, Velvet Ant is a Chinese state-backed threat actor, recognized for its relentless exploitation of zero-day vulnerabilities and advanced tactics. Their operations are marked by a strategic focus on high-value targets, often involving critical infrastructure and sensitive governmental entities. The group’s activity underscores a broader trend in cyber warfare where nation-state actors leverage advanced persistent threats (APTs) to further geopolitical objectives.
Velvet Ant gained notoriety through its exploitation of CVE-2024-20399, a critical vulnerability in Cisco Nexus switches. The vulnerability, disclosed in early 2024, gave Velvet Ant a gateway into target network environments. By leveraging it as a zero-day, the group gained unauthorized access to sensitive systems and was positioned to exfiltrate critical data.
The group’s modus operandi reflects a deep understanding of their targets’ network architectures and operational environments. Velvet Ant’s attacks are characterized by a high degree of stealth and precision, often involving multi-layered tactics that include initial exploitation, lateral movement, and data exfiltration. This approach not only maximizes their impact but also minimizes detection risks, making them a significant concern for cybersecurity professionals and organizations worldwide.
Common targets
Taiwan; Information sector
Attack vectors
Software Vulnerabilities
How they operate
At the core of Velvet Ant’s operations is their utilization of tools such as Cobalt Strike and Empire, which serve as the backbone of their command and control (C2) infrastructure. Cobalt Strike, a popular penetration testing tool, is repurposed by the group to establish and maintain control over compromised systems. Its features, including beacons for persistent communication and payload delivery, make it a versatile instrument for executing commands and facilitating lateral movement within a network. Similarly, Empire provides a robust framework for post-exploitation activities, allowing Velvet Ant to execute commands, gather information, and maintain access through various C2 channels.
Credential theft and exploitation are central to Velvet Ant’s strategy, with tools like Mimikatz playing a crucial role. Mimikatz is employed to extract sensitive credentials from memory, including plaintext passwords and Kerberos tickets. This capability allows Velvet Ant to escalate privileges and navigate through the network with greater ease. Additionally, the group makes use of PowerShell scripts to perform a range of malicious activities. These scripts are designed to exploit PowerShell’s powerful features for tasks such as data collection, payload execution, and lateral movement, further augmenting their ability to control and exfiltrate data from compromised systems.
The Velvet Ant group also leverages custom Remote Access Trojans (RATs) and publicly available tools to establish persistent access and maintain control over infected systems. Tools like njRAT or DarkComet provide the group with the ability to remotely administer compromised machines, execute commands, and gather intelligence. For data exfiltration, Velvet Ant utilizes tools such as Rclone, which facilitates the transfer of data to cloud storage services, thereby circumventing traditional data exfiltration defenses.
The group’s technical operations reflect a sophisticated understanding of both the tools at their disposal and the vulnerabilities they exploit. By combining advanced malware, credential dumping techniques, and custom scripts, Velvet Ant demonstrates a high level of adaptability and efficiency in their cyber activities. Their ability to operate stealthily and adapt their methods to overcome security measures underscores the ongoing challenge posed by advanced persistent threats in the cyber landscape. As Velvet Ant continues to evolve and refine their tactics, maintaining vigilance and adopting robust security measures remains essential for defending against such sophisticated threats.
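As an added illustration (not part of this profile or of any vendor's detection content), the Python sketch below runs three checks tied to the tradecraft described above and to the credential-access, exfiltration and defense-evasion entries in the MITRE mapping that follows: LSASS memory access by a non-allowlisted process (T1003.001, the Mimikatz pattern), an Rclone copy to a cloud remote (T1048) and a backdated file creation time (T1070.006). The Sysmon-style field names, the allowlist and the sample events are assumptions constructed for the example.

```python
import re
from datetime import datetime

SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry
    {"EventID": 10, "SourceImage": r"C:\Users\ops\x.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\share\finance remote:backup --transfers 8"},
    {"EventID": 2, "Image": r"C:\Users\ops\x.exe", "TargetFilename": r"C:\Windows\Temp\svc.dll",
     "CreationUtcTime": "2019-01-01 00:00:00", "PreviousCreationUtcTime": "2024-07-02 10:15:00"},
]
PROCESS_VM_READ = 0x0010  # access right a Mimikatz-style LSASS read needs
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}  # assumed
TS_FMT = "%Y-%m-%d %H:%M:%S"
# rclone "remote:path" argument; the lookahead rejects drive letters such as D:\
RCLONE_REMOTE = re.compile(r"(?:^|\s)[\w-]+:(?![\\/])\S*")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_lsass_access(ev):
    """T1003.001: a non-allowlisted process opens lsass.exe with VM_READ."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    src = basename(ev["SourceImage"])
    readable = int(ev["GrantedAccess"], 16) & PROCESS_VM_READ
    return ("T1003.001", src) if readable and src not in LSASS_ALLOWLIST else None

def check_rclone_exfil(ev):
    """T1048: rclone copy/sync/move with a configured cloud remote as target."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != "rclone.exe":
        return None
    cmd = ev["CommandLine"]
    ok = re.search(r"\b(copy|sync|move)\b", cmd) and RCLONE_REMOTE.search(cmd)
    return ("T1048", "rclone.exe") if ok else None

def check_timestomp(ev):
    """T1070.006: a file's creation time was rewritten to an earlier date."""
    if ev.get("EventID") != 2:
        return None
    new = datetime.strptime(ev["CreationUtcTime"], TS_FMT)
    old = datetime.strptime(ev["PreviousCreationUtcTime"], TS_FMT)
    return ("T1070.006", basename(ev["Image"])) if new < old else None

def detect(events):
    """Return (technique, process) pairs for every event some check flags."""
    checks = (check_lsass_access, check_rclone_exfil, check_timestomp)
    return [hit for ev in events for chk in checks if (hit := chk(ev))]
```

In production the allowlist and the VM_READ mask would be tuned per environment; the point is that each of the page's named tools leaves a distinct, checkable trace.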
MITRE Tactics and Techniques
Initial Access:
T1133 – External Remote Services: Exploitation of external services to gain initial access to a network.
Execution:
T1047 – Windows Management Instrumentation (WMI): Utilization of WMI for executing malicious commands or scripts.
T1059.008 – Command and Scripting Interpreter: Network Device CLI: Use of network device command-line interfaces to execute commands.
T1569.002 – System Services: Service Execution: Exploitation of system services for executing commands or payloads.
Persistence:
T1037.004 – Boot or Logon Initialization Scripts: RC Scripts: Use of boot or logon initialization scripts to maintain persistence.
T1133 – External Remote Services: Reuse of external remote services for ongoing access.
T1078.002 – Valid Accounts: Domain Accounts: Use of valid domain accounts for persistence.
T1078.003 – Valid Accounts: Local Accounts: Use of valid local accounts for maintaining access.
Privilege Escalation:
T1078.002 – Valid Accounts: Domain Accounts: Exploitation of domain accounts for elevated privileges.
Defense Evasion:
T1574.001 – Hijack Execution Flow: DLL Search Order Hijacking: Manipulation of DLL search order to evade detection.
T1562.004 – Impair Defenses: Disable or Modify System Firewall: Alteration of firewall settings to bypass defenses.
T1055 – Process Injection: Injection of malicious code into legitimate processes to evade detection.
T1070.006 – Indicator Removal: Timestomp: Modification of file timestamps to obscure evidence of malicious activity.
T1036.005 – Masquerading: Match Legitimate Name or Location: Masking malicious files or processes as legitimate entities.
Credential Access:
T1003.001 – OS Credential Dumping: LSASS Memory: Extraction of credentials from LSASS memory.
Discovery:
T1087.002 – Account Discovery: Domain Account: Identification of domain accounts within the network.
T1083 – File and Directory Discovery: Enumeration of files and directories to gather information.
T1135 – Network Share Discovery: Discovery of network shares for accessing additional resources.
T1018 – Remote System Discovery: Identification of remote systems within the network.
T1082 – System Information Discovery: Collection of system information to aid in further attacks.
T1016 – System Network Configuration Discovery: Gathering information on network configuration.
T1040 – Network Sniffing: Capturing network traffic to gather data.
Lateral Movement:
T1021.002 – Remote Services: SMB/Windows Admin Shares: Use of SMB/Windows Admin Shares for lateral movement.
T1021.004 – Remote Services: SSH: Utilization of SSH for moving laterally within the network.
T1570 – Lateral Tool Transfer: Transfer of tools between systems for lateral movement.
Collection:
T1039 – Data from Network Shared Drive: Collection of data from network shared drives.
Command and Control:
T1572 – Protocol Tunneling: Use of tunneling techniques to disguise command and control traffic.
T1090.001 – Proxy: Internal Proxy: Use of internal proxies for routing command and control traffic.
T1132.001 – Data Encoding: Standard Encoding: Encoding of data to evade detection during exfiltration.
T1071.001 – Application Layer Protocol: Web Protocols: Utilization of web protocols for command and control communication.
Exfiltration:
T1048 – Exfiltration Over Alternative Protocol: Use of alternative protocols to exfiltrate data.