menuPass is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018)
Platform | Tactic | Technique | Description | Data Sources |
---|---|---|---|---|
Linux, macOS, Windows | collection, credential-access | Input Capture | menuPass has used key loggers to steal usernames and passwords. | Windows Registry, Kernel drivers, Process monitoring, API monitoring |
Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | menuPass has collected various files from the compromised computers. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | exfiltration | Data Encrypted | menuPass has encrypted files and information before exfiltration. | File monitoring, Process monitoring, Process command-line parameters, Binary file metadata |
Linux, macOS, Windows | defense-evasion | Masquerading | menuPass has been seen changing malicious files to appear legitimate. They have also renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool. The group has also used esentutl to change file extensions to avoid detection. | File monitoring, Process monitoring, Binary file metadata |
Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
Linux, macOS, Windows | defense-evasion, execution | Scripting | menuPass has used malicious macros embedded inside Office documents to execute files. | Process monitoring, File monitoring, Process command-line parameters |
Windows | defense-evasion | Process Hollowing | menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant. | Process monitoring, API monitoring |
Windows | defense-evasion | Deobfuscate/Decode Files or Information | menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim's machine when dropping UPPERCUT. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | defense-evasion | File Deletion | A menuPass macro deletes files after it has decoded and decompressed them. | File monitoring, Process command-line parameters, Binary file metadata |
Linux, Windows, macOS, AWS, GCP, Azure, SaaS | initial-access | Trusted Relationship | menuPass has used legitimate access granted to Managed Service Providers in order to access victims of interest. | Azure activity logs, Stackdriver logs, AWS CloudTrail logs, Application logs, Authentication logs, Third-party application logs |
Linux, Windows, macOS | execution | User Execution | menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents, sent via email as part of spearphishing campaigns. | Anti-virus, Process command-line parameters, Process monitoring |
Windows, macOS, Linux | initial-access | Spearphishing Attachment | menuPass has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
Linux, macOS, Windows, AWS, GCP, Azure, SaaS, Office 365 | defense-evasion, persistence, privilege-escalation, initial-access | Valid Accounts | menuPass has used valid accounts shared between Managed Service Providers and clients to move between the two environments. | AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring |
Linux, macOS, Windows | discovery | System Network Configuration Discovery | menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions. | Process monitoring, Process command-line parameters |
Linux, macOS, Windows, AWS, GCP, Azure | discovery | System Network Connections Discovery | menuPass has used net use to conduct connectivity checks to machines. | Process monitoring, Process command-line parameters |
Windows | execution | Windows Management Instrumentation | menuPass uses a modified version of the pentesting script wmiexec.vbs, which logs into a remote machine using WMI. | Authentication logs, Netflow/Enclave netflow, Process monitoring, Process command-line parameters |
Windows | lateral-movement | Remote Desktop Protocol | menuPass has used RDP connections to move across the victim network. | Authentication logs, Netflow/Enclave netflow, Process monitoring |
Linux, macOS, Windows | collection | Data from Network Shared Drive | menuPass has collected data from remote systems by mounting network shares with net use and using Robocopy to transfer data. | File monitoring, Process monitoring, Process command-line parameters |
Windows | execution | PowerShell | menuPass uses PowerSploit to inject shellcode into PowerShell. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
Linux, Windows, macOS | exfiltration | Data Compressed | menuPass has compressed files before exfiltration using TAR and RAR. | Binary file metadata, File monitoring, Process command-line parameters, Process monitoring |
Windows | execution, persistence, privilege-escalation | Scheduled Task | menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
Linux, macOS, Windows, Office 365, Azure AD | discovery | Account Discovery | menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data. | Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | command-and-control, defense-evasion | Connection Proxy | menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim. | Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture |
Linux, macOS, Windows | execution | Command-Line Interface | menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of the pentesting script wmiexec.vbs to execute commands. | Process monitoring, Process command-line parameters |
Windows, Linux, macOS | credential-access | Credential Dumping | menuPass has used modified versions of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
Linux, macOS, Windows, AWS, GCP, Azure | collection | Data Staged | menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin. | File monitoring, Process monitoring, Process command-line parameters |
Linux, macOS, Windows | lateral-movement | Remote Services | menuPass has used Putty Secure Copy Client (PSCP) to transfer data. | Authentication logs |
Windows | defense-evasion | DLL Side-Loading | menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT. | Process use of network, Process monitoring, Loaded DLLs |
Windows | persistence, privilege-escalation, defense-evasion | DLL Search Order Hijacking | menuPass has used DLL search order hijacking. | File monitoring, DLL monitoring, Process monitoring, Process command-line parameters |
Linux, Windows, macOS, AWS, GCP, Azure | discovery | Network Service Scanning | menuPass has used tcping.exe, similar to Ping, to probe port status on systems of interest. | Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network |
Linux, macOS, Windows, GCP, Azure, AWS | discovery | Remote System Discovery | menuPass uses scripts to enumerate IP ranges on the victim network. menuPass has also issued the command net view /domain to a PlugX implant to gather information about remote systems on the network. | Network protocol analysis, Process monitoring, Process use of network, Process command-line parameters |
Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | menuPass has installed updates and new malware on victims. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
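Several rows in the table (renamed certutil, certutil -decode, csvde.exe exports, net use connectivity checks, wmiexec.vbs and atexec) describe behaviour that shows up in process-creation telemetry. The following added example, which is not part of this ATT&CK page or of any referenced report, runs simple detection rules over constructed Sysmon-style events; the field names, sample paths and the esentutl /y copy-mode match are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (sample data, not from the page).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -decode C:\Temp\doc.txt C:\Temp\doc.exe"},
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"svchost.exe -decode C:\ProgramData\in.txt C:\ProgramData\out.dll"},
    {"Image": r"C:\Windows\System32\csvde.exe", "OriginalFileName": "csvde.exe",
     "CommandLine": r"csvde.exe -f C:\Temp\ad.csv"},
    {"Image": r"C:\Windows\System32\net.exe", "OriginalFileName": "net.exe",
     "CommandLine": r"net use \\10.0.0.5\C$ /user:corp\svc"},
    {"Image": r"C:\Windows\System32\cscript.exe", "OriginalFileName": "cscript.exe",
     "CommandLine": r"cscript.exe C:\Temp\wmiexec.vbs 10.0.0.5 whoami"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe report.txt"},
]

def _base(path):
    return ntpath.basename(path).lower()

def _orig(event):
    # PE version-info name survives renaming, so compare it with the on-disk name
    return event.get("OriginalFileName", "").lower()

# Ordered (name, predicate) pairs; order keeps match_rules output stable.
RULES = [
    # certutil launched under another file name (renamed/relocated certutil)
    ("renamed_certutil", lambda e: _orig(e) == "certutil.exe" and _base(e["Image"]) != "certutil.exe"),
    # certutil -decode, whatever name it was launched under
    ("certutil_decode", lambda e: _orig(e) == "certutil.exe"
        and re.search(r"(^|\s)-decode\b", e["CommandLine"], re.I) is not None),
    # csvde.exe exporting Active Directory data
    ("csvde_ad_export", lambda e: _base(e["Image"]) == "csvde.exe"),
    # esentutl copy mode (/y), which writes a file under any extension (flag is an assumption)
    ("esentutl_copy", lambda e: _base(e["Image"]) == "esentutl.exe"
        and re.search(r"\s/y\s", e["CommandLine"], re.I) is not None),
    # net use against a remote UNC path (connectivity checks, share mounting)
    ("net_use_remote_share", lambda e: re.match(r'^\s*"?net(\.exe)?"?\s+use\s+\\\\', e["CommandLine"], re.I) is not None),
    # modified wmiexec.vbs / atexec invocations
    ("wmiexec_or_atexec", lambda e: re.search(r"wmiexec\.vbs|atexec", e["CommandLine"], re.I) is not None),
]

def match_rules(event):
    """Return the names of all rules the event triggers, in RULES order."""
    return [name for name, pred in RULES if pred(event)]

def triage(events):
    """Return (index, rule names) for every event that triggers at least one rule."""
    return [(i, match_rules(e)) for i, e in enumerate(events) if match_rules(e)]

if __name__ == "__main__":
    for i, names in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], "->", ", ".join(names))
```

The renamed-certutil rule depends on OriginalFileName being logged, so the check is only meaningful where the event source records PE version information.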