Chimera

Introduction

Chimera is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry. Cycraft Chimera April 2020 NCC Group Chimera January 2021

Activities and Tactics

Country of Origin: 🇨🇳 China

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

• T1574.001 DLL
• T1074.002 Remote Data Staging
• T1053.005 Scheduled Task
• T1569.002 Service Execution
• T1041 Exfiltration Over C2 Channel
• T1078 Valid Accounts
• T1550.002 Pass the Hash
• T1071.001 Web Protocols
• T1106 Native API
• T1556.001 Domain Controller Authentication
• T1071.004 DNS
• T1482 Domain Trust Discovery
• T1560.001 Archive via Utility
• T1021.006 Windows Remote Management
• T1083 File and Directory Discovery
• T1087.002 Domain Account
• T1057 Process Discovery
• T1021.002 SMB/Windows Admin Shares
• T1059.001 PowerShell
• T1003.003 NTDS
• T1074.001 Local Data Staging
• T1213.002 Sharepoint
• T1135 Network Share Discovery
• T1036.005 Match Legitimate Resource Name or Location
• T1570 Lateral Tool Transfer
• T1007 System Service Discovery
• T1027.010 Command Obfuscation
• T1685.005 Clear Windows Event Logs
• T1016 System Network Configuration Discovery
• T1046 Network Service Discovery
• T1033 System Owner/User Discovery
• T1087.001 Local Account
• T1572 Protocol Tunneling
• T1078.002 Domain Accounts
• T1069.001 Local Groups
• T1124 System Time Discovery
• T1201 Password Policy Discovery
• T1049 System Network Connections Discovery
• T1059.003 Windows Command Shell
• T1070.004 File Deletion
• T1110.003 Password Spraying
• T1114.001 Local Email Collection
• T1039 Data from Network Shared Drive
• T1119 Automated Collection
• T1133 External Remote Services
• T1110.004 Credential Stuffing
• T1680 Local Storage Discovery
• T1114.002 Remote Email Collection
• T1012 Query Registry
• T1588.002 Tool
• T1567.002 Exfiltration to Cloud Storage
• T1070.006 Timestomp
• T1018 Remote System Discovery
• T1589.001 Credentials
• T1047 Windows Management Instrumentation
• T1021.001 Remote Desktop Protocol
• T1111 Multi-Factor Authentication Interception
• T1217 Browser Information Discovery
• T1105 Ingress Tool Transfer

ATT&CK technique IDs (denormalized)

• T1003.003
• T1007
• T1012
• T1016
• T1018
• T1021.001
• T1021.002
• T1021.006
• T1027.010
• T1033
• T1036.005
• T1039
• T1041
• T1046
• T1047
• T1049
• T1053.005
• T1057
• T1059.001
• T1059.003
• T1069.001
• T1070.004
• T1070.006
• T1071.001
• T1071.004
• T1074.001
• T1074.002
• T1078
• T1078.002
• T1083
• T1087.001
• T1087.002
• T1105
• T1106
• T1110.003
• T1110.004
• T1111
• T1114.001
• T1114.002
• T1119
• T1124
• T1133
• T1135
• T1201
• T1213.002
• T1217
• T1482
• T1550.002
• T1556.001
• T1560.001
• T1567.002
• T1569.002
• T1570
• T1572
• T1574.001
• T1588.002
• T1589.001
• T1680
• T1685.005

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

• China Chopper:
• CyberGate:
• Cyber Eye RAT:

MITRE ATT&CK Software

• PsExec (S0029) — tool
• BloodHound (S0521) — tool
• esentutl (S0404) — tool
• Net (S0039) — tool
• Mimikatz (S0002) — tool
• Cobalt Strike (S0154) — malware

Attribution and Evidence

Country of Origin: China Additional attribution information pending cataloguing.

References

[1] mitre-attack [3] Cycraft Chimera April 2020 Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. [4] NCC Group Chimera January 2021 Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.