Picus Labs has enriched the Picus Threat Library with new attack methods that emulate malware seen in the latest espionage activity attributed to UNC215, an Advanced Persistent Threat group active since 2019. UNC215 is widely assessed as part of Chinese cyber espionage efforts [1]. The group has focused on targets across the Middle East, Europe, Asia, and North America, with a concentration on government agencies and academic institutions. By adding faithful simulations of these techniques and payload behaviors, the Picus Threat Library helps security teams measure real exposure and prioritize fixes based on evidence instead of assumptions.
UNC215 campaigns typically blend multiple tactics to obtain initial access, establish persistence, and quietly exfiltrate data. Common patterns include spearphishing or exploitation of internet-facing applications, deployment of web shells, credential theft, and lateral movement that leverages legitimate administrative tools to avoid detection. The updated simulations map to MITRE ATT&CK and reproduce key behaviors such as command and control beaconing, file staging, and data exfiltration. Organizations can use these scenarios to validate detections across SIEM, EDR, and NDR, harden high-value systems, and confirm that incident response playbooks work as intended against UNC215 techniques before a real intrusion occurs.
UNC215 exploits vulnerabilities in public-facing applications, such as the Microsoft SharePoint deserialization vulnerability CVE-2019-0604, for initial access (MITRE ATT&CK T1190 Exploit Public-Facing Application). The cyber espionage group also sends phishing emails carrying Microsoft Office documents weaponized with exploits for the Equation Editor vulnerabilities CVE-2017-11882, CVE-2018-0802, and CVE-2018-0798 (MITRE ATT&CK T1566 Phishing).
After initial access, UNC215 deploys web shells such as China Chopper on the compromised server. For credential dumping, the group uses Mimikatz and ProcDump (MITRE ATT&CK T1003 OS Credential Dumping), then reuses the dumped credentials for lateral movement. Once inside, they deploy their signature FOCUSFJORD backdoor only on key systems identified within the target network, such as domain controllers and Exchange servers, and deploy the HYPERBRO backdoor in later stages of the intrusion. Other techniques used by UNC215 are listed below.
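The behaviors above (a web shell spawning commands from the IIS worker, ProcDump taking a full dump of LSASS, Mimikatz credential theft) are exactly what a detection-validation run against these simulations should surface in the SIEM. The following Python block is an added illustration, not Picus or FireEye code: it encodes three simple process-creation rules and runs them over constructed sample events. The event field names (Sysmon Event ID 1 style Image, ParentImage, CommandLine), the sample command lines, and the rule heuristics themselves are assumptions chosen for the example, not observed UNC215 telemetry.

```python
"""Toy detection rules for UNC215-style tradecraft over constructed
process-creation events. Added illustration, not Picus or FireEye code;
field names and heuristics are assumptions, not observed telemetry."""
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


IIS_WORKERS = {"w3wp.exe"}
INTERACTIVE_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
PROCDUMP_DUMP_FLAGS = {"-ma", "-mp", "-mm"}  # full / minimal-plus / mini dump switches


def rule_webshell_child_process(ev: ProcessEvent) -> bool:
    """T1505.003: an interactive shell spawned by the IIS worker process, the
    footprint China Chopper leaves when its operator runs commands."""
    return _basename(ev.parent_image) in IIS_WORKERS and _basename(ev.image) in INTERACTIVE_SHELLS


def rule_procdump_lsass(ev: ProcessEvent) -> bool:
    """T1003.001: ProcDump (even a renamed copy) dumping lsass. Matches on the
    command line rather than the binary name so renaming does not evade it."""
    tokens = ev.command_line.lower().split()
    targets_lsass = any(t.startswith("lsass") for t in tokens)
    return targets_lsass and bool(PROCDUMP_DUMP_FLAGS & set(tokens))


def rule_mimikatz(ev: ProcessEvent) -> bool:
    """T1003: Mimikatz by binary name or by its module syntax on the command line."""
    cl = ev.command_line.lower()
    return "mimikatz" in _basename(ev.image) or "sekurlsa::" in cl or "lsadump::" in cl


RULES = {
    "T1505.003 Web Shell child process": rule_webshell_child_process,
    "T1003.001 LSASS dump via ProcDump": rule_procdump_lsass,
    "T1003 Mimikatz credential dumping": rule_mimikatz,
}


def triage(events):
    """Return (rule_name, event) pairs for every rule that fires, in input order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


def coverage(events):
    """Which rules fired at least once: the question a simulation run asks of the SIEM."""
    fired = {name for name, _ in triage(events)}
    return {name: name in fired for name in RULES}


# Constructed sample events: three malicious, three benign (assumed, not real logs).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
                 'cmd.exe /c "whoami & ipconfig /all"'),
    ProcessEvent(r"C:\Temp\procdump64.exe", r"C:\Windows\System32\cmd.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\lsass.dmp"),
    ProcessEvent(r"C:\Temp\mk.exe", r"C:\Windows\System32\cmd.exe",
                 'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\services.exe",
                 'w3wp.exe -ap "DefaultAppPool"'),
    ProcessEvent(r"C:\Tools\procdump.exe", r"C:\Windows\System32\cmd.exe",
                 "procdump.exe -ma notepad.exe"),
]

if __name__ == "__main__":
    for name, ev in triage(SAMPLE_EVENTS):
        print(f"[{name}] {ev.parent_image} -> {ev.image}: {ev.command_line}")
    print(coverage(SAMPLE_EVENTS))
```

Running the block fires each rule exactly once and leaves the three benign events (a user opening cmd.exe, IIS starting an app pool, ProcDump pointed at a non-LSASS process) untouched; a detection that stays silent on the simulated event is the gap the Picus run is meant to expose.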
Picus Labs has updated the Picus Threat Library with the following malware used in the latest attack campaign of the UNC215 cyber espionage group:
| Picus ID | Threat Name |
|---|---|
| 876765 | FOCUSFJORD Backdoor used by UNC215 APT Group .EXE Download Variant-1 |
| 707406 | FOCUSFJORD Backdoor used by UNC215 APT Group .EXE Download Variant-2 |
| 473794 | FOCUSFJORD Backdoor used by UNC215 APT Group .EXE Download Variant-3 |
| 819647 | HYPERBRO Backdoor used by UNC215 APT Group .DLL Download Variant-1 |
| 620931 | HYPERBRO Backdoor used by UNC215 APT Group .DLL Download Variant-2 |
MITRE ATT&CK Techniques used by UNC215
References
[1] https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html