APT40 educational institutions

Demonstrates a shellcode injection technique followed by several native API execution techniques.

TTP Tuesday: APT40 - Education Institutions

The final release for our APT40 Theme

Theme Overview

For this week’s TTP Tuesday, we wanted to focus on some techniques that often go under the radar. APT40 seems to use valid credentials for a lot of their attacks, whether they get these credentials from watering holes, data dumps, or files on a compromised box. This chain will find and exfiltrate files that possibly contain cleartext credentials. These types of files are prevalent in numerous organizations, these files are often created by users or administrators who do not remember all their passwords. Development teams can also leave passwords inside code files, documentation, or other configuration files.

Identifying Potential Files

Looking for these types of files can be a long-running process, so to keep the TTPs runtime to a minimum we are only identifying filenames that contain “user” or “pass” in the user’s home directory. Identifying files with suspicious names is only the first step, we then go through the identified files and ensure that the file isn’t in a binary format while also doing some rudimentary checks for special characters in the text of the file, since this aligns with “most” current password requirement policies. After identifying the files, we compress the files and serve them on a website.

Serving the Artifacts

The chain stands up a minimal website with a link to the compressed file. The website is designed to only receive two requests and then it shuts itself down. This allows the malicious actor to visit the website (first request), and download the file (second request). After the second request, the clean-up phase starts.

Cleaning Up

The clean-up TTP will execute after the two requests have taken place. This will remove the files that were created during the previous steps.

Next week we will be starting a brand new theme!

Watch a demonstration: APT40 Find and Exfiltrate

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Start a sacrificial process
Inject shellcode using execute-shellcode executor
Get process ID
Create registry key
Read registry key
Delete registry key
List files in directory
Get network config
Print working directory
Get running processes
Terminate process
Get host network connections
Get agent privileges
Make directory
Delete file or directory