Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage personal-data information systems (ИСПДн), critical information infrastructure (КИИ), state information systems (ГИС), information security management systems (СМИБ/СУИБ), and banking security systems.
SECURITM is also a place where security teams exchange experience and working materials.

admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)
ID: G0018
Associated Groups: 
Version: 1.2
Created: 31 May 2017
Last Modified: 25 Apr 2025

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts:
net user >> %temp%\download
net user /domain >> %temp%\download
(Citation: FireEye admin@338)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. (Citation: FireEye admin@338)

Enterprise T1036 .005 Masquerading: Match Legitimate Resource Name or Location

admin@338 actors used the following command to rename one of their tools to a benign file name:
ren "%temp%\upload" audiodg.exe
(Citation: FireEye admin@338)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups:
net localgroup administrator >> %temp%\download
(Citation: FireEye admin@338)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

admin@338 has sent emails with malicious Microsoft Office documents attached. (Citation: FireEye admin@338)

Enterprise T1204 .002 User Execution: Malicious File

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails. (Citation: FireEye admin@338)
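The three post-exploitation entries above (T1087.001, T1069.001 and T1036.005) are all visible in process-creation telemetry as command lines. The following detector is an added example, not part of this ATT&CK entry or of any SECURITM tooling: it runs over a handful of constructed process-creation records (user, parent image, command line; the record format, user names and the `SAMPLE_EVENTS` list are assumptions) and maps each command line to the technique IDs listed above, flags output staged under %temp%, and then groups findings by user so that one account running several of these commands stands out from a single administrator typing `net user`.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (hypothetical, not from the page).
# Each record is "<user>|<parent image>|<command line>", as an EDR export might give it.
SAMPLE_EVENTS = [
    "corp\\jdoe|C:\\Windows\\System32\\cmd.exe|net user >> %temp%\\download",
    "corp\\jdoe|C:\\Windows\\System32\\cmd.exe|net user /domain >> %temp%\\download",
    "corp\\jdoe|C:\\Windows\\System32\\cmd.exe|net localgroup administrator >> %temp%\\download",
    'corp\\jdoe|C:\\Windows\\System32\\cmd.exe|ren "%temp%\\upload" audiodg.exe',
    "corp\\svc|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\audiodg.exe 0x3b0",
    "corp\\admin|C:\\Windows\\System32\\cmd.exe|ipconfig /all",
]

# Legitimate Windows binary names worth watching as rename targets; the entry above records audiodg.exe.
MASQUERADE_NAMES = {"audiodg.exe"}

# Command patterns taken from the technique entries above (net1.exe is the same tool as net.exe).
# Account creation ("... /add") is excluded so the rule stays focused on enumeration.
NET_USER = re.compile(r"^\s*net1?\s+user\b(?!.*\s/add\b)", re.I)
NET_LOCALGROUP = re.compile(r"^\s*net1?\s+localgroup\b", re.I)
RENAME_TO_EXE = re.compile(r'^\s*(?:ren|rename)\s+(?:"[^"]*"|\S+)\s+(\S+\.exe)\s*$', re.I)
STAGED_OUTPUT = re.compile(r">>?\s*%temp%\\", re.I)


def classify(cmdline):
    """Return the ATT&CK technique IDs (from the entries above) that this command line matches."""
    hits = []
    if NET_USER.search(cmdline):
        hits.append("T1087.001")
    if NET_LOCALGROUP.search(cmdline):
        hits.append("T1069.001")
    m = RENAME_TO_EXE.search(cmdline)
    if m and m.group(1).lower() in MASQUERADE_NAMES:
        hits.append("T1036.005")
    return hits


def detect(events):
    """Scan records and return one finding per (record index, technique)."""
    findings = []
    for i, rec in enumerate(events):
        user, _parent, cmdline = rec.split("|", 2)
        for tid in classify(cmdline):
            findings.append({
                "index": i,
                "user": user,
                "technique": tid,
                # Redirecting discovery output into a file under %temp% is the staging habit in the entries above.
                "staged": bool(STAGED_OUTPUT.search(cmdline)),
            })
    return findings


def correlate(findings):
    """Group findings by user; one account touching several techniques is a stronger signal than one command."""
    by_user = defaultdict(set)
    for f in findings:
        by_user[f["user"]].add(f["technique"])
    return {u: sorted(t) for u, t in by_user.items() if len(t) >= 2}


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f['index']}: {f['user']} -> {f['technique']} staged={f['staged']}")
    print("multi-technique users:", correlate(found))
```

The rename rule deliberately fires only when the new name is a known system binary name, and the `/add` exclusion keeps routine account administration out of the account-discovery rule; both choices trade a little recall for far fewer false positives on administrator workstations. In a real pipeline the sample list would be replaced by Sysmon event ID 1 or equivalent EDR process-creation records.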

Software

ID Name References Techniques
S0039 Net (Citation: FireEye admin@338) (Citation: Microsoft Net Utility) (Citation: Savill 1999) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0043 BUBBLEWRAP (Citation: FireEye admin@338) System Information Discovery, Non-Application Layer Protocol, Web Protocols
S0100 ipconfig (Citation: FireEye admin@338) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S0042 LOWBALL (Citation: FireEye admin@338) Bidirectional Communication, Web Protocols, Ingress Tool Transfer, Commonly Used Port
S0104 netstat (Citation: FireEye admin@338) (Citation: TechNet Netstat) System Network Connections Discovery
S0096 Systeminfo (Citation: FireEye admin@338) (Citation: TechNet Systeminfo) System Information Discovery
S0012 PoisonIvy (Citation: Breut) (Citation: Darkmoon) (Citation: FireEye Poison Ivy) (Citation: FireEye admin@338) (Citation: Novetta-Axiom) (Citation: Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) (Citation: Symantec Darkmoon Sept 2014) (Citation: Symantec Elderwood Sept 2012) Keylogging, Rootkit, Local Data Staging, Active Setup, Symmetric Cryptography, Windows Service, Data from Local System, Mutual Exclusion, Application Window Discovery, Modify Registry, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Ingress Tool Transfer, Dynamic-link Library Injection
