
admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. (Citation: FireEye admin@338)
ID: G0018
Associated Groups: 
Version: 1.2
Created: 31 May 2017
Last Modified: 18 Mar 2020

Associated Group Descriptions

Name Description

Techniques Used

Domain | ID | Name | Use

Enterprise | T1087.001 | Account Discovery: Local Account

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts:
net user >> %temp%\download
net user /domain >> %temp%\download
(Citation: FireEye admin@338)

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. (Citation: FireEye admin@338)

Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location

admin@338 actors used the following command to rename one of their tools to a benign file name:
ren "%temp%\upload" audiodg.exe
(Citation: FireEye admin@338)

Enterprise | T1069.001 | Permission Groups Discovery: Local Groups

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups:
net localgroup administrator >> %temp%\download
(Citation: FireEye admin@338)

Enterprise | T1566.001 | Phishing: Spearphishing Attachment

admin@338 has sent emails with malicious Microsoft Office documents attached. (Citation: FireEye admin@338)

Enterprise | T1204.002 | User Execution: Malicious File

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails. (Citation: FireEye admin@338)
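The commands attributed to admin@338 above (net user, net localgroup, ren to audiodg.exe) are exactly the kind of post-exploitation activity that shows up in process-creation telemetry. The following is an added detection example, not part of this SECURITM/ATT&CK entry or the FireEye report: it scans a constructed set of simplified "image | command line" events, tags each hit with the ATT&CK technique ID from the table above, and flags the case where both discovery commands appear together, which matches the report's description of a command file executed in batch. The event format, the sample lines and the helper names are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of process-creation events (not taken from the report).
# Each line is "<image path> | <command line>", a deliberately simplified
# stand-in for Sysmon Event ID 1 / Windows Security 4688 fields.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\cmd.exe | cmd.exe /c net user >> %temp%\download",
    r"C:\Windows\System32\cmd.exe | cmd.exe /c net user /domain >> %temp%\download",
    r"C:\Windows\System32\cmd.exe | cmd.exe /c net localgroup administrator >> %temp%\download",
    r'C:\Windows\System32\cmd.exe | cmd.exe /c ren "%temp%\upload" audiodg.exe',
    r"C:\Windows\System32\cmd.exe | cmd.exe /c ipconfig /all",
    r"C:\Program Files\App\app.exe | app.exe --update",
]

# Detection rules keyed to the technique IDs listed for admin@338 on this page.
# Patterns are case-insensitive and also accept net1.exe / net.exe spellings.
RULES = [
    ("T1087.001", "Account Discovery: Local Account",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\b", re.I)),
    ("T1069.001", "Permission Groups Discovery: Local Groups",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b", re.I)),
    ("T1036.005", "Masquerading: Match Legitimate Name or Location",
     re.compile(r"\bren(?:ame)?\s+.*\baudiodg\.exe\b", re.I)),
]


@dataclass
class Hit:
    technique_id: str
    technique_name: str
    command_line: str


def scan_events(events: List[str]) -> List[Hit]:
    """Return one Hit per (event, rule) match, in event order."""
    hits: List[Hit] = []
    for event in events:
        _image, _sep, cmdline = event.partition(" | ")
        for tech_id, name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append(Hit(tech_id, name, cmdline.strip()))
    return hits


def summarize(hits: List[Hit]) -> Dict[str, int]:
    """Count matches per technique ID for a quick triage view."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.technique_id] = counts.get(hit.technique_id, 0) + 1
    return counts


def discovery_chain(hits: List[Hit]) -> bool:
    """True when both local account and local group enumeration were seen.

    Seeing the two discovery commands together on one host is a stronger
    signal than either alone, and matches the batch-of-commands behaviour
    described for the LOWBALL post-exploitation phase.
    """
    seen = {hit.technique_id for hit in hits}
    return {"T1087.001", "T1069.001"} <= seen


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for hit in found:
        print(f"{hit.technique_id} {hit.technique_name}: {hit.command_line}")
    print("per-technique counts:", summarize(found))
    print("discovery chain present:", discovery_chain(found))
```

In production the command line would come from the EDR or SIEM field rather than a split on " | ", and the T1087/T1069 rules will also fire on legitimate administration, so the chain check (or the redirect of output into a temp file, as in the cited commands) is the part worth alerting on rather than any single match.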

Software

ID | Name | References | Techniques

S0039 Net
References: (Citation: FireEye admin@338), (Citation: Microsoft Net Utility), (Citation: Savill 1999)
Techniques: Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account

S0043 BUBBLEWRAP
References: (Citation: FireEye admin@338)
Techniques: Web Protocols, Non-Application Layer Protocol, System Information Discovery

S0100 ipconfig
References: (Citation: FireEye admin@338), (Citation: TechNet Ipconfig)
Techniques: System Network Configuration Discovery

S0042 LOWBALL
References: (Citation: FireEye admin@338)
Techniques: Web Protocols, Ingress Tool Transfer, Bidirectional Communication, Commonly Used Port

S0104 netstat
References: (Citation: FireEye admin@338), (Citation: TechNet Netstat)
Techniques: System Network Connections Discovery

S0096 Systeminfo
References: (Citation: FireEye admin@338), (Citation: TechNet Systeminfo)
Techniques: System Information Discovery

S0012 PoisonIvy
References: (Citation: Breut), (Citation: Darkmoon), (Citation: FireEye admin@338), (Citation: FireEye Poison Ivy), (Citation: Novetta-Axiom), (Citation: Poison Ivy), (Citation: Symantec Darkmoon Aug 2005), (Citation: Symantec Darkmoon Sept 2014), (Citation: Symantec Elderwood Sept 2012)
Techniques: Windows Service, Modify Registry, Uncommonly Used Port, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Keylogging, Active Setup, Dynamic-link Library Injection, Local Data Staging, Windows Command Shell, Ingress Tool Transfer, Symmetric Cryptography, Data from Local System, Application Window Discovery, Rootkit
