
Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)
ID: G0027
Associated Groups: BRONZE UNION, TG-3390, Emissary Panda, Iron Tiger, APT27, Earth Smilodon, LuckyMouse
Version: 2.2
Created: 31 May 2017
Last Modified: 10 Apr 2024

Associated Group Descriptions

Name Description
BRONZE UNION (Citation: SecureWorks BRONZE UNION June 2017)(Citation: Nccgroup Emissary Panda May 2018)
TG-3390 (Citation: Dell TG-3390)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Hacker News LuckyMouse June 2018)
Emissary Panda (Citation: Gallagher 2015)(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Trend Micro Iron Tiger April 2021)
Iron Tiger (Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)
APT27 (Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)
Earth Smilodon (Citation: Trend Micro Iron Tiger April 2021)
LuckyMouse (Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)(Citation: Trend Micro Iron Tiger April 2021)

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.(Citation: Nccgroup Emissary Panda May 2018)

Enterprise T1087 .001 Account Discovery: Local Account

Threat Group-3390 has used `net user` to conduct internal discovery of systems.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1583 .001 Acquire Infrastructure: Domains

Threat Group-3390 has registered domains for C2.(Citation: Lunghi Iron Tiger Linux)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Threat Group-3390 malware has used HTTP for C2.(Citation: Securelist LuckyMouse June 2018)

Enterprise T1560 .002 Archive Collected Data: Archive via Library

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Threat Group-3390's malware can add a Registry key to `Software\Microsoft\Windows\CurrentVersion\Run` for persistence.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Lunghi Iron Tiger Linux)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Threat Group-3390 has used PowerShell for execution.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-3390 has used command-line interfaces for execution.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Unit42 Emissary Panda May 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Threat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Lunghi Iron Tiger Linux)

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Threat Group-3390 obtained a KeePass database from a compromised host.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1074 .001 Data Staged: Local Data Staging

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1074 .002 Data Staged: Remote Data Staging

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Threat Group-3390 has exfiltrated stolen data to Dropbox.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1574 .001 Hijack Execution Flow: DLL

Threat Group-3390 has performed DLL search order hijacking to execute their payload.(Citation: Nccgroup Emissary Panda May 2018) Threat Group-3390 has also used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as `rc.exe`, a legitimate Microsoft Resource Compiler.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Lunghi Iron Tiger Linux)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as `rc.exe`, a legitimate Microsoft Resource Compiler.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)(Citation: Lunghi Iron Tiger Linux)

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Threat Group-3390 has used `appcmd.exe` to disable logging on a victim server.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Trend Micro DRBControl February 2020)

Enterprise T1070 .005 Indicator Removal: Network Share Connection Removal

Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1056 .001 Input Capture: Keylogging

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 has also leveraged the ScanBox reconnaissance framework to capture keystrokes.(Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018)(Citation: Securelist LuckyMouse June 2018)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.(Citation: Dell TG-3390)(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Threat Group-3390 has packed malware and tools, including using VMProtect.(Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)

Enterprise T1027 .015 Obfuscated Files or Information: Compression

Threat Group-3390 malware is compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.(Citation: Unit42 Emissary Panda May 2019)(Citation: Dell TG-3390)

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.(Citation: Lunghi Iron Tiger Linux)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Threat Group-3390 has used e-mail to deliver malicious attachments to victims.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

A Threat Group-3390 tool can spawn `svchost.exe` and inject the payload into that process.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)

Enterprise T1021 .006 Remote Services: Windows Remote Management

Threat Group-3390 has used WinRM to enable remote execution.(Citation: SecureWorks BRONZE UNION June 2017)

Enterprise T1053 .002 Scheduled Task/Job: At

Threat Group-3390 actors use `at` to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.(Citation: Dell TG-3390)

Enterprise T1505 .003 Server Software Component: Web Shell

Threat Group-3390 has used a variety of Web shells.(Citation: Unit42 Emissary Panda May 2019)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Threat Group-3390 has hosted malicious payloads on Dropbox.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1608 .002 Stage Capabilities: Upload Tool

Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.(Citation: Dell TG-3390)

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.(Citation: Gallagher 2015)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Threat Group-3390 has compromised the Able Desktop installer to gain access to victims' environments.(Citation: Trend Micro Iron Tiger April 2021)

Enterprise T1204 .002 User Execution: Malicious File

Threat Group-3390 has lured victims into opening malicious files containing malware.(Citation: Trend Micro DRBControl February 2020)

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: SecureWorks BRONZE UNION June 2017) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0662 RCSession (Citation: Profero APT27 December 2020) (Citation: Secureworks BRONZE PRESIDENT December 2019) (Citation: Trend Micro DRBControl February 2020) (Citation: Trend Micro Iron Tiger April 2021) Screen Capture, Fileless Storage, System Owner/User Discovery, Keylogging, Bypass User Account Control, DLL, System Information Discovery, Msiexec, Native API, Data from Local System, Masquerading, Modify Registry, Process Discovery, Registry Run Keys / Startup Folder, Process Hollowing, Encrypted Channel, Non-Application Layer Protocol, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Compression
S0160 certutil (Citation: TechNet Certutil) (Citation: Trend Micro DRBControl February 2020) Archive via Utility, Deobfuscate/Decode Files or Information, Install Root Certificate, Ingress Tool Transfer
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: Dell TG-3390) LSASS Memory
S0357 Impacket (Citation: Impacket Tools) (Citation: Unit42 Emissary Panda May 2019) Windows Management Instrumentation, Security Account Manager, LSA Secrets, Network Sniffing, Ccache Files, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Lateral Tool Transfer, NTDS, Service Execution, Kerberoasting
S0100 ipconfig (Citation: SecureWorks BRONZE UNION June 2017) (Citation: TechNet Ipconfig) System Network Configuration Discovery
S0057 Tasklist (Citation: Microsoft Tasklist) (Citation: Trend Micro DRBControl February 2020) System Service Discovery, Process Discovery, Security Software Discovery
S0104 netstat (Citation: TechNet Netstat) (Citation: Trend Micro DRBControl February 2020) System Network Connections Discovery
S0073 ASPXSpy (Citation: Dell TG-3390) (Citation: Profero APT27 December 2020) Web Shell
S0020 China Chopper (Citation: CISA AA21-200A APT40 July 2021) (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018) (Citation: Lee 2013) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Rapid7 HAFNIUM Mar 2021) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Unit42 Emissary Panda May 2019) Password Guessing, Data from Local System, Timestomp, Web Shell, File and Directory Discovery, Windows Command Shell, Software Packing, Web Protocols, Network Service Discovery, Ingress Tool Transfer
S0398 HyperBro (Citation: Hacker News LuckyMouse June 2018) (Citation: Securelist LuckyMouse June 2018) (Citation: Trend Micro DRBControl February 2020) (Citation: Trend Micro Iron Tiger April 2021) (Citation: Unit42 Emissary Panda May 2019) Screen Capture, Encrypted/Encoded File, DLL, System Service Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, File Deletion, Software Packing, Web Protocols, Ingress Tool Transfer, Service Execution
S0013 PlugX (Citation: CIRCL PlugX March 2013) (Citation: Dell TG-3390) (Citation: DestroyRAT) (Citation: FireEye Clandestine Fox Part 2) (Citation: Kaba) (Citation: Korplug) (Citation: Lastline PlugX Analysis) (Citation: Nccgroup Emissary Panda May 2018) (Citation: New DragonOK) (Citation: Novetta-Axiom) (Citation: Profero APT27 December 2020) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Sogu) (Citation: TVT) (Citation: Thoper) (Citation: Trend Micro DRBControl February 2020) Screen Capture, Keylogging, DNS, Match Legitimate Resource Name or Location, Symmetric Cryptography, Windows Service, System Checks, DLL, Network Share Discovery, Native API, Deobfuscate/Decode Files or Information, Disable or Modify System Firewall, Modify Registry, File and Directory Discovery, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Multiband Communication, Registry Run Keys / Startup Folder, Non-Standard Port, Obfuscated Files or Information, Non-Application Layer Protocol, Query Registry, MSBuild, Windows Command Shell, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Hidden Files and Directories, Custom Command and Control Protocol, Dead Drop Resolver, Commonly Used Port
S0660 Clambling (Citation: Profero APT27 December 2020) (Citation: Trend Micro DRBControl February 2020) (Citation: Trend Micro Iron Tiger April 2021) Screen Capture, System Owner/User Discovery, Keylogging, Bypass User Account Control, Malicious File, Windows Service, Spearphishing Attachment, DLL, Clipboard Data, Network Share Discovery, System Information Discovery, Application Layer Protocol, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Time Based Evasion, Modify Registry, Video Capture, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Process Hollowing, Obfuscated Files or Information, Bidirectional Communication, Exfiltration to Cloud Storage, Non-Application Layer Protocol, Query Registry, Windows Command Shell, Web Protocols, Hidden Files and Directories, Service Execution, System Time Discovery
S0096 Systeminfo (Citation: TechNet Systeminfo) (Citation: Trend Micro DRBControl February 2020) System Information Discovery
S0032 gh0st RAT (Citation: Arbor Musical Chairs Feb 2018) (Citation: FireEye Hacking Team) (Citation: Moudoor) (Citation: Mydoor) (Citation: Nccgroup Gh0st April 2018) (Citation: Novetta-Axiom) (Citation: Secureworks BRONZEUNION Feb 2019) Screen Capture, Rundll32, Standard Encoding, Keylogging, Shared Modules, Symmetric Cryptography, Windows Service, Fast Flux DNS, DLL, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Modify Registry, Clear Windows Event Logs, Command and Scripting Interpreter, Process Discovery, Registry Run Keys / Startup Folder, Encrypted Channel, Non-Application Layer Protocol, Query Registry, File Deletion, Ingress Tool Transfer, Service Execution
S0006 pwdump (Citation: Unit42 Emissary Panda May 2019) (Citation: Wikipedia pwdump) Security Account Manager
S0664 Pandora (Citation: Trend Micro Iron Tiger April 2021) Symmetric Cryptography, Windows Service, DLL, Process Injection, Traffic Signaling, Code Signing Policy Modification, Modify Registry, Process Discovery, Exploitation for Privilege Escalation, Web Protocols, Ingress Tool Transfer, Service Execution, Compression
S0154 Cobalt Strike (Citation: Trend Micro DRBControl February 2020) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Nccgroup Emissary Panda May 2018) (Citation: Profero APT27 December 2020) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Talent-Jump Clambling February 2020) (Citation: Trend Micro DRBControl February 2020) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0008 gsecdump (Citation: Dell TG-3390) (Citation: TrueSec Gsecdump) Security Account Manager, LSA Secrets
S0590 NBTscan (Citation: Debian nbtscan Nov 2019) (Citation: Dell TG-3390) (Citation: FireEye APT39 Jan 2019) (Citation: SecTools nbtscan June 2003) (Citation: Symantec Waterbug Jun 2019) (Citation: Trend Micro DRBControl February 2020) System Owner/User Discovery, Network Sniffing, System Network Configuration Discovery, Remote System Discovery, Network Service Discovery
S0663 SysUpdate (Citation: FOCUSFJORD) (Citation: HyperSSL) (Citation: Soldier) (Citation: Trend Micro Iron Tiger April 2021) Windows Management Instrumentation, Screen Capture, Fileless Storage, System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Internet Connection Discovery, DNS, Symmetric Cryptography, Windows Service, DLL, System Service Discovery, Code Signing, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Modify Registry, System Network Configuration Discovery, File and Directory Discovery, Masquerade Task or Service, Process Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, File Deletion, Software Packing, Systemd Service, Ingress Tool Transfer, Hidden Files and Directories, Service Execution
S0412 ZxShell (Citation: FireEye APT41 Aug 2019) (Citation: Secureworks BRONZEUNION Feb 2019) (Citation: Sensocode) (Citation: Talos ZxShell Oct 2014) VNC, Screen Capture, System Owner/User Discovery, Rundll32, Keylogging, Windows Service, System Service Discovery, System Information Discovery, Native API, Data from Local System, Exploit Public-Facing Application, Disable or Modify System Firewall, Modify Registry, Local Account, Clear Windows Event Logs, Create Process with Token, Video Capture, Proxy, File and Directory Discovery, Process Discovery, File Transfer Protocols, Disable or Modify Tools, Non-Standard Port, Query Registry, Endpoint Denial of Service, Uncommonly Used Port, Windows Command Shell, File Deletion, Web Protocols, Network Service Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Credential API Hooking, Commonly Used Port
S0070 HTTPBrowser (Citation: Dell TG-3390) (Citation: HttpDump) (Citation: Nccgroup Emissary Panda May 2018) (Citation: SecureWorks BRONZE UNION June 2017) (Citation: ThreatConnect Anthem) (Citation: ThreatStream Evasion Analysis) (Citation: Trend Micro Iron Tiger April 2021) Keylogging, DNS, Match Legitimate Resource Name or Location, DLL, File and Directory Discovery, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Windows Command Shell, File Deletion, Web Protocols, DLL Side-Loading, Ingress Tool Transfer, Commonly Used Port
