admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

ID: G0018
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.
Version: 1.2
Created: 31 May 2017
Last Modified: 18 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

admin@338 actors used the following command to rename one of their tools to a benign file name: [1]

ren "%temp%\upload" audiodg.exe

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. [1]

Enterprise T1203 Exploitation for Client Execution

admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158. [1]

Enterprise T1083 File and Directory Discovery

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: [1]

dir c:\ >> %temp%\download
dir "c:\Documents and Settings" >> %temp%\download
dir "c:\Program Files\" >> %temp%\download
dir d:\ >> %temp%\download

Enterprise T1069.001 Permission Groups Discovery: Local Groups

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: [1]

net localgroup administrator >> %temp%\download

Enterprise T1204.002 User Execution: Malicious File

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails. [1]

Enterprise T1082 System Information Discovery

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: [1]

ver >> %temp%\download
systeminfo >> %temp%\download

Enterprise T1007 System Service Discovery

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: [1]

net start >> %temp%\download

Enterprise T1049 System Network Connections Discovery

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: [1]

netstat -ano >> %temp%\download

Enterprise T1016 System Network Configuration Discovery

admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: [1]

ipconfig /all >> %temp%\download

Enterprise T1087.001 Account Discovery: Local Account

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: [1]

net user >> %temp%\download
net user /domain >> %temp%\download
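An added detection example, not part of the ATT&CK entry or the cited report: it classifies constructed 4688-style process-creation records (the `<timestamp> <host> <event id> <command line>` layout is an assumption) against the commands listed above, keying on the shared `>> %temp%\download` staging pattern and the audiodg.exe rename, and raises one alert per host when several distinct discovery techniques occur within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY = {  # discovery commands from the entry -> ATT&CK technique IDs
    "dir": "T1083", "ver": "T1082", "systeminfo": "T1082",
    "net start": "T1007", "netstat": "T1049", "ipconfig": "T1016",
    "net user": "T1087.001", "net localgroup": "T1069.001",
}
# Staging into %temp%\download (every discovery command above) and the audiodg.exe rename
STAGE_RE = re.compile(r">>\s*%temp%\\download\b", re.IGNORECASE)
MASQ_RE = re.compile(r'\bren\s+"?%temp%\\upload"?\s+audiodg\.exe', re.IGNORECASE)
# Constructed sample records: "<timestamp> <host> <event id> <command line>"
SAMPLE_LOG = r"""
2015-11-18T10:02:11Z WS01 4688 cmd.exe /c dir c:\ >> %temp%\download
2015-11-18T10:02:12Z WS01 4688 cmd.exe /c net localgroup administrator >> %temp%\download
2015-11-18T10:02:13Z WS01 4688 cmd.exe /c netstat -ano >> %temp%\download
2015-11-18T10:02:15Z WS01 4688 cmd.exe /c ren "%temp%\upload" audiodg.exe
2015-11-18T11:41:00Z WS02 4688 cmd.exe /c dir c:\ >> c:\users\bob\list.txt
"""

def classify(cmdline):
    """Return the ATT&CK technique ID a command line matches, else None."""
    if MASQ_RE.search(cmdline):
        return "T1036.005"
    if not STAGE_RE.search(cmdline):
        return None  # ordinary admin use of dir/net/ipconfig is not flagged
    body = cmdline.lower()
    body = re.sub(r'^.*?cmd(\.exe)?"?\s+/c\s+', "", body)  # drop a cmd.exe /c wrapper
    for prefix, tid in DISCOVERY.items():
        if body.startswith(prefix):
            return tid
    return None

def detect(log_text, window_minutes=10, min_techniques=3):
    """Alert per host when >= min_techniques distinct techniques fall in one window."""
    by_host = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, host, _event_id, cmdline = line.split(" ", 3)
        tid = classify(cmdline)
        if tid:
            by_host[host].append((datetime.fromisoformat(ts.replace("Z", "+00:00")), tid))
    alerts, window = {}, timedelta(minutes=window_minutes)
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {tid for when, tid in hits[i:] if when - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts
```

Running `detect(SAMPLE_LOG)` flags WS01 only; the WS02 line redirects elsewhere and so matches nothing.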

Enterprise T1566.001 Phishing: Spearphishing Attachment

admin@338 has sent emails with malicious Microsoft Office documents attached. [1]

Software

References