Threat Group-3390 | APT Profile

Description

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims.(Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.(Citation: SecureWorks BRONZE UNION June 2017)(Citation: Securelist LuckyMouse June 2018)(Citation: Trend Micro DRBControl February 2020)

Techniques Used (TTPs)

T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1030 — Data Transfer Size Limits (exfiltration)
T1190 — Exploit Public-Facing Application (initial-access)
T1046 — Network Service Discovery (discovery)
T1053.002 — At (execution, persistence, privilege-escalation)
T1055.012 — Process Hollowing (defense-evasion, privilege-escalation)
T1074.001 — Local Data Staging (collection)
T1203 — Exploitation for Client Execution (execution)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1003.001 — LSASS Memory (credential-access)
T1059.003 — Windows Command Shell (execution)
T1555.005 — Password Managers (credential-access)
T1566.001 — Spearphishing Attachment (initial-access)
T1012 — Query Registry (discovery)
T1003.004 — LSA Secrets (credential-access)
T1027.015 — Compression (defense-evasion)
T1204.002 — Malicious File (execution)
T1033 — System Owner/User Discovery (discovery)
T1608.001 — Upload Malware (resource-development)
T1505.003 — Web Shell (persistence)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1199 — Trusted Relationship (initial-access)
T1016 — System Network Configuration Discovery (discovery)
T1105 — Ingress Tool Transfer (command-and-control)
T1056.001 — Keylogging (collection, credential-access)
T1059.001 — PowerShell (execution)
T1562.002 — Disable Windows Event Logging (defense-evasion)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1608.004 — Drive-by Target (resource-development)
T1588.002 — Tool (resource-development)
T1018 — Remote System Discovery (discovery)
T1583.001 — Domains (resource-development)
T1189 — Drive-by Compromise (initial-access)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1003.002 — Security Account Manager (credential-access)
T1133 — External Remote Services (persistence, initial-access)
T1005 — Data from Local System (collection)
T1087.001 — Local Account (discovery)
T1195.002 — Compromise Software Supply Chain (initial-access)
T1548.002 — Bypass User Account Control (privilege-escalation, defense-evasion)
T1119 — Automated Collection (collection)
T1560.002 — Archive via Library (collection)
T1027.002 — Software Packing (defense-evasion)
T1588.003 — Code Signing Certificates (resource-development)
T1047 — Windows Management Instrumentation (execution)
T1071.001 — Web Protocols (command-and-control)
T1070.005 — Network Share Connection Removal (defense-evasion)
T1021.006 — Windows Remote Management (lateral-movement)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1070.004 — File Deletion (defense-evasion)
T1608.002 — Upload Tool (resource-development)
T1112 — Modify Registry (defense-evasion, persistence)
T1210 — Exploitation of Remote Services (lateral-movement)
T1074.002 — Remote Data Staging (collection)
T1049 — System Network Connections Discovery (discovery)

Total TTPs: 57

Malware & Tools

Malware: ASPXSpy, China Chopper, Clambling, Cobalt Strike, HTTPBrowser, HyperBro, Pandora, PlugX, RCSession, SysUpdate, ZxShell, gh0st RAT

Tools: Impacket, Mimikatz, NBTscan, Net, Systeminfo, Tasklist, Windows Credential Editor, certutil, gsecdump, ipconfig, netstat, pwdump

← Return to Home ← Back to APT Search