Description
[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)
Techniques Used (TTPs)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1016 — System Network Configuration Discovery (discovery)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1083 — File and Directory Discovery (discovery)
- T1069.001 — Local Groups (discovery)
- T1049 — System Network Connections Discovery (discovery)
- T1087.001 — Local Account (discovery)
- T1203 — Exploitation for Client Execution (execution)
- T1007 — System Service Discovery (discovery)
- T1204.002 — Malicious File (execution)
- T1082 — System Information Discovery (discovery)
- T1059.003 — Windows Command Shell (execution)
Total TTPs: 12
Malware & Tools
Malware: BUBBLEWRAP, LOWBALL, PoisonIvy
Tools: Net, Systeminfo, ipconfig, netstat