admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

ID: G0018
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download ; net user /domain >> %temp%\download [1]
Enterprise | T1059 | Command-Line Interface | Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. [1]
Enterprise | T1083 | File and Directory Discovery | admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download ; dir "c:\Documents and Settings" >> %temp%\download ; dir "c:\Program Files\" >> %temp%\download ; dir d:\ >> %temp%\download [1]
Enterprise | T1036 | Masquerading | admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe [1]
Enterprise | T1069 | Permission Groups Discovery | admin@338 actors used the following command after exploiting a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download [1]
Enterprise | T1082 | System Information Discovery | admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download ; systeminfo >> %temp%\download [1]
Enterprise | T1016 | System Network Configuration Discovery | admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: ipconfig /all >> %temp%\download [1]
Enterprise | T1049 | System Network Connections Discovery | admin@338 actors used the following command after exploiting a machine with LOWBALL malware to display network connections: netstat -ano >> %temp%\download [1]
Enterprise | T1007 | System Service Discovery | admin@338 actors used the following command after exploiting a machine with LOWBALL malware to obtain information about services: net start >> %temp%\download [1]
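Nearly every discovery command in the table above appends its output to the same staging file, %temp%\download, and the masquerading step renames %temp%\upload to audiodg.exe; together these give a defender a concrete detection pattern. The Python below is an added example, not code from MITRE or from the cited report: it assumes a hypothetical flat process-creation log format (host=<name> cmd=<command line>) with constructed sample lines, and reports hosts where several distinct discovery techniques write to the staging file, or where the audiodg.exe rename appears at all.

```python
import re
from collections import defaultdict

# Discovery commands from the Techniques Used table above, keyed by technique ID.
DISCOVERY = {
    "T1087": r"^net\s+user\b",
    "T1083": r"^dir\s+",
    "T1069": r"^net\s+localgroup\b",
    "T1082": r"^(?:ver|systeminfo)\b",
    "T1016": r"^ipconfig\s+/all\b",
    "T1049": r"^netstat\s+-ano\b",
    "T1007": r"^net\s+start\b",
}
STAGING = re.compile(r">>\s*%temp%\\download\b", re.IGNORECASE)
MASQUERADE = re.compile(r'^ren\s+"?%temp%\\upload"?\s+audiodg\.exe\b', re.IGNORECASE)
CMD_PREFIX = re.compile(r"^cmd(?:\.exe)?\s+/c\s+", re.IGNORECASE)  # strip the cmd.exe wrapper

# Constructed process-creation records (hypothetical format: host=<name> cmd=<command line>).
SAMPLE_LOG = [
    r"host=WS01 cmd=cmd.exe /c net user >> %temp%\download",
    r"host=WS01 cmd=cmd.exe /c ipconfig /all >> %temp%\download",
    r"host=WS01 cmd=cmd.exe /c netstat -ano >> %temp%\download",
    r'host=WS01 cmd=cmd.exe /c ren "%temp%\upload" audiodg.exe',
    r"host=WS02 cmd=cmd.exe /c ipconfig /all",                # ordinary admin use, no staging file
    r"host=WS02 cmd=cmd.exe /c dir c:\ >> %temp%\download",   # a single hit stays below threshold
]

def classify(command):
    """Map one command line to a technique ID from the table, or None if it does not match."""
    cmd = CMD_PREFIX.sub("", command.strip())
    if MASQUERADE.search(cmd):
        return "T1036"
    if not STAGING.search(cmd):
        return None  # discovery output is not being appended to the staging file
    for tid, pattern in DISCOVERY.items():
        if re.match(pattern, cmd, re.IGNORECASE):
            return tid
    return None

def find_hosts(lines, min_techniques=3):
    """Return {host: sorted technique IDs} for hosts with >= min_techniques distinct hits or the rename."""
    hits = defaultdict(set)
    for line in lines:
        host, _, command = line.strip().partition(" cmd=")
        tid = classify(command)
        if tid:
            hits[host[len("host="):]].add(tid)
    return {h: sorted(t) for h, t in hits.items()
            if len(t) >= min_techniques or "T1036" in t}
```

Run find_hosts(SAMPLE_LOG) to see WS01 reported with four techniques while WS02, with one discovery hit, stays quiet; lower min_techniques to tune sensitivity against your own baseline of admin activity.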

Software

ID | Name | References | Techniques
S0043 | BUBBLEWRAP | [1] | Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Information Discovery
S0100 | ipconfig | [1] | System Network Configuration Discovery
S0042 | LOWBALL | [1] | Commonly Used Port, Remote File Copy, Standard Application Layer Protocol, Web Service
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0104 | netstat | [1] | System Network Connections Discovery
S0012 | PoisonIvy | [1] | Application Window Discovery, Command-Line Interface, Data from Local System, Data Staged, Input Capture, Modify Existing Service, Modify Registry, New Service, Obfuscated Files or Information, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Rootkit, Standard Cryptographic Protocol, Uncommonly Used Port
S0096 | Systeminfo | [1] | System Information Discovery

References