admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

ID: G0018
Contributors: Tatsuya Daitoku, Cyber Defense Institute, Inc.
Version: 1.2
Created: 31 May 2017
Last Modified: 18 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[1]

Enterprise T1203 Exploitation for Client Execution

admin@338 has exploited client software vulnerabilities for execution, such as Microsoft Word CVE-2012-0158.[1]

Enterprise T1083 File and Directory Discovery

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> %temp%\download[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

admin@338 has sent emails with malicious Microsoft Office documents attached.[1]

Enterprise T1082 System Information Discovery

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download[1]

Enterprise T1016 System Network Configuration Discovery

admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: ipconfig /all >> %temp%\download[1]

Enterprise T1049 System Network Connections Discovery

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: netstat -ano >> %temp%\download[1]

Enterprise T1007 System Service Discovery

admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: net start >> %temp%\download[1]

Enterprise T1204 .002 User Execution: Malicious File

admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.[1]

Software

ID Name References Techniques
S0043 BUBBLEWRAP

[1]

Application Layer Protocol: Web Protocols, Non-Application Layer Protocol, System Information Discovery
S0100 ipconfig

[1]

System Network Configuration Discovery
S0042 LOWBALL

[1]

Application Layer Protocol: Web Protocols, Commonly Used Port, Ingress Tool Transfer, Web Service: Bidirectional Communication
S0039 Net

[1]

Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat

[1]

System Network Connections Discovery
S0012 PoisonIvy

[1]

Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit
S0096 Systeminfo

[1]

System Information Discovery

References