Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. [2] [3]

ID: G0027
Associated Groups: TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse
Version: 1.4
Created: 31 May 2017
Last Modified: 20 April 2021

Associated Group Descriptions

Name            Description
TG-3390         [1] [4] [5]
Emissary Panda  [6] [4] [3] [5] [7]
BRONZE UNION    [2] [4]
APT27           [4] [3] [5]
Iron Tiger      [5]
LuckyMouse      [3] [5]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[4]

Enterprise T1087 .001 Account Discovery: Local Account

Threat Group-3390 has used net user to conduct internal discovery of systems.[2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Threat Group-3390 malware has used HTTP for C2.[3]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[2]

Enterprise T1119 Automated Collection

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Threat Group-3390 tool can add the binary’s path to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to add persistence.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Threat Group-3390 has used PowerShell for execution.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-3390 has used command-line interfaces for execution.[2][7]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence.[4]

Enterprise T1005 Data from Local System

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[2]

Enterprise T1074 .002 Data Staged: Remote Data Staging

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.[2]

Enterprise T1030 Data Transfer Size Limits

Threat Group-3390 actors have split RAR files for exfiltration into parts.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[3]

Enterprise T1189 Drive-by Compromise

Threat Group-3390 has extensively used strategic web compromises to target victims.[1][3]

Enterprise T1203 Exploitation for Client Execution

Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604.[7]

Enterprise T1068 Exploitation for Privilege Escalation

Threat Group-3390 has used CVE-2014-6324 to escalate privileges.[2]

Enterprise T1210 Exploitation of Remote Services

Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network.[7]

Enterprise T1133 External Remote Services

Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.[1] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Threat Group-3390 has performed DLL search order hijacking to execute their payload.[4]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.[1][2][3][7]

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[2]

Enterprise T1070 .005 Indicator Removal on Host: Network Share Connection Removal

Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[2]

Enterprise T1105 Ingress Tool Transfer

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[1][5][3]

Enterprise T1112 Modify Registry

A Threat Group-3390 tool can create a new Registry key under HKEY_CURRENT_USER\Software\Classes\.[4]

Enterprise T1046 Network Service Scanning

Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[1][7]

Enterprise T1027 Obfuscated Files or Information

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[4][3][7]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[1][2]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]

Enterprise T1003 .004 OS Credential Dumping: LSA Secrets

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]

Enterprise T1055 .012 Process Injection: Process Hollowing

A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process.[4][3]

Enterprise T1012 Query Registry

A Threat Group-3390 tool can read and decrypt stored Registry values.[4]

Enterprise T1021 .006 Remote Services: Windows Remote Management

Threat Group-3390 has used WinRM to enable remote execution.[2]

Enterprise T1018 Remote System Discovery

Threat Group-3390 has used the net view command.[4]

Enterprise T1053 .002 Scheduled Task/Job: At (Windows)

Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Threat Group-3390 has used a variety of Web shells.[7]

Enterprise T1608 .002 Stage Capabilities: Upload Tool

Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.[1]

Enterprise T1608 .004 Stage Capabilities: Drive-by Target

Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.[6]

Enterprise T1016 System Network Configuration Discovery

Threat Group-3390 actors use NBTscan to discover vulnerable systems.[1]

Enterprise T1049 System Network Connections Discovery

Threat Group-3390 has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.[2]

Enterprise T1078 Valid Accounts

Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[1]

Enterprise T1047 Windows Management Instrumentation

A Threat Group-3390 tool can use WMI to execute a binary.[4]
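Several of the behaviours in the table above are built-in Windows commands (net user, net view, net use, quser.exe, appcmd.exe, at) that leave ordinary process-creation records, so the cheapest detection is a command-line match over that telemetry. The following is an added detection sketch, not code from MITRE ATT&CK or from any of the cited reports: it maps each matched command line to the ATT&CK ID this page assigns it and groups the hits by host. The key=value event format and all sample log lines are constructed for the example; real telemetry (Sysmon Event ID 1, Windows Event ID 4688) would need its own field mapping.

```python
"""Detection sketch for the command-line behaviours attributed to Threat Group-3390.

Assumptions (not from the page): process-creation events arrive as one line of
key=value pairs with the command line in a quoted cmdline="..." field.
"""
import re
from collections import defaultdict

# Each rule: ATT&CK ID (from the page), pattern over the command line, label.
# The net-use discovery rule excludes /delete so share removal is reported once.
RULES = [
    ("T1087.001", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\b", re.I),
     "net user: local account discovery"),
    ("T1018", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+view\b", re.I),
     "net view: remote system discovery"),
    ("T1049", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\b(?!.*/del)", re.I),
     "net use: network connection discovery"),
    ("T1049", re.compile(r"\bquser(?:\.exe)?\b", re.I),
     "quser: RDP session enumeration"),
    ("T1562.002", re.compile(r"\bappcmd(?:\.exe)?\b.*(?:dontlog|logging)", re.I),
     "appcmd: IIS logging configuration change"),
    ("T1053.002", re.compile(r"(?:^|\s)at(?:\.exe)?\s+(?:\\\\\S+\s+)?\d{1,2}:\d{2}", re.I),
     "at: scheduled task creation"),
    ("T1070.005", re.compile(r"\bnet(?:1)?(?:\.exe)?\s+use\s+\S+\s+/del", re.I),
     "net use /delete: network share connection removal"),
]

# Constructed sample events; hosts, users and paths are placeholders.
SAMPLE_EVENTS = [
    r'2021-04-20T10:01:02Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net user"',
    r'2021-04-20T10:01:09Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net view /domain"',
    r'2021-04-20T10:03:41Z host=SRV02 user=CORP\jdoe image=C:\Windows\System32\quser.exe cmdline="quser.exe"',
    r'2021-04-20T10:12:55Z host=WEB01 user=CORP\svc_web image=C:\Windows\System32\inetsrv\appcmd.exe cmdline="appcmd.exe set config /section:httpLogging /dontLog:True"',
    r'2021-04-20T10:20:17Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\at.exe cmdline="at \\FS01 23:00 update.exe"',
    r'2021-04-20T10:44:03Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net use Z: /delete"',
    r'2021-04-20T10:45:00Z host=WS01 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"',
    r'2021-04-20T10:50:31Z host=SRV02 user=CORP\jdoe image=C:\Windows\System32\net.exe cmdline="net use"',
]

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one constructed log line into a dict of its key=value fields."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def scan_events(lines):
    """Return (host, technique_id, label, cmdline) for every rule that matches."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for technique_id, pattern, label in RULES:
            if pattern.search(cmd):
                hits.append((ev.get("host", "?"), technique_id, label, cmd))
    return hits


def techniques_by_host(lines):
    """Group matched ATT&CK IDs per host, sorted, to show which hosts cluster the behaviours."""
    seen = defaultdict(set)
    for host, technique_id, _label, _cmd in scan_events(lines):
        seen[host].add(technique_id)
    return {host: sorted(ids) for host, ids in seen.items()}


if __name__ == "__main__":
    for host, technique_id, label, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{host:6} {technique_id:10} {label:50} {cmd}")
    print(techniques_by_host(SAMPLE_EVENTS))
```

Each rule on its own is noisy, since administrators run these commands too; the per-host grouping is the useful signal, because a single workstation emitting account discovery, remote system discovery, at-based task creation and share removal within an hour is closer to the sequence described in the table than any one command.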

Software

ID Name References Techniques
S0073 ASPXSpy Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1] Server Software Component: Web Shell
S0020 China Chopper [1][2][4][7] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0032 gh0st RAT [8] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0008 gsecdump [1] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0070 HTTPBrowser [1][2][4] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information
S0398 HyperBro [7][3][5] Application Layer Protocol: Web Protocols, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Process Injection, Screen Capture, System Service Discovery, System Services: Service Execution
S0357 Impacket [7] Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [2] System Network Configuration Discovery
S0002 Mimikatz Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.[2][4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1] Network Service Scanning, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [2] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0072 OwaAuth [1][2] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Server Software Component: Web Shell
S0013 PlugX [1][2][4] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0006 pwdump [7] OS Credential Dumping: Security Account Manager
S0005 Windows Credential Editor [1] OS Credential Dumping: LSASS Memory
S0412 ZxShell [8] Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Endpoint Denial of Service, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Network Service Scanning, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, Video Capture

References