Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. [2] [3]

ID: G0027
Version: 1.0

Associated Group Descriptions

Name | Description
TG-3390 | [1][4][5]
Emissary Panda | [6][4][3][5]
BRONZE UNION | [2][4]
APT27 | [4][3][5]
Iron Tiger | [5]
LuckyMouse | [3][5]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | Threat Group-3390 has used net user to conduct internal discovery of systems. [2]
Enterprise | T1119 | Automated Collection | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. [2]
Enterprise | T1088 | Bypass User Account Control | A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges. [4]
Enterprise | T1059 | Command-Line Interface | Threat Group-3390 has used command-line interfaces for execution. [2]
Enterprise | T1043 | Commonly Used Port | C2 traffic for most Threat Group-3390 tools occurs over ports 53, 80, and 443. [1]
Enterprise | T1003 | Credential Dumping | Threat Group-3390 actors have used gsecdump and a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers. [1][2]
Enterprise | T1002 | Data Compressed | Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. [2]
Enterprise | T1022 | Data Encrypted | Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. [2]
Enterprise | T1005 | Data from Local System | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories. [2]
Enterprise | T1074 | Data Staged | Threat Group-3390 has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with China Chopper. [2]
Enterprise | T1030 | Data Transfer Size Limits | Threat Group-3390 actors have split RAR files for exfiltration into parts. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder and compressed with LZNT1 compression. [3]
Enterprise | T1089 | Disabling Security Tools | Threat Group-3390 has used appcmd.exe to disable logging on a victim server. [2]
Enterprise | T1038 | DLL Search Order Hijacking | Threat Group-3390 has performed DLL search order hijacking to execute their payload. [4]
Enterprise | T1073 | DLL Side-Loading | Threat Group-3390 actors have used DLL side-loading: a malicious DLL placed alongside legitimate Kaspersky anti-virus binaries acts as a stub loader that loads and executes the shellcode. [1][2][3]
Enterprise | T1189 | Drive-by Compromise | Threat Group-3390 has extensively used strategic Web compromises to target victims. [1][3]
Enterprise | T1068 | Exploitation for Privilege Escalation | Threat Group-3390 has used CVE-2014-6324 to escalate privileges. [2]
Enterprise | T1133 | External Remote Services | Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. [1]
Enterprise | T1107 | File Deletion | Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim. [2]
Enterprise | T1056 | Input Capture | Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework ScanBox to capture keystrokes. [1][5][3]
Enterprise | T1112 | Modify Registry | A Threat Group-3390 tool can create a new Registry key under HKEY_CURRENT_USER\Software\Classes\. [4]
Enterprise | T1046 | Network Service Scanning | Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems. [1]
Enterprise | T1126 | Network Share Connection Removal | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection. [2]
Enterprise | T1050 | New Service | A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence. [4]
Enterprise | T1027 | Obfuscated Files or Information | A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder and compressed with LZNT1 compression. [4][3]
Enterprise | T1086 | PowerShell | Threat Group-3390 has used PowerShell for execution. [2]
Enterprise | T1055 | Process Injection | A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process. [4][3]
Enterprise | T1012 | Query Registry | A Threat Group-3390 tool can read and decrypt stored Registry values. [4]
Enterprise | T1108 | Redundant Access | Threat Group-3390 has deployed backup web shells and obtained OWA account credentials during intrusions, which it subsequently used to attempt to regain access when evicted from a victim network. [2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | A Threat Group-3390 tool can add the binary’s path to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to add persistence. [4]
Enterprise | T1105 | Remote File Copy | After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used. [1]
Enterprise | T1018 | Remote System Discovery | Threat Group-3390 has used the net view command. [4]
Enterprise | T1053 | Scheduled Task | Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Threat Group-3390 malware has used HTTP for C2. [3]
Enterprise | T1016 | System Network Configuration Discovery | Threat Group-3390 actors use nbtscan to discover vulnerable systems. [1]
Enterprise | T1049 | System Network Connections Discovery | Threat Group-3390 has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim. [2]
Enterprise | T1078 | Valid Accounts | Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. [1]
Enterprise | T1047 | Windows Management Instrumentation | A Threat Group-3390 tool can use WMI to execute a binary. [4]
Enterprise | T1028 | Windows Remote Management | Threat Group-3390 has used WinRM to enable remote execution. [2]
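
Most of the discovery, logging-tamper, scheduling and archiving rows above (net user, net view, net use, quser, nbtscan, appcmd.exe, at, RAR) leave a process command line, so one rule set can cover them. The Python below is an added example; it is not part of the ATT&CK page and not a tool used by the group. It runs such rules over constructed process-creation events (the Image/CommandLine/User field names assume a Sysmon Event ID 1 style log source) and tags each hit with the technique ID from the table. The appcmd and RAR command lines are constructed illustrations of the behaviour the rows describe, not captured samples.

```python
"""Detection of Threat Group-3390 command-line tradecraft in process-creation events.

Added example; not part of the ATT&CK page and not a tool used by the group.
Events are dicts with Sysmon Event ID 1 style field names (Image, CommandLine,
User); that naming is an assumption about the log source. Every event below is
constructed, including the appcmd and RAR command lines.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: one compromised user's session, a web server, a service account, and noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net  user /domain", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net1.exe", "CommandLine": "net1 view /domain", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\quser.exe", "CommandLine": "quser", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\inetsrv\appcmd.exe",
     "CommandLine": "appcmd set config /section:httpLogging /dontLog:True",
     "User": "IIS APPPOOL\\DefaultAppPool"},
    {"Image": r"C:\Windows\System32\at.exe",
     "CommandLine": r"at \\FILESRV01 13:37 C:\Windows\Temp\update.exe", "User": "CORP\\svc_backup"},
    {"Image": r"C:\Temp\r.exe",  # renamed rar.exe: the rule keys on arguments, not on the image name
     "CommandLine": r"r.exe a -hpS3cret! -v100m -r C:\Temp\out.rar C:\Users\jdoe\Documents\*.docx",
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": r"net use \\FILESRV01\share /delete", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net use", "User": "CORP\\jdoe"},
    {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net start", "User": "CORP\\jdoe"},          # no rule
    {"Image": r"C:\Program Files\Git\cmd\git.exe", "CommandLine": "git status", "User": "CORP\\jdoe"},   # no rule
]


@dataclass(frozen=True)
class Rule:
    techniques: tuple   # ATT&CK technique IDs taken from the table above
    description: str
    images: frozenset   # accepted image basenames (lowercase); empty means any image
    args_re: str        # regex applied to the lowercased argument string (program token removed)


NET = frozenset({"net.exe", "net1.exe"})  # net.exe hands most subcommands to net1.exe, so log both
RULES = [
    Rule(("T1087",), "net user: account discovery", NET, r"^user\b"),
    Rule(("T1018",), "net view: remote system discovery", NET, r"^view\b"),
    Rule(("T1049",), "net use: list connected shares", NET, r"^use\b(?!.*\s/del)"),
    Rule(("T1126",), "net use /delete: share detached after exfiltration", NET, r"^use\b.*\s/del(?:ete)?\b"),
    Rule(("T1049",), "quser: enumerate RDP sessions", frozenset({"quser.exe"}), r""),
    Rule(("T1016",), "nbtscan: NetBIOS sweep", frozenset({"nbtscan.exe"}), r""),
    Rule(("T1089",), "appcmd: IIS HTTP logging switched off", frozenset({"appcmd.exe"}), r"^set config\b.*/dontlog:true"),
    Rule(("T1053",), "at.exe: job scheduled, optionally on a remote host", frozenset({"at.exe"}),
         r"^(?:\\\\\S+\s+)?\d{1,2}:\d{2}\b"),
    # 'a' (add) with a password switch (-p / -hp) and a volume size (-v<n>[k|m|g]) = encrypted, split archive
    Rule(("T1002", "T1022", "T1030"), "RAR: password-protected archive split into volumes", frozenset(),
         r"^a\b(?=.*\s-h?p\S*)(?=.*\s-v\d+[kmg]?\b)"),
]


def normalise(event):
    """Return (image basename, lowercased argument string) for one event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = re.sub(r"\s+", " ", event.get("CommandLine", "")).strip()
    # Drop the program token (possibly quoted, possibly a full path) so rules see only the arguments.
    m = re.match(r'(?:"[^"]*"|\S+)\s*(.*)', cmd)
    args = m.group(1).lower() if m else ""
    return image, args


def detect(event):
    """Return the list of Rules that match one process-creation event."""
    image, args = normalise(event)
    hits = []
    for rule in RULES:
        if rule.images and image not in rule.images:
            continue
        if re.search(rule.args_re, args):
            hits.append(rule)
    return hits


def techniques_by_user(events):
    """Map each user to the set of distinct technique IDs their processes triggered."""
    out = {}
    for ev in events:
        for rule in detect(ev):
            out.setdefault(ev.get("User", "?"), set()).update(rule.techniques)
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for rule in detect(ev):
            print(f"{ev['User']:<28} {','.join(rule.techniques):<20} {rule.description}")
    for user, ids in techniques_by_user(SAMPLE_EVENTS).items():
        if len(ids) >= 3:  # breadth across techniques in one window is what routine admin work rarely shows
            print(f"escalate: {user} triggered {len(ids)} distinct techniques")
```

Taken alone, net user, net view and quser are also everyday administrator commands, so the individual hits are triage context rather than alerts; the per-user breadth count (discovery, then archiving, then share removal by the same account) is the signal worth paging on, which matches the chain the table describes. The RAR rule deliberately ignores the image name because the binary is commonly renamed, and it accepts both -p and -hp (the latter also encrypts archive headers, hiding file names).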

Software

ID | Name | References | Techniques
S0073 | ASPXSpy | [1] | Web Shell
  Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.
S0020 | China Chopper | [1][2][4] | Brute Force, Command-Line Interface, Data from Local System, File and Directory Discovery, Network Service Scanning, Remote File Copy, Scripting, Software Packing, Standard Application Layer Protocol, Timestomp, Web Shell
S0008 | gsecdump | [1] | Credential Dumping
S0070 | HTTPBrowser | [1][2][4] | Command-Line Interface, Commonly Used Port, DLL Search Order Hijacking, DLL Side-Loading, File and Directory Discovery, File Deletion, Input Capture, Masquerading, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0100 | ipconfig | [2] | System Network Configuration Discovery
S0002 | Mimikatz | [2][4] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
  Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.
S0039 | Net | [2] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0072 | OwaAuth | [1][2] | Data Encrypted, DLL Side-Loading, File and Directory Discovery, Input Capture, Masquerading, Standard Application Layer Protocol, Timestomp, Web Shell
S0013 | PlugX | [1][2][4] | Command-Line Interface, Commonly Used Port, Custom Command and Control Protocol, Deobfuscate/Decode Files or Information, DLL Side-Loading, Execution through API, File and Directory Discovery, Input Capture, Masquerading, Modify Existing Service, Modify Registry, Multiband Communication, Network Share Discovery, New Service, Process Discovery, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, Standard Application Layer Protocol, Standard Non-Application Layer Protocol, System Network Connections Discovery, Trusted Developer Utilities, Virtualization/Sandbox Evasion, Web Service
S0005 | Windows Credential Editor | [1] | Credential Dumping

References