Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]

ID: G0027
Associated Groups: Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse
Contributors: Daniyal Naeem, BT Security; Kyaw Pyiyt Htet, @KyawPyiytHtet
Version: 2.1
Created: 31 May 2017
Last Modified: 29 March 2023

Associated Group Descriptions

Name Description
Earth Smilodon

[5]

TG-3390

[1][6][7]

Emissary Panda

[8][6][3][7][9][5]

BRONZE UNION

[2][6]

APT27

[6][3][7][5]

Iron Tiger

[7][5]

LuckyMouse

[3][7][5]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[6]

Enterprise T1087 .001 Account Discovery: Local Account

Threat Group-3390 has used net user to conduct internal discovery of systems.[2]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Threat Group-3390 has registered domains for C2.[10]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Threat Group-3390 malware has used HTTP for C2.[3]

Enterprise T1560 .002 Archive Collected Data: Archive via Library

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[2]

Enterprise T1119 Automated Collection

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Threat Group-3390's malware can add a Registry key to Software\Microsoft\Windows\CurrentVersion\Run for persistence.[6][10]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Threat Group-3390 has used PowerShell for execution.[2][4]

.003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-3390 has used command-line interfaces for execution.[2][9]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Threat Group-3390's malware can create a new service, sometimes naming it after the config information, to gain persistence.[6][10]

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Threat Group-3390 obtained a KeePass database from a compromised host.[4]

Enterprise T1005 Data from Local System

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[2]

.002 Data Staged: Remote Data Staging

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.[2]

Enterprise T1030 Data Transfer Size Limits

Threat Group-3390 actors have split RAR files for exfiltration into parts.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[3]

Enterprise T1189 Drive-by Compromise

Threat Group-3390 has extensively used strategic web compromises to target victims.[1][3]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Threat Group-3390 has exfiltrated stolen data to Dropbox.[4]

Enterprise T1190 Exploit Public-Facing Application

Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server.[5]

Enterprise T1203 Exploitation for Client Execution

Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor.[5]

Enterprise T1068 Exploitation for Privilege Escalation

Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges.[2][11]

Enterprise T1210 Exploitation of Remote Services

Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network.[9]

Enterprise T1133 External Remote Services

Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.[1] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Threat Group-3390 has performed DLL search order hijacking to execute their payload.[6]

.002 Hijack Execution Flow: DLL Side-Loading

Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants as well as rc.exe, a legitimate Microsoft Resource Compiler.[1][2][3][9][10]

Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[2][4]

.005 Indicator Removal: Network Share Connection Removal

Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[2]

Enterprise T1105 Ingress Tool Transfer

Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host .[1][4]

Enterprise T1056 .001 Input Capture: Keylogging

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[1][7][3]

Enterprise T1112 Modify Registry

A Threat Group-3390 tool has created new Registry keys under HKEY_CURRENT_USER\Software\Classes\ and HKLM\SYSTEM\CurrentControlSet\services.[6][5]

Enterprise T1046 Network Service Discovery

Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[1][9]

Enterprise T1027 Obfuscated Files or Information

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[6][3][9]

.002 Software Packing

Threat Group-3390 has packed malware and tools, including using VMProtect.[4][5]

Enterprise T1588 .002 Obtain Capabilities: Tool

Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.[9][1]

.003 Obtain Capabilities: Code Signing Certificates

Threat Group-3390 has obtained stolen valid certificates, including from VMProtect and the Chinese instant messaging application Youdu, for their operations.[10]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[1][2]

.002 OS Credential Dumping: Security Account Manager

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]

.004 OS Credential Dumping: LSA Secrets

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Threat Group-3390 has used e-mail to deliver malicious attachments to victims.[4]

Enterprise T1055 .012 Process Injection: Process Hollowing

A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process.[6][3]

Enterprise T1012 Query Registry

A Threat Group-3390 tool can read and decrypt stored Registry values.[6]

Enterprise T1021 .006 Remote Services: Windows Remote Management

Threat Group-3390 has used WinRM to enable remote execution.[2]

Enterprise T1018 Remote System Discovery

Threat Group-3390 has used the net view command.[6]

Enterprise T1053 .002 Scheduled Task/Job: At

Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Threat Group-3390 has used a variety of Web shells.[9]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

Threat Group-3390 has hosted malicious payloads on Dropbox.[4]

.002 Stage Capabilities: Upload Tool

Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.[1]

.004 Stage Capabilities: Drive-by Target

Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.[8]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Threat Group-3390 has compromised the Able Desktop installer to gain access to victim's environments.[5]

Enterprise T1016 System Network Configuration Discovery

Threat Group-3390 actors use NBTscan to discover vulnerable systems.[1]

Enterprise T1049 System Network Connections Discovery

Threat Group-3390 has used net use and netstat to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.[2]

Enterprise T1033 System Owner/User Discovery

Threat Group-3390 has used whoami to collect system user information.[4]

Enterprise T1199 Trusted Relationship

Threat Group-3390 has compromised third party service providers to gain access to victim's environments.[11]

Enterprise T1204 .002 User Execution: Malicious File

Threat Group-3390 has lured victims into opening malicious files containing malware.[4]

Enterprise T1078 Valid Accounts

Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[1]

Enterprise T1047 Windows Management Instrumentation

A Threat Group-3390 tool can use WMI to execute a binary.[6]

Software

ID Name References Techniques
S0073 ASPXSpy Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1][11] Server Software Component: Web Shell
S0160 certutil [4] Archive Collected Data: Archive via Utility, Deobfuscate/Decode Files or Information, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0020 China Chopper [1][2][6][9] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal: Timestomp, Ingress Tool Transfer, Network Service Discovery, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0660 Clambling [4][11][5] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Data from Local System, Deobfuscate/Decode Files or Information, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Input Capture: Keylogging, Modify Registry, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Query Registry, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Services: Service Execution, System Time Discovery, User Execution: Malicious File, Video Capture, Virtualization/Sandbox Evasion: Time Based Evasion, Web Service: Bidirectional Communication
S0154 Cobalt Strike [4] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0032 gh0st RAT [12] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, System Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0008 gsecdump [1] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0070 HTTPBrowser [1][2][6][5] Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information
S0398 HyperBro [9][3][7][4][5] Application Layer Protocol: Web Protocols, Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: File Deletion, Ingress Tool Transfer, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Process Injection, Screen Capture, System Service Discovery, System Services: Service Execution
S0357 Impacket [9] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [2] System Network Configuration Discovery
S0002 Mimikatz Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.[2][6][4][13][11] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1][4] Network Service Discovery, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [2] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0104 netstat [4] System Network Connections Discovery
S0664 Pandora [5] Application Layer Protocol: Web Protocols, Create or Modify System Process: Windows Service, Encrypted Channel: Symmetric Cryptography, Exploitation for Privilege Escalation, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Modify Registry, Obfuscated Files or Information, Process Discovery, Process Injection, Subvert Trust Controls: Code Signing Policy Modification, System Services: Service Execution, Traffic Signaling
S0013 PlugX [1][2][6][4][11] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: DLL Search Order Hijacking, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0006 pwdump [9] OS Credential Dumping: Security Account Manager
S0662 RCSession [5][4][11] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Process Discovery, Process Injection: Process Hollowing, Screen Capture, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery
S0096 Systeminfo [4] System Information Discovery
S0663 SysUpdate [5] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Create or Modify System Process: Systemd Service, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Hijack Execution Flow: DLL Side-Loading, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Masquerade Task or Service, Modify Registry, Native API, Obfuscated Files or Information: Fileless Storage, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Process Discovery, Screen Capture, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, System Owner/User Discovery, System Service Discovery, System Services: Service Execution, Windows Management Instrumentation
S0057 Tasklist [4] Process Discovery, Software Discovery: Security Software Discovery, System Service Discovery
S0005 Windows Credential Editor [1] OS Credential Dumping: LSASS Memory
S0412 ZxShell [12] Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Create Account: Local Account, Create or Modify System Process: Windows Service, Data from Local System, Endpoint Denial of Service, Exploit Public-Facing Application, File and Directory Discovery, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Indicator Removal: Clear Windows Event Logs, Indicator Removal: File Deletion, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Non-Standard Port, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: VNC, Remote Services: Remote Desktop Protocol, Screen Capture, System Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, System Services: Service Execution, Video Capture

References