ATT&CK v16 has been released! Check out the blog post for more information.

Suckfly

Suckfly is a China-based threat group that has been active since at least 2014. ^[1]

ID: G0039

Version: 1.1

Created: 31 May 2017

Last Modified: 15 April 2022

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Several tools used by Suckfly have been command-line driven.^[2]
Enterprise	T1046		Network Service Discovery	Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open.^[2]
Enterprise	T1003		OS Credential Dumping	Suckfly used a signed credential-dumping tool to obtain victim account credentials.^[2]
Enterprise	T1553	.002	Subvert Trust Controls: Code Signing	Suckfly has used stolen certificates to sign its malware.^[1]
Enterprise	T1078		Valid Accounts	Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.^[2]

Software

ID	Name	References	Techniques
S0118	Nidiran	^[1]^[2]	Create or Modify System Process: Windows Service, Ingress Tool Transfer, Masquerading: Masquerade Task or Service

References

DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.

DiMaggio, J. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.