Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

ID: G0054
Contributors: Alan Neville, @abnev
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Sowbug has used the command line during its intrusions.[1]
Enterprise | T1003 | Credential Dumping | Sowbug has used credential dumping tools.[1]
Enterprise | T1002 | Data Compressed | Sowbug extracted documents and bundled them into a RAR archive.[1]
Enterprise | T1039 | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network.[1]
Enterprise | T1083 | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[1]
Enterprise | T1056 | Input Capture | Sowbug has used keylogging tools.[1]
Enterprise | T1036 | Masquerading | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[1]
Enterprise | T1135 | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim.[1]
Enterprise | T1082 | System Information Discovery | Sowbug obtained OS version and hardware configuration from a victim.[1]


Software

ID | Name | References | Techniques
S0171 | Felismus | [1] | Command-Line Interface, Custom Cryptographic Protocol, Masquerading, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0188 | Starloader | [1] | Deobfuscate/Decode Files or Information, Masquerading