Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

ID: G0054
Contributors: Alan Neville, @abnev

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Sowbug has used the command line during its intrusions.[1]
Enterprise | T1003 | Credential Dumping | Sowbug has used credential dumping tools.[1]
Enterprise | T1002 | Data Compressed | Sowbug extracted documents and bundled them into a RAR archive.[1]
Enterprise | T1039 | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network.[1]
Enterprise | T1083 | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[1]
Enterprise | T1056 | Input Capture | Sowbug has used keylogging tools.[1]
Enterprise | T1036 | Masquerading | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[1]
Enterprise | T1135 | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim.[1]
Enterprise | T1082 | System Information Discovery | Sowbug obtained the OS version and hardware configuration from a victim.[1]

Software

ID | Name | References | Techniques
S0171 | Felismus | [1] | Command-Line Interface, Custom Cryptographic Protocol, Masquerading, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0188 | Starloader | [1] | Deobfuscate/Decode Files or Information, Masquerading