Group: admin@338

admin@338 (Group)
ID: G0018
Aliases: admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

Alias Descriptions

  • admin@338 [1]

Techniques Used

  • Account Discovery - admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to enumerate user accounts: [1]
      net user >> %temp%\download
      net user /domain >> %temp%\download
  • Masquerading - admin@338 actors used the following command to rename one of their tools to a benign file name: [1]
      ren "%temp%\upload" audiodg.exe
  • File and Directory Discovery - admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: [1]
      dir c:\ >> %temp%\download
      dir "c:\Documents and Settings" >> %temp%\download
      dir "c:\Program Files\" >> %temp%\download
      dir d:\ >> %temp%\download
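A defender's view of the commands listed above, as an added example that is not part of the ATT&CK page: a small Python detection that tags Windows process-creation command lines (constructed samples here) with the technique they match. The sample lines, the regular expressions and the set of imitated binary names are assumptions for illustration, not anything quoted from the group's tooling.

```python
import re

# Constructed sample command lines, as they might appear in process-creation
# telemetry (Sysmon Event ID 1 or Windows Security 4688). The first four mirror
# the admin@338 commands quoted on this page; the rest are benign look-alikes.
SAMPLE_CMDLINES = [
    r'net user >> %temp%\download',
    r'net user /domain >> %temp%\download',
    r'dir "c:\Documents and Settings" >> %temp%\download',
    r'ren "%temp%\upload" audiodg.exe',
    r'net user alice',                          # admin use, no staging file
    r'dir c:\projects',                         # ordinary listing, no redirect
    r'ren report_draft.docx report_final.docx', # rename not from %temp%
]

# Output appended or redirected into a file under %temp% (the staging pattern
# shared by the enumeration commands above). Case-insensitive; a production rule
# would also match the expanded temp path, e.g. ...\AppData\Local\Temp\.
REDIRECT_TO_TEMP = re.compile(r'>>?\s*"?%temp%\\', re.IGNORECASE)
ENUM_CMD = re.compile(r'^\s*(net\s+user|dir)\b', re.IGNORECASE)

# Legitimate Windows binary names that a renamed tool might imitate (assumed
# list; audiodg.exe is the one quoted on this page).
SYSTEM_BINARY_NAMES = {'audiodg.exe'}
RENAME_FROM_TEMP = re.compile(r'^\s*ren\s+"?%temp%\\[^"\s]+"?\s+(\S+)', re.IGNORECASE)


def classify(cmdline):
    """Map one command line to the ATT&CK technique it matches, or None."""
    m = ENUM_CMD.match(cmdline)
    if m and REDIRECT_TO_TEMP.search(cmdline):
        # 'net user' enumerates accounts; 'dir' enumerates files/directories
        return ('Account Discovery' if m.group(1).lower().startswith('net')
                else 'File and Directory Discovery')
    m = RENAME_FROM_TEMP.match(cmdline)
    if m and m.group(1).lower() in SYSTEM_BINARY_NAMES:
        return 'Masquerading'
    return None


def scan(cmdlines):
    """Return (command line, technique) pairs for every line that matches."""
    hits = []
    for cmdline in cmdlines:
        technique = classify(cmdline)
        if technique:
            hits.append((cmdline, technique))
    return hits


if __name__ == '__main__':
    for cmdline, technique in scan(SAMPLE_CMDLINES):
        print(f'{technique:30} {cmdline}')
```

The redirect-to-%temp% condition is what separates the staged enumeration from routine `net user` or `dir` use; tuning it to your own temp paths keeps the rule from firing on every directory listing.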

Software