Group: admin@338

admin@338
Type: Group
ID: G0018
Aliases: admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

Techniques Used

  • Command-Line Interface - Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. [1]
  • System Information Discovery - admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: [1]
    • ver >> %temp%\download
    • systeminfo >> %temp%\download
  • Account Discovery - admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate local and domain user accounts: [1]
    • net user >> %temp%\download
    • net user /domain >> %temp%\download
  • System Service Discovery - admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list running services: net start >> %temp%\download [1]
  • Permission Groups Discovery - admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list members of a local group: net localgroup administrator >> %temp%\download [1] (Note that the built-in local group on Windows is named Administrators; the command as recorded names a group that does not exist by default, so its output would be an error rather than a member list.)
  • Masquerading - admin@338 actors used the following command to rename one of their tools to a benign file name matching a Windows system binary: ren "%temp%\upload" audiodg.exe [1]
  • File and Directory Discovery - admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: [1]
    • dir c:\ >> %temp%\download
    • dir "c:\Documents and Settings" >> %temp%\download
    • dir "c:\Program Files\" >> %temp%\download
    • dir d:\ >> %temp%\download
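The commands above are individually unremarkable; what distinguishes them from help-desk activity is that several different discovery commands append their output to one collection file under %temp% within a short window, followed by a rename to a system-binary name. The following detection logic is an added example written for this page, not code from MITRE or from the cited report. It runs over constructed process-creation records (host, timestamp, command line) that stand in for Sysmon Event ID 1 or Windows 4688 data; the field names, the alert threshold, and the extension of the masquerade name list beyond audiodg.exe are assumptions.

```python
"""Detect the admin@338 post-exploitation discovery pattern in process logs.

Added example; sample events below are constructed, not real telemetry.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands listed on the page, keyed by ATT&CK technique.
DISCOVERY_PATTERNS = {
    "System Information Discovery": re.compile(r"^(?:ver|systeminfo)\b", re.I),
    "Account Discovery": re.compile(r"^net\s+user\b", re.I),
    "System Service Discovery": re.compile(r"^net\s+start\b", re.I),
    "Permission Groups Discovery": re.compile(r"^net\s+localgroup\b", re.I),
    "File and Directory Discovery": re.compile(r"^dir\b", re.I),
}
# Output redirected into a file under %temp% or an expanded ...\Temp\ path.
TEMP_REDIRECT = re.compile(r">>?\s*\"?(?:%temp%|[a-z]:\\.*?\\temp)\\", re.I)
# Rename whose destination is the name of a Windows system binary.
# audiodg.exe comes from the page; the other names are an assumed extension.
SYSTEM_BINARY_NAMES = {"audiodg.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
RENAME = re.compile(r"^ren(?:ame)?\s+(?:\"[^\"]*\"|\S+)\s+\"?([^\"\s]+)\"?\s*$", re.I)
# Leading "cmd.exe /c " wrapper, so the inner command is what gets classified.
CMD_WRAPPER = re.compile(r"^\"?(?:[a-z]:\\[^\"]*\\)?cmd(?:\.exe)?\"?\s+/[ck]\s+", re.I)


def normalize(cmdline):
    return CMD_WRAPPER.sub("", cmdline.strip(), count=1).strip()


def classify(cmdline):
    """Return (technique or None, redirected_to_temp, masquerade_target or None)."""
    cmd = normalize(cmdline)
    technique = next((t for t, p in DISCOVERY_PATTERNS.items() if p.search(cmd)), None)
    redirected = bool(TEMP_REDIRECT.search(cmd))
    m = RENAME.match(cmd)
    target = m.group(1).rsplit("\\", 1)[-1].lower() if m else None
    masquerade = target if target in SYSTEM_BINARY_NAMES else None
    return technique, redirected, masquerade


def detect(events, window=timedelta(minutes=10), min_techniques=3):
    """Alert per host when >= min_techniques distinct discovery techniques
    write into a temp collection file within `window`; attach any rename
    to a system-binary name seen during or shortly after that burst."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        hits, renames = [], []
        for ev in evs:
            technique, redirected, masquerade = classify(ev["cmdline"])
            if technique and redirected:
                hits.append((ev["time"], technique))
            if masquerade:
                renames.append((ev["time"], ev["cmdline"]))
        for i, (t0, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            techniques = {h[1] for h in in_window}
            if len(techniques) >= min_techniques:
                t1 = in_window[-1][0]
                alerts.append({
                    "host": host, "first": t0, "last": t1,
                    "techniques": sorted(techniques),
                    "masquerade": [c for t, c in renames if t0 <= t <= t1 + window],
                })
                break  # one alert per host is enough for triage
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [  # constructed sample data
    {"host": "WS01", "time": _ts("2015-11-20T10:00:00"), "cmdline": r'cmd.exe /c ver >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:02"), "cmdline": r'cmd.exe /c systeminfo >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:05"), "cmdline": r'cmd.exe /c net user >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:07"), "cmdline": r'cmd.exe /c net user /domain >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:10"), "cmdline": r'cmd.exe /c net start >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:12"), "cmdline": r'cmd.exe /c net localgroup administrator >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:15"), "cmdline": r'cmd.exe /c dir c:\ >> %temp%\download'},
    {"host": "WS01", "time": _ts("2015-11-20T10:00:20"), "cmdline": r'cmd.exe /c ren "%temp%\upload" audiodg.exe'},
    # Help-desk style activity: same commands, but no collection file.
    {"host": "WS02", "time": _ts("2015-11-20T10:05:00"), "cmdline": r'cmd.exe /c systeminfo'},
    {"host": "WS02", "time": _ts("2015-11-20T10:05:30"), "cmdline": r'cmd.exe /c net user'},
    {"host": "WS02", "time": _ts("2015-11-20T10:06:00"), "cmdline": r'cmd.exe /c dir C:\Users'},
    # One redirected command with an expanded temp path: below the threshold.
    {"host": "WS03", "time": _ts("2015-11-20T11:00:00"), "cmdline": r'cmd.exe /c net user >> C:\Users\bob\AppData\Local\Temp\download'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Matching on the redirect rather than on the command names keeps single `systeminfo` or `net user` invocations by administrators out of the alert stream; the threshold of three distinct techniques in ten minutes is a starting point to tune against your own baseline, and the alert carries the first and last timestamps so the collection file (%temp%\download) and the renamed tool can be pulled for forensics.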

Software