Group: Threat Group-3390, TG-3390, ...

ID: G0027
Aliases: Threat Group-3390, TG-3390, Emissary Panda, BRONZE UNION

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors.[2]

Alias Descriptions

  • Threat Group-3390 [1]
  • TG-3390 [1]
  • Emissary Panda [3]
  • BRONZE UNION [2]

Techniques Used

  • Input Capture - Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers.[1]
  • Credential Dumping - Threat Group-3390 actors have used gsecdump and a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[1][2]
  • DLL Side-Loading - Threat Group-3390 actors have used DLL side-loading. Actors have used legitimate Kaspersky anti-virus variants in which the DLL acts as a stub loader that loads and executes the shell code.[1][2]
  • Commonly Used Port - C2 traffic for most Threat Group-3390 tools occurs over ports 53, 80, and 443.[1]
  • Network Service Scanning - Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[1]
  • Scheduled Task - Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.
  • Data Compressed - Threat Group-3390 actors have compressed data into RAR files prior to exfiltration.[1]
  • Data Encrypted - Threat Group-3390 actors have encrypted data for exfiltration using the password "admin-windows2014" (with the year corresponding to the year of the intrusion).[1]
  • Data Staged - Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory. They have also staged RAR files, renamed with a .zip file extension, on externally accessible Web servers and then issued HTTP GET requests to exfiltrate the files from the victim network.[1]
  • Data from Local System - Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory on a victim system.[1]
  • Remote File Copy - After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[1]
  • Valid Accounts - Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[1]
  • External Remote Services - Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.[1]
  • System Network Connections Discovery - Threat Group-3390 has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.[2]
  • Account Discovery - Threat Group-3390 has used net user to conduct internal discovery of systems.[2]
  • PowerShell - Threat Group-3390 has used PowerShell for execution.[2]
  • File Deletion - Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[2]
  • Data Encrypted - Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[2]
  • Data Compressed - Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[2]
  • Automated Collection - Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]
  • Data from Local System - Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]
  • Data Staged - Threat Group-3390 has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with China Chopper.[2]
  • Redundant Access - Threat Group-3390 has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[2]
  • Valid Accounts - Threat Group-3390 has used OWA account credentials to attempt to regain access to a victim network after eviction.[2]
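The Data Staged entries above describe RAR archives renamed with a .zip extension and parked on externally accessible Web servers before being pulled out over HTTP GET. A defender can hunt for that staging pattern by trusting file content rather than file names. The script below is an added example, not part of the ATT&CK entry or any referenced report: it walks a directory, reads each file's leading bytes, and reports files whose content is RAR while their extension says otherwise. The sample webroot, its file names and the use of a temporary directory are constructed for the example.

```python
"""Flag archives staged under a misleading extension (added example).

Models the staging behaviour on this page (RAR renamed as .zip on a web
server) as a defender's check: compare each file's magic bytes with the
format its extension claims. Sample files are constructed in a temporary
directory so the script runs offline; names and layout are assumptions.
"""
import os
import tempfile
import zipfile

# Leading bytes of the container formats of interest.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"       # RAR 4.x archive
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive
ZIP_MAGIC = b"PK\x03\x04"              # ZIP local file header


def sniff_type(path):
    """Return 'rar', 'zip' or 'other' based on the first bytes of the file."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(RAR4_MAGIC) or head.startswith(RAR5_MAGIC):
        return "rar"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "other"


def find_disguised_archives(root):
    """Return (relative_path, extension, actual_type) for every file under
    root whose content is a RAR archive but whose extension is not .rar."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            actual = sniff_type(path)
            if actual == "rar" and ext != ".rar":
                findings.append((os.path.relpath(path, root), ext, actual))
    return sorted(findings)


def build_sample_webroot():
    """Construct a webroot with one disguised RAR, one real zip and one page."""
    root = tempfile.mkdtemp(prefix="webroot_")
    # Constructed: RAR header renamed with a .zip extension (the staging pattern).
    with open(os.path.join(root, "report.zip"), "wb") as f:
        f.write(RAR4_MAGIC + b"\x00" * 32)
    # Constructed: a legitimate zip archive; must not be flagged.
    with zipfile.ZipFile(os.path.join(root, "assets.zip"), "w") as z:
        z.writestr("readme.txt", "benign content")
    # Constructed: ordinary web content.
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html></html>")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, ext, actual in find_disguised_archives(root):
        print(f"{rel}: extension {ext} but content is {actual}")
```

Run it against a real document root (or the Recycler directory mentioned above) by passing that path to find_disguised_archives instead of the constructed one; because the check keys on content rather than name, it also catches archives renamed to .jpg, .txt or any other extension.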
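Several entries above are built from ordinary Windows commands (net use, net user, quser.exe, and at for scheduling on other hosts), none of which is suspicious on its own. The detection value comes from seeing several of them from one host in a short span. The script below is an added example, not code from the ATT&CK entry or the cited reports: it classifies process-creation command lines into those categories and raises an alert for a host where at least three distinct categories appear within a ten-minute window. The pipe-delimited log format, the host and user names, and the window and threshold values are all constructed assumptions to be tuned against a real baseline.

```python
"""Correlate discovery and remote-scheduling commands per host (added example).

Log lines are constructed in a simplified "timestamp|host|user|command_line"
form; the window and threshold are assumptions, not values from the page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOG = r"""
2019-03-04T10:01:12|WS01|corp\jdoe|net use \\FS01\share
2019-03-04T10:02:45|WS01|corp\jdoe|net user /domain
2019-03-04T10:04:03|WS01|corp\jdoe|quser.exe
2019-03-04T10:06:30|WS01|corp\jdoe|at \\WS07 13:00 c:\users\public\sfx.exe
2019-03-04T11:15:00|WS02|corp\asmith|net use \\FS01\share
2019-03-04T15:20:00|WS03|corp\bjones|quser.exe
"""


def classify(command_line):
    """Map a command line to a watched category, or None if not watched."""
    argv = command_line.strip().split()
    if not argv:
        return None
    image = argv[0].lower().rsplit("\\", 1)[-1]   # basename of the image
    if image in ("net", "net.exe", "net1", "net1.exe") and len(argv) > 1:
        sub = argv[1].lower()
        if sub == "use":
            return "net use"
        if sub == "user":
            return "net user"
    if image in ("quser", "quser.exe"):
        return "quser"
    # at targeting a remote host: second token is a UNC host name (\\HOST)
    if image in ("at", "at.exe") and len(argv) > 1 and argv[1].startswith("\\\\"):
        return "at remote"
    return None


def parse(log_text):
    """Parse log lines into (timestamp, host, user, category), keeping only
    events that fall into a watched category."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, cmd = line.split("|", 3)
        category = classify(cmd)
        if category:
            events.append((datetime.fromisoformat(ts), host, user, category))
    return events


def correlate(events, window=timedelta(minutes=10), min_distinct=3):
    """Return {host: sorted categories} for each host where at least
    min_distinct distinct watched categories occur within one window."""
    by_host = defaultdict(list)
    for ts, host, _user, category in events:
        by_host[host].append((ts, category))
    alerts = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {c for t, c in evs[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                alerts[host] = sorted(seen)
                break
    return alerts


if __name__ == "__main__":
    for host, cats in correlate(parse(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(cats)}")
```

With the constructed log, only WS01 crosses the threshold; WS02 and WS03 each show a single benign-looking command and stay quiet. In production the same logic runs over Sysmon Event ID 1 or Security Event ID 4688 command lines, and the categories can be extended with the other commands the page lists.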

Software

  • ASPXSpy - Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1]
  • Mimikatz - Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.[2]