Group: Threat Group-3390, TG-3390, Emissary Panda

Threat Group-3390, TG-3390, Emissary Panda
ID: G0027
Aliases: Threat Group-3390, TG-3390, Emissary Panda

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1]

Alias Descriptions

  • Emissary Panda [2]

Techniques Used

  • Input Capture - Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers.[1]
  • Credential Dumping - Threat Group-3390 actors have used gsecdump to obtain passwords from memory. They have also dumped credentials from domain controllers.[1]
  • DLL Side-Loading - Threat Group-3390 actors use DLL side-loading. Actors have used legitimate Kaspersky anti-virus executables alongside a malicious DLL that acts as a stub loader, loading and executing the shellcode.[1]
  • Commonly Used Port - C2 traffic for most Threat Group-3390 tools occurs over ports 53, 80, and 443.[1]
  • Network Service Scanning - Threat Group-3390 actors use the Hunter and nbtscan tools to conduct network service discovery for vulnerable systems.[1]
  • Scheduled Task - Threat Group-3390 actors use at to schedule tasks that run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.
  • Data Compressed - Threat Group-3390 actors have compressed data into RAR files prior to exfiltration.[1]
  • Data Encrypted - Threat Group-3390 actors have encrypted data for exfiltration using the password "admin-windows2014" (with the year corresponding to the year of the intrusion).[1]
  • Data Staged - Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory. They have also staged RAR files, renamed with a .zip file extension, on externally accessible Web servers and then issued HTTP GET requests to exfiltrate the files from the victim network.[1]
  • Data from Local System - Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory on a victim system.[1]
  • Remote File Copy - After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[1]
  • Legitimate Credentials - Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[1]
  • External Remote Services - Threat Group-3390 actors look for and use VPN profiles during an operation to access the network through external VPN services.[1]