Group: Threat Group-3390, TG-3390, ...

ID G0027
Aliases Threat Group-3390, TG-3390, Emissary Panda, BRONZE UNION

Threat Group-3390 is a Chinese threat group that has extensively used strategic web compromises (watering-hole attacks on sites its intended victims are known to visit) to target victims.1 The group has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors.2

Alias Descriptions

  • Threat Group-3390 - 1
  • TG-3390 - 1
  • Emissary Panda - 3

Techniques Used

  • DLL Side-Loading - Threat Group-3390 actors have used DLL side-loading. Actors have paired legitimate Kaspersky anti-virus binaries with a malicious DLL that the signed executable loads; the side-loaded DLL acts as a stub loader that loads and executes the shellcode.1 2
  • Data Encrypted - Threat Group-3390 actors have encrypted data for exfiltration using the password "admin-windows2014", with the year changed to match the year of the intrusion.1
  • Data Staged - Threat Group-3390 actors saved RAR files for exfiltration in the Recycler directory. They have also staged RAR files, renamed with a .zip file extension, on externally accessible Web servers and then issued HTTP GET requests to exfiltrate the files from the victim network.1
  • Remote File Copy - After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.1
  • Valid Accounts - Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.1
  • Redundant Access - Threat Group-3390 has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.2
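The Data Staged entry above gives a defender two concrete things to look for: RAR archives sitting under a non-.rar name (a renamed .zip in the web root, or anything in the Recycler directory) and the successful HTTP GETs that pull such a file out through the web server. The script below is an added example written for this page, not code from the ATT&CK entry or from any TG-3390 tooling: it sweeps a directory tree for files whose first bytes carry the RAR signature but whose extension is not .rar, and parses an IIS W3C log to flag successful GETs of archive files from addresses outside the organization. The internal address ranges, the IIS field layout, the file names and all log lines are constructed assumptions and should be replaced with the real ones.

```python
"""Hunt for the Data Staged / exfiltration pattern attributed to TG-3390:
RAR archives renamed to .zip on a web server (or dropped in the Recycler
directory) and then pulled out with plain HTTP GETs.

Added example code, not from the ATT&CK page or any TG-3390 tooling.
All sample files and log lines are constructed; the internal address
ranges below are an assumption to be replaced with the real ones."""
import os
import tempfile
from ipaddress import ip_address, ip_network

# RAR signatures: v1.5-4.x and v5.x share these first six bytes.
RAR_MAGIC = b"Rar!\x1a\x07"
ARCHIVE_EXTS = (".zip", ".rar", ".7z", ".cab")

# Explicit list rather than ipaddress.is_private: that property also treats
# the RFC 5737 documentation ranges used in the sample log as non-global,
# which would hide the "external" requester.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rar(head: bytes) -> bool:
    return head.startswith(RAR_MAGIC)


def find_masqueraded_rar(root: str) -> list:
    """Paths under root whose bytes say RAR but whose name does not end in .rar.
    Point this at the web root (renamed-.zip staging) or at
    C:\\$Recycle.Bin / C:\\Recycler (Recycler staging)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(RAR_MAGIC))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if is_rar(head) and not name.lower().endswith(".rar"):
                hits.append(path)
    return sorted(hits)


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_archive_downloads(log_text: str) -> list:
    """Successful GETs of archive files from non-internal addresses, parsed
    from an IIS W3C log (field order taken from its #Fields: line).
    Returns (client_ip, uri_stem, bytes_sent) tuples."""
    fields, flagged = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if len(rec) != len(fields):
            continue  # truncated line: skip
        if (rec["cs-method"] == "GET" and rec["sc-status"] == "200"
                and rec["cs-uri-stem"].lower().endswith(ARCHIVE_EXTS)
                and is_external(rec["c-ip"])):
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], int(rec["sc-bytes"])))
    return flagged


# Constructed IIS log: a benign image fetch, a large archive pulled by an
# external host, an internal archive fetch, and a failed external attempt.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status sc-bytes
2014-03-02 01:12:44 10.1.2.3 GET /images/logo.png - 80 198.51.100.7 200 4120
2014-03-02 01:13:10 10.1.2.3 GET /aspnet_client/upload.zip - 80 198.51.100.7 200 52428800
2014-03-02 01:14:02 10.1.2.3 GET /downloads/brochure.zip - 80 10.1.5.9 200 204800
2014-03-02 01:15:30 10.1.2.3 GET /aspnet_client/upload.zip - 80 203.0.113.5 404 1402
"""


def build_sample_tree() -> str:
    """Constructed web root: a RAR renamed to .zip, a real zip, a text file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        os.path.join("aspnet_client", "backup.zip"): RAR_MAGIC + b"\x00" * 64,
        os.path.join("downloads", "brochure.zip"): b"PK\x03\x04" + b"\x00" * 64,
        "robots.txt": b"User-agent: *\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for p in find_masqueraded_rar(build_sample_tree()):
        print("RAR masquerading as", p)
    for ip, uri, size in flag_archive_downloads(SAMPLE_IIS_LOG):
        print(f"archive pulled by {ip}: {uri} ({size} bytes)")
```

The content check deliberately ignores the file name and reads only the leading bytes, since a renamed archive is exactly what the extension is meant to hide; the log check keys on the combination of a successful status, an archive extension and an out-of-network client, which is the shape of the GET-based retrieval described above rather than any single field. Large sc-bytes values on such hits are the natural next filter.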