Group: Sowbug

ID G0054
Aliases Sowbug
Contributors Alan Neville, @abnev

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

Alias Descriptions

  • Sowbug [1]

Techniques Used

  • Data Compressed - Sowbug extracted documents and bundled them into a RAR archive. [1]
  • File and Directory Discovery - Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim. [1]
  • Masquerading - Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security. [1]
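The three behaviours above are each visible in process-creation telemetry. As an added example (not part of the ATT&CK page or any Sowbug tooling), the following detector applies one heuristic per technique to a few constructed Sysmon-style events; the sample image paths, command lines and regular expressions are assumptions chosen to illustrate the patterns, not observed indicators.

```python
import re

# Constructed sample process-creation events: (image path, command line).
# These are illustrative, not indicators taken from the ATT&CK page.
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Roaming\microsoft\security\adobecms.exe",
     r"adobecms.exe -c 1"),
    (r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c dir /s "C:\shares\docs\*.doc" "C:\shares\docs\*.docx"'),
    (r"C:\Program Files\WinRAR\Rar.exe",
     r"Rar.exe a -r C:\Users\alice\AppData\Local\Temp\out.rar C:\shares\docs\*.docx"),
    (r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
     r"AcroRd32.exe report.pdf"),
]

# Heuristics mirroring the listed behaviours (assumed patterns, tune per estate).
APPDATA_MASQUERADE = re.compile(
    r"\\AppData\\(Roaming|Local)\\microsoft\\security\\[^\\]*\.exe$", re.I)
ADOBE_NAME = re.compile(r"\\[^\\]*adobe[^\\]*\.exe$", re.I)   # Adobe-looking file name
DOC_SWEEP = re.compile(r"\*\.docx?\b", re.I)                   # *.doc / *.docx wildcard
RAR_BUNDLE = re.compile(r"\brar(\.exe)?\s+a\b", re.I)          # "rar a" = add to archive

def classify_event(image, cmdline):
    """Return the sorted list of technique labels this event matches ([] if none)."""
    hits = set()
    # Masquerading: Adobe-named binary running from outside any Adobe install path,
    # or any executable dropped under AppData\microsoft\security.
    if ADOBE_NAME.search(image) and "\\adobe\\" not in image.lower():
        hits.add("Masquerading")
    if APPDATA_MASQUERADE.search(image):
        hits.add("Masquerading")
    # File and Directory Discovery: recursive dir listing filtered to Word documents.
    if DOC_SWEEP.search(cmdline) and re.search(r"\bdir\b.*\s/s\b", cmdline, re.I):
        hits.add("File and Directory Discovery")
    # Data Compressed: collected files being added to a RAR archive.
    if RAR_BUNDLE.search(cmdline):
        hits.add("Data Compressed")
    return sorted(hits)

def scan(events):
    """Map event index -> labels, keeping only events that matched at least one rule."""
    results = {}
    for i, (image, cmdline) in enumerate(events):
        labels = classify_event(image, cmdline)
        if labels:
            results[i] = labels
    return results
```

Legitimate Acrobat Reader running from its install directory (event 3) produces no hit, which is the false-positive case the path check is there to exclude.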