Threat Group-3390
Also known as: Earth Smilodon · TG-3390 · Emissary Panda · BRONZE UNION · APT27 · Iron Tiger · LuckyMouse · Linen Typhoon
Overview
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.
Targets
Defense · Government · Private sector · Technology
Regions
Australia · Canada · China · France · India · Iran · Israel · Japan · Russia · South Korea · Taiwan · Thailand · Turkey · United Kingdom · United States
Capabilities
- Supply-chain compromise — ATT&CK T1195.002
- Exploitation of public-facing / client applications — ATT&CK T1190, T1203
- Custom malware/implant development — ATT&CK: 12 attributed custom malware families
TTPs — 57 techniques across 13 tactics
Resource Development
- T1583.001 Domains
- T1588.002 Tool
- T1588.003 Code Signing Certificates
- T1608.001 Upload Malware
- T1608.002 Upload Tool
- T1608.004 Drive-by Target
Initial Access
- T1189 Drive-by Compromise
- T1190 Exploit Public-Facing Application
- T1195.002 Compromise Software Supply Chain
- T1199 Trusted Relationship
- T1566.001 Spearphishing Attachment
Execution
- T1047 Windows Management Instrumentation
- T1053.002 At
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
Persistence
- T1133 External Remote Services
- T1505.003 Web Shell
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1068 Exploitation for Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027.002 Software Packing
- T1027.013 Encrypted/Encoded File
- T1027.015 Compression
- T1055.012 Process Hollowing
- T1070.004 File Deletion
- T1070.005 Network Share Connection Removal
- T1078 Valid Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1574.001 DLL
Defense Impairment
- T1112 Modify Registry
- T1685.001 Disable or Modify Windows Event Log
Credential Access
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
- T1003.004 LSA Secrets
- T1555.005 Password Managers
Discovery
- T1012 Query Registry
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1087.001 Local Account
Lateral Movement
- T1021.006 Windows Remote Management
- T1210 Exploitation of Remote Services
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1074.002 Remote Data Staging
- T1119 Automated Collection
- T1560.002 Archive via Library
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Exfiltration
- T1030 Data Transfer Size Limits
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (24)
Net · Systeminfo · gsecdump · PlugX · ASPXSpy · Cobalt Strike · Mimikatz · Impacket · gh0st RAT · certutil · China Chopper · HTTPBrowser · Tasklist · netstat · SysUpdate · HyperBro · ZxShell · RCSession · ipconfig · Clambling · pwdump · NBTscan · Pandora · Windows Credential Editor
Reporting (3)
- How Microsoft names threat actors — Microsoft
- Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware — Lunghi, D. and Lu, K.
- Uncovering DRBControl — Lunghi, D. et al.