G0002 Moafee

Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. ¹

Item	Value
ID	G0002
Associated Names
Version	1.1
Created	31 May 2017
Last Modified	30 March 2020
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1027	Obfuscated Files or Information	-
enterprise	T1027.001	Binary Padding	Moafee has been known to employ binary padding.¹

Software

ID	Name	References	Techniques
S0012	PoisonIvy	¹	Application Window Discovery Active Setup:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Data from Local System Local Data Staging:Data Staged Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information Dynamic-link Library Injection:Process Injection Rootkit

References

Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014. ↩↩↩