
G0018 admin@338

admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]

Item Value
ID G0018
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 18 March 2020

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: [1]
    net user >> %temp%\download
    net user /domain >> %temp%\download
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer. [1]
enterprise T1203 Exploitation for Client Execution admin@338 has exploited client software vulnerabilities for execution, such as CVE-2012-0158 (the MSCOMCTL.OCX vulnerability, exploited via malicious Microsoft Word documents). [1]
enterprise T1083 File and Directory Discovery admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: [1]
    dir c:\ >> %temp%\download
    dir "c:\Documents and Settings" >> %temp%\download
    dir "c:\Program Files" >> %temp%\download
    dir d:\ >> %temp%\download
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location admin@338 actors used the following command to rename one of their tools to a benign file name (audiodg.exe is the name of the Windows audio engine binary, which normally resides in %SystemRoot%\System32): [1]
    ren "%temp%\upload" audiodg.exe
enterprise T1069 Permission Groups Discovery -
enterprise T1069.001 Local Groups admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: [1]
    net localgroup administrator >> %temp%\download
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment admin@338 has sent emails with malicious Microsoft Office documents attached. [1]
enterprise T1082 System Information Discovery admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: [1]
    ver >> %temp%\download
    systeminfo >> %temp%\download
enterprise T1016 System Network Configuration Discovery admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: [1]
    ipconfig /all >> %temp%\download
enterprise T1049 System Network Connections Discovery admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to display network connections: [1]
    netstat -ano >> %temp%\download
enterprise T1007 System Service Discovery admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: [1]
    net start >> %temp%\download
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails. [1]
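Every discovery command in the table above appends its output to the same staging file, %temp%\download, and the rename gives a file in %temp% the name of a Windows binary that normally lives only in %SystemRoot%\System32. Both patterns are visible in process-creation telemetry. The Python below is an added example written for this page, not code from MITRE or from the cited report: it scores Sysmon-style process-creation records per host, flags a chain of several distinct discovery techniques whose output is redirected to %temp%\download, and flags audiodg.exe being created by rename or launched from outside System32. The sample events, host names and PIDs are constructed, and the threshold of three distinct techniques is an assumption chosen for the example, not a documented admin@338 indicator.

```python
"""Detect the staged discovery chain and audiodg.exe masquerade described
on the admin@338 page. Example code; not MITRE's or the report's code."""
import re
from collections import defaultdict

# Constructed process-creation records (host, pid, command line), shaped like
# Sysmon Event ID 1 fields. Made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", 1200, r'cmd.exe /c net user >> %temp%\download'),
    ("WS01", 1201, r'cmd.exe /c net user /domain >> %temp%\download'),
    ("WS01", 1202, r'cmd.exe /c dir c:\ >> %temp%\download'),
    ("WS01", 1203, r'cmd.exe /c net localgroup administrator >> %temp%\download'),
    ("WS01", 1204, r'cmd.exe /c ver >> %temp%\download'),
    ("WS01", 1205, r'cmd.exe /c systeminfo >> %temp%\download'),
    ("WS01", 1206, r'cmd.exe /c ipconfig /all >> %temp%\download'),
    ("WS01", 1207, r'cmd.exe /c netstat -ano >> %temp%\download'),
    ("WS01", 1208, r'cmd.exe /c net start >> %temp%\download'),
    ("WS01", 1209, r'cmd.exe /c ren "%temp%\upload" audiodg.exe'),
    ("WS02", 3300, r'cmd.exe /c ipconfig /all'),                 # one-off admin use
    ("WS02", 3301, r'C:\Windows\System32\audiodg.exe 0x3a4'),    # legitimate audio engine
]

# Discovery commands quoted on this page, keyed by ATT&CK technique ID.
# "net user /domain" is checked first so it is not also counted as T1087.001.
DISCOVERY_PATTERNS = [
    ("T1087.002", re.compile(r"\bnet1?\s+user\s+/domain\b", re.I)),
    ("T1087.001", re.compile(r"\bnet1?\s+user\b(?!\s+/domain)", re.I)),
    ("T1083",     re.compile(r"\bdir\b", re.I)),
    ("T1069.001", re.compile(r"\bnet1?\s+localgroup\b", re.I)),
    ("T1082",     re.compile(r"\b(?:ver|systeminfo)\b", re.I)),
    ("T1016",     re.compile(r"\bipconfig\b", re.I)),
    ("T1049",     re.compile(r"\bnetstat\b", re.I)),
    ("T1007",     re.compile(r"\bnet1?\s+start\b", re.I)),
]

# Output redirected (> or >>) into the staging file %temp%\download.
STAGING_RE = re.compile(r">>?\s*\"?%temp%\\download\b", re.I)

# T1036.005: a file renamed/copied/moved to the audiodg.exe name, or an
# audiodg.exe started from anywhere but System32, where the real one lives.
RENAME_RE = re.compile(r"\b(?:ren|rename|move|copy)\b.*\baudiodg\.exe\b", re.I)
SYSTEM32 = "c:\\windows\\system32\\"


def classify(cmdline):
    """Return the set of discovery technique IDs a command line matches."""
    return {tid for tid, rx in DISCOVERY_PATTERNS if rx.search(cmdline)}


def is_masquerade(cmdline):
    """True for a rename to audiodg.exe or an audiodg.exe outside System32."""
    if RENAME_RE.search(cmdline):
        return True
    parts = cmdline.split()
    if not parts:
        return False
    exe = parts[0].strip('"').lower()
    return exe.endswith("audiodg.exe") and not exe.startswith(SYSTEM32)


def find_alerts(events, min_techniques=3):
    """Aggregate per host; alert on a staged multi-technique discovery chain
    (min_techniques is an assumed threshold) and on audiodg.exe masquerading."""
    per_host = defaultdict(lambda: {"techniques": set(), "staged": False, "masquerade": []})
    for host, pid, cmdline in events:
        state = per_host[host]
        tids = classify(cmdline)
        # Discovery output is only counted when it is appended to the staging file;
        # an interactive "ipconfig /all" on its own is normal admin activity.
        if tids and STAGING_RE.search(cmdline):
            state["techniques"] |= tids
            state["staged"] = True
        if is_masquerade(cmdline):
            state["masquerade"].append((pid, cmdline))

    alerts = []
    for host, state in sorted(per_host.items()):
        if state["staged"] and len(state["techniques"]) >= min_techniques:
            alerts.append({"host": host, "rule": "staged_discovery_chain",
                           "techniques": sorted(state["techniques"])})
        for pid, cmdline in state["masquerade"]:
            alerts.append({"host": host, "rule": "audiodg_masquerade",
                           "pid": pid, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events, only WS01 produces alerts: one staged discovery chain covering eight technique IDs and one masquerade hit for PID 1209. WS02's lone ipconfig and its System32 audiodg.exe stay quiet, which is the point of requiring the redirect to the staging file and checking the image path rather than the bare file name.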

Software

ID Name References Techniques
S0043 BUBBLEWRAP [1] Application Layer Protocol: Web Protocols; Non-Application Layer Protocol; System Information Discovery
S0100 ipconfig [1] System Network Configuration Discovery
S0042 LOWBALL [1] Application Layer Protocol: Web Protocols; Ingress Tool Transfer; Web Service: Bidirectional Communication
S0039 Net [1] Account Discovery: Domain Account; Account Discovery: Local Account; Create Account: Local Account; Create Account: Domain Account; Indicator Removal: Network Share Connection Removal; Network Share Discovery; Password Policy Discovery; Permission Groups Discovery: Local Groups; Permission Groups Discovery: Domain Groups; Remote Services: SMB/Windows Admin Shares; Remote System Discovery; System Network Connections Discovery; System Service Discovery; System Services: Service Execution; System Time Discovery
S0104 netstat [1] System Network Connections Discovery
S0012 PoisonIvy [1] Application Window Discovery; Boot or Logon Autostart Execution: Active Setup; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Data from Local System; Data Staged: Local Data Staging; Encrypted Channel: Symmetric Cryptography; Ingress Tool Transfer; Input Capture: Keylogging; Modify Registry; Obfuscated Files or Information; Process Injection: Dynamic-link Library Injection; Rootkit
S0096 Systeminfo [1] System Information Discovery

References