
G0027 Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [2] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors. [1][6][8]

| Item | Value |
|---|---|
| ID | G0027 |
| Associated Names | Earth Smilodon, TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse |
| Version | 2.0 |
| Created | 31 May 2017 |
| Last Modified | 11 April 2022 |

Associated Group Descriptions

| Name | Description |
|---|---|
| Earth Smilodon | [7] |
| TG-3390 | [2][9][5] |
| Emissary Panda | [4][9][6][5][3][7] |
| BRONZE UNION | [1][9] |
| APT27 | [9][6][5][7] |
| Iron Tiger | [5][7] |
| LuckyMouse | [6][5][7] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1548 | Abuse Elevation Control Mechanism | - |
| enterprise | T1548.002 | Bypass User Account Control | A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges. [9] |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | Threat Group-3390 has used net user to conduct internal discovery of systems. [1] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Threat Group-3390 malware has used HTTP for C2. [6] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration. [1] |
| enterprise | T1119 | Automated Collection | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user’s directories. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | A Threat Group-3390 tool can add the binary’s path to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to add persistence. [9] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Threat Group-3390 has used PowerShell for execution. [1][8] |
| enterprise | T1059.003 | Windows Command Shell | Threat Group-3390 has used command-line interfaces for execution. [1][3] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence. [9] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.005 | Password Managers | Threat Group-3390 obtained a KeePass database from a compromised host. [8] |
| enterprise | T1005 | Data from Local System | Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user’s directories. [1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts. [1] |
| enterprise | T1074.002 | Remote Data Staging | Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration. [1] |
| enterprise | T1030 | Data Transfer Size Limits | Threat Group-3390 actors have split RAR files for exfiltration into parts. [2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression. [6] |
| enterprise | T1189 | Drive-by Compromise | Threat Group-3390 has extensively used strategic web compromises to target victims. [2][6] |
| enterprise | T1567 | Exfiltration Over Web Service | - |
| enterprise | T1567.002 | Exfiltration to Cloud Storage | Threat Group-3390 has exfiltrated stolen data to Dropbox. [8] |
| enterprise | T1190 | Exploit Public-Facing Application | Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and the Exchange Server vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. [7] |
| enterprise | T1203 | Exploitation for Client Execution | Threat Group-3390 has exploited CVE-2018-0798 in Equation Editor. [7] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges. [1][10] |
| enterprise | T1210 | Exploitation of Remote Services | Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network. [3] |
| enterprise | T1133 | External Remote Services | Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services. [2] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Threat Group-3390 has performed DLL search order hijacking to execute their payload. [9] |
| enterprise | T1574.002 | DLL Side-Loading | Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code. [2][1][6][3] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.002 | Disable Windows Event Logging | Threat Group-3390 has used appcmd.exe to disable logging on a victim server. [1] |
| enterprise | T1070 | Indicator Removal on Host | - |
| enterprise | T1070.004 | File Deletion | Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim. [1][8] |
| enterprise | T1070.005 | Network Share Connection Removal | Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection. [1] |
| enterprise | T1105 | Ingress Tool Transfer | Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host. [2][8] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes. [2][5][6] |
| enterprise | T1112 | Modify Registry | A Threat Group-3390 tool has created new Registry keys under HKEY_CURRENT_USER\Software\Classes\ and HKLM\SYSTEM\CurrentControlSet\services. [9][7] |
| enterprise | T1046 | Network Service Discovery | Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems. [2][3] |
| enterprise | T1027 | Obfuscated Files or Information | A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression. [9][6][3] |
| enterprise | T1027.002 | Software Packing | Threat Group-3390 has packed malware and tools. [8] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor. [3][2] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers. [2][1] |
| enterprise | T1003.002 | Security Account Manager | Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers. [2][1] |
| enterprise | T1003.004 | LSA Secrets | Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers. [2][1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Threat Group-3390 has used e-mail to deliver malicious attachments to victims. [8] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.012 | Process Hollowing | A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process. [9][6] |
| enterprise | T1012 | Query Registry | A Threat Group-3390 tool can read and decrypt stored Registry values. [9] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.006 | Windows Remote Management | Threat Group-3390 has used WinRM to enable remote execution. [1] |
| enterprise | T1018 | Remote System Discovery | Threat Group-3390 has used the net view command. [9] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.002 | At | Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network. [2] |
| enterprise | T1505 | Server Software Component | - |
| enterprise | T1505.003 | Web Shell | Threat Group-3390 has used a variety of Web shells. [3] |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | Threat Group-3390 has hosted malicious payloads on Dropbox. [8] |
| enterprise | T1608.002 | Upload Tool | Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites. [2] |
| enterprise | T1608.004 | Drive-by Target | Threat Group-3390 has embedded malicious code into websites to screen a potential victim’s IP address and then exploit their browser if they are of interest. [4] |
| enterprise | T1195 | Supply Chain Compromise | - |
| enterprise | T1195.002 | Compromise Software Supply Chain | Threat Group-3390 has compromised the Able Desktop installer to gain access to victims’ environments. [7] |
| enterprise | T1016 | System Network Configuration Discovery | Threat Group-3390 actors use NBTscan to discover vulnerable systems. [2] |
| enterprise | T1049 | System Network Connections Discovery | Threat Group-3390 has used net use and netstat to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim. [1] |
| enterprise | T1033 | System Owner/User Discovery | Threat Group-3390 has used whoami to collect system user information. [8] |
| enterprise | T1199 | Trusted Relationship | Threat Group-3390 has compromised third-party service providers to gain access to victims’ environments. [10] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Threat Group-3390 has lured victims into opening malicious files containing malware. [8] |
| enterprise | T1078 | Valid Accounts | Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks. [2] |
| enterprise | T1047 | Windows Management Instrumentation | A Threat Group-3390 tool can use WMI to execute a binary. [9] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0073 | ASPXSpy | Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool. [2][10] | Web Shell:Server Software Component |
| S0160 | certutil | - | Deobfuscate/Decode Files or Information; Ingress Tool Transfer; Install Root Certificate:Subvert Trust Controls |
| S0020 | China Chopper | - | Web Protocols:Application Layer Protocol; Password Guessing:Brute Force; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; File and Directory Discovery; Timestomp:Indicator Removal on Host; Ingress Tool Transfer; Network Service Discovery; Software Packing:Obfuscated Files or Information; Web Shell:Server Software Component |
| S0660 | Clambling | - | Bypass User Account Control:Abuse Elevation Control Mechanism; Application Layer Protocol; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Data from Local System; Deobfuscate/Decode Files or Information; Exfiltration to Cloud Storage:Exfiltration Over Web Service; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; DLL Side-Loading:Hijack Execution Flow; Keylogging:Input Capture; Modify Registry; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Spearphishing Attachment:Phishing; Process Discovery; Process Injection; Process Hollowing:Process Injection; Query Registry; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; Service Execution:System Services; System Time Discovery; Malicious File:User Execution; Video Capture; Time Based Evasion:Virtualization/Sandbox Evasion; Bidirectional Communication:Web Service |
| S0154 | Cobalt Strike | - | Bypass User Account Control:Abuse Elevation Control Mechanism; Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Token Impersonation/Theft:Access Token Manipulation; Domain Account:Account Discovery; Application Layer Protocol; DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Python:Command and Scripting Interpreter; Visual Basic:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Commonly Used Port; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; Asymmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Multiband Communication; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Dynamic-link Library Injection:Process Injection; Process Hollowing:Process Injection; Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; Remote Desktop Protocol:Remote Services; SMB/Windows Admin Shares:Remote Services; Distributed Component Object Model:Remote Services; SSH:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation |
| S0032 | gh0st RAT | - | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Fast Flux DNS:Dynamic Resolution; Symmetric Cryptography:Encrypted Channel; Encrypted Channel; DLL Side-Loading:Hijack Execution Flow; Clear Windows Event Logs:Indicator Removal on Host; File Deletion:Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Non-Application Layer Protocol; Process Discovery; Process Injection; Query Registry; Screen Capture; Shared Modules; Rundll32:System Binary Proxy Execution; System Information Discovery; Service Execution:System Services |
| S0008 | gsecdump | - | LSA Secrets:OS Credential Dumping; Security Account Manager:OS Credential Dumping |
| S0070 | HTTPBrowser | - | Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Commonly Used Port; File and Directory Discovery; DLL Search Order Hijacking:Hijack Execution Flow; DLL Side-Loading:Hijack Execution Flow; File Deletion:Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Match Legitimate Name or Location:Masquerading; Obfuscated Files or Information |
| S0398 | HyperBro | - | Web Protocols:Application Layer Protocol; Deobfuscate/Decode Files or Information; DLL Side-Loading:Hijack Execution Flow; File Deletion:Indicator Removal on Host; Ingress Tool Transfer; Native API; Obfuscated Files or Information; Software Packing:Obfuscated Files or Information; Process Injection; Screen Capture; System Service Discovery; Service Execution:System Services |
| S0357 | Impacket | - | LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Network Sniffing; NTDS:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Kerberoasting:Steal or Forge Kerberos Tickets; Service Execution:System Services; Windows Management Instrumentation |
| S0100 | ipconfig | - | System Network Configuration Discovery |
| S0002 | Mimikatz | - | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; LSA Secrets:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Rogue Domain Controller; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Pass the Ticket:Use Alternate Authentication Material |
| S0590 | NBTscan | - | Network Service Discovery; Network Sniffing; Remote System Discovery; System Network Configuration Discovery; System Owner/User Discovery |
| S0039 | Net | - | Domain Account:Account Discovery; Local Account:Account Discovery; Domain Account:Create Account; Local Account:Create Account; Network Share Connection Removal:Indicator Removal on Host; Network Share Discovery; Password Policy Discovery; Domain Groups:Permission Groups Discovery; Local Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery |
| S0104 | netstat | - | System Network Connections Discovery |
| S0664 | Pandora | - | Web Protocols:Application Layer Protocol; Windows Service:Create or Modify System Process; Symmetric Cryptography:Encrypted Channel; Exploitation for Privilege Escalation; DLL Side-Loading:Hijack Execution Flow; Ingress Tool Transfer; Modify Registry; Obfuscated Files or Information; Process Discovery; Process Injection; Code Signing Policy Modification:Subvert Trust Controls; Service Execution:System Services; Traffic Signaling |
| S0013 | PlugX | - | DNS:Application Layer Protocol; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Commonly Used Port; Windows Service:Create or Modify System Process; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; DLL Search Order Hijacking:Hijack Execution Flow; DLL Side-Loading:Hijack Execution Flow; Ingress Tool Transfer; Keylogging:Input Capture; Masquerade Task or Service:Masquerading; Match Legitimate Name or Location:Masquerading; Modify Registry; Multiband Communication; Native API; Network Share Discovery; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Query Registry; Screen Capture; System Network Connections Discovery; MSBuild:Trusted Developer Utilities Proxy Execution; System Checks:Virtualization/Sandbox Evasion; Dead Drop Resolver:Web Service |
| S0006 | pwdump | - | Security Account Manager:OS Credential Dumping |
| S0662 | RCSession | - | Bypass User Account Control:Abuse Elevation Control Mechanism; Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Data from Local System; Encrypted Channel; DLL Side-Loading:Hijack Execution Flow; File Deletion:Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Masquerading; Modify Registry; Native API; Non-Application Layer Protocol; Obfuscated Files or Information; Process Discovery; Process Hollowing:Process Injection; Screen Capture; Msiexec:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery |
| S0096 | Systeminfo | - | System Information Discovery |
| S0663 | SysUpdate | - | Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Service:Create or Modify System Process; Deobfuscate/Decode Files or Information; File and Directory Discovery; Hidden Files and Directories:Hide Artifacts; DLL Side-Loading:Hijack Execution Flow; File Deletion:Indicator Removal on Host; Ingress Tool Transfer; Modify Registry; Software Packing:Obfuscated Files or Information; Obfuscated Files or Information; Screen Capture; System Information Discovery; Service Execution:System Services; Windows Management Instrumentation |
| S0057 | Tasklist | - | Process Discovery; Security Software Discovery:Software Discovery; System Service Discovery |
| S0005 | Windows Credential Editor | - | LSASS Memory:OS Credential Dumping |
| S0412 | ZxShell | - | Create Process with Token:Access Token Manipulation; Web Protocols:Application Layer Protocol; File Transfer Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Commonly Used Port; Local Account:Create Account; Windows Service:Create or Modify System Process; Data from Local System; Endpoint Denial of Service; Exploit Public-Facing Application; File and Directory Discovery; Disable or Modify Tools:Impair Defenses; Disable or Modify System Firewall:Impair Defenses; Clear Windows Event Logs:Indicator Removal on Host; File Deletion:Indicator Removal on Host; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Modify Registry; Native API; Network Service Discovery; Non-Standard Port; Process Discovery; Dynamic-link Library Injection:Process Injection; Proxy; Query Registry; VNC:Remote Services; Remote Desktop Protocol:Remote Services; Screen Capture; Rundll32:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; System Service Discovery; Service Execution:System Services; Video Capture |

References

  1. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  2. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  3. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  4. Gallagher, S. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016.
  5. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
  6. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  7. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  8. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  9. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  10. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  11. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  12. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.
