G0039 Suckfly
Suckfly is a China-based threat group that has been active since at least 2014.[1]
| Item | Value |
|---|---|
| ID | G0039 |
| Associated Names | |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 15 April 2022 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Several tools used by Suckfly have been command-line driven.[2] |
| enterprise | T1046 | Network Service Discovery | Suckfly scanned the victim's internal network for hosts with ports 8080, 5900, and 40 open.[2] |
| enterprise | T1003 | OS Credential Dumping | Suckfly used a signed credential-dumping tool to obtain victim account credentials.[2] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.002 | Code Signing | Suckfly has used stolen certificates to sign its malware.[1] |
| enterprise | T1078 | Valid Accounts | Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.[2] |
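The T1046 entry above describes a classic internal port sweep: one compromised host probing many neighbours on a short list of ports (5900 is the VNC default, 8080 a common HTTP alternate, 40 is unassigned). The detection below is an added example, not part of this ATT&CK page or of any Symantec reporting on Suckfly. It runs over a constructed five-field connection log (timestamp, source, destination, destination port, action; a hypothetical format, not any product's) and flags sources that touch at least `min_hosts` distinct destinations on the watched ports. Keying on distinct destination hosts rather than raw connection count is what separates a sweep from a busy but legitimate client of a single server.

```python
"""Detect an internal port sweep of the kind described under T1046: one source
host probing many internal hosts on a small set of ports (8080, 5900, 40).

Added example. The log format is a hypothetical 'ts src dst dport action'
connection log, not any product's real format.
"""
from collections import defaultdict

# Ports the page reports Suckfly looking for on the victim network.
WATCHED_PORTS = {8080, 5900, 40}


def build_sample_log():
    """Constructed sample log (not real traffic): one sweeping host plus benign noise."""
    lines = []
    # 10.1.1.20 sweeps eight internal hosts (10.1.2.5 - 10.1.2.12) on each watched port.
    for port in (8080, 5900, 40):
        for last in range(5, 13):
            lines.append(f"2016-03-01T09:00:01Z 10.1.1.20 10.1.2.{last} {port} SYN")
    # 10.1.1.30 repeatedly uses one web server on 8080: many connections, one host, benign.
    lines += ["2016-03-01T09:05:00Z 10.1.1.30 10.1.2.5 8080 SYN"] * 20
    # 10.1.1.31 talks to several hosts on 443, which is not a watched port.
    lines += [f"2016-03-01T09:06:00Z 10.1.1.31 10.1.2.{last} 443 SYN" for last in range(5, 15)]
    return lines


def parse_line(line):
    """Parse one 'ts src dst dport action' record; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def detect_port_sweeps(lines, ports=WATCHED_PORTS, min_hosts=5):
    """Return {src: {"hosts": [...], "ports": [...]}} for every source that
    contacted at least min_hosts distinct destination hosts on the watched ports.
    """
    hosts = defaultdict(set)       # src -> distinct destinations on watched ports
    ports_seen = defaultdict(set)  # src -> which watched ports it touched
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["dport"] not in ports:
            continue
        hosts[rec["src"]].add(rec["dst"])
        ports_seen[rec["src"]].add(rec["dport"])
    return {
        src: {"hosts": sorted(dsts), "ports": sorted(ports_seen[src])}
        for src, dsts in hosts.items()
        if len(dsts) >= min_hosts
    }


if __name__ == "__main__":
    for src, info in detect_port_sweeps(build_sample_log()).items():
        print(f"{src}: {len(info['hosts'])} hosts on ports {info['ports']}")
```

On the constructed log only 10.1.1.20 is reported: 10.1.1.30 generates more connections but to a single host, and 10.1.1.31 spreads across hosts on a port that is not watched. In production the threshold and the port list should come from the environment's own baseline, and a time window should be added so that a host's contacts over a week are not pooled into one sweep.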
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S0118 | Nidiran | [1][2] | Create or Modify System Process: Windows Service, Ingress Tool Transfer, Masquerading: Masquerade Task or Service |