Skip to content

G0054 Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. 1

Item Value
ID G0054
Associated Names
Version 1.1
Created 16 January 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility Sowbug extracted documents and bundled them into a RAR archive.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Sowbug has used command line during its intrusions.1
enterprise T1039 Data from Network Shared Drive Sowbug extracted Word documents from a file server on a victim network.1
enterprise T1083 File and Directory Discovery Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Sowbug has used keylogging tools.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.1
enterprise T1135 Network Share Discovery Sowbug listed remote shared drives that were accessible from a victim.1
enterprise T1003 OS Credential Dumping Sowbug has used credential dumping tools.1
enterprise T1082 System Information Discovery Sowbug obtained OS version and hardware configuration from a victim.1

Software

ID Name References Techniques
S0171 Felismus 1 Web Protocols:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter Standard Encoding:Data Encoding Symmetric Cryptography:Encrypted Channel Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Owner/User Discovery
S0188 Starloader 1 Deobfuscate/Decode Files or Information Match Legitimate Name or Location:Masquerading

References