G0054 Sowbug
Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. 1
Item | Value |
---|---|
ID | G0054 |
Associated Names | |
Version | 1.1 |
Created | 16 January 2018 |
Last Modified | 30 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1560 | Archive Collected Data | - |
enterprise | T1560.001 | Archive via Utility | Sowbug extracted documents and bundled them into a RAR archive.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Sowbug has used command line during its intrusions.1 |
enterprise | T1039 | Data from Network Shared Drive | Sowbug extracted Word documents from a file server on a victim network.1 |
enterprise | T1083 | File and Directory Discovery | Sowbug identified and extracted all Word documents on a server by using a command containing *.doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.1 |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Sowbug has used keylogging tools.1 |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.1 |
enterprise | T1135 | Network Share Discovery | Sowbug listed remote shared drives that were accessible from a victim.1 |
enterprise | T1003 | OS Credential Dumping | Sowbug has used credential dumping tools.1 |
enterprise | T1082 | System Information Discovery | Sowbug obtained OS version and hardware configuration from a victim.1 |
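The rows above describe behaviour, not signatures, so the following is an added example (not MITRE content, and not taken from the cited report) of how a detection engineer might turn the "Use" column into a first-pass triage over process-creation telemetry. It maps constructed Sysmon EID 1 / Security 4688-style records onto the technique IDs listed for Sowbug. Assumptions: the event shape (`image`, `command_line`) is a simplified stand-in for real telemetry; the file server name, user name and command lines are constructed; CSIDL_APPDATA resolves to %APPDATA% (`<profile>\AppData\Roaming`), which is why the masquerading rule checks that path. Keylogging (T1056.001) and credential dumping (T1003) get no rule because the page names no tool for them.

```python
"""Map constructed process-creation events to the Sowbug techniques above.

Added example, not part of the ATT&CK page or the cited report. The rules
are illustrative heuristics derived from the table's "Use" column; they are
not a vetted Sowbug signature set and will need tuning on real telemetry.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 shape)."""
    image: str          # full path of the created process
    command_line: str   # as logged

    @property
    def basename(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def directory(self) -> str:
        return ntpath.dirname(self.image).lower()


# Constructed sample events (not real telemetry). The last one is benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c dir \\FILESRV01\docs\*.doc *.docx /s /b > C:\Users\Public\list.txt"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\microsoft\security\adobecms.exe",
              r"adobecms.exe -s"),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\microsoft\security\rar.exe",
              r"rar.exe a -r C:\Users\Public\out.rar C:\Users\Public\docs\*.docx"),
    ProcEvent(r"C:\Windows\System32\net.exe", r"net view \\FILESRV01"),
    ProcEvent(r"C:\Windows\System32\systeminfo.exe", r"systeminfo"),
    ProcEvent(r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe",
              r"AcroRd32.exe report.pdf"),
]

# CSIDL_APPDATA -> %APPDATA% -> <profile>\AppData\Roaming, so the directory
# named on the page resolves to ...\appdata\roaming\microsoft\security.
MASQ_DIR = re.compile(r"\\appdata\\roaming\\microsoft\\security$")
# "dir ... *.doc / *.docx": the document-hunting command described under T1083.
DOC_GLOB = re.compile(r"\bdir\b.*\*\.docx?\b", re.IGNORECASE)
# "rar a ..." (add to archive); tolerates an optional quoted image path.
RAR_ADD = re.compile(r"\brar(?:\.exe)?\"?\s+a\b", re.IGNORECASE)
NET_SHARE = re.compile(r"\b(view|use)\b", re.IGNORECASE)

# (technique id, name, predicate) in the order the page lists them.
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1560.001", "Archive via Utility",
     lambda e: e.basename in {"rar.exe", "winrar.exe"}
               and RAR_ADD.search(e.command_line) is not None),
    ("T1059.003", "Windows Command Shell",
     lambda e: e.basename == "cmd.exe"),
    ("T1083", "File and Directory Discovery",
     lambda e: e.basename == "cmd.exe" and DOC_GLOB.search(e.command_line) is not None),
    ("T1036.005", "Match Legitimate Name or Location",
     lambda e: MASQ_DIR.search(e.directory) is not None
               or (e.basename == "adobecms.exe" and "\\program files" not in e.directory)),
    ("T1135", "Network Share Discovery",
     lambda e: e.basename in {"net.exe", "net1.exe"}
               and NET_SHARE.search(e.command_line) is not None),
    ("T1082", "System Information Discovery",
     lambda e: e.basename == "systeminfo.exe"),
]


def classify(event: ProcEvent) -> List[str]:
    """Return the technique IDs whose predicate fires for one event."""
    return [tid for tid, _name, pred in RULES if pred(event)]


def scan(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Group matching command lines by technique ID across a batch of events."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        for tid in classify(ev):
            hits.setdefault(tid, []).append(ev.command_line)
    return hits


if __name__ == "__main__":
    names = {tid: name for tid, name, _ in RULES}
    for tid, cmds in scan(SAMPLE_EVENTS).items():
        print(f"{tid} {names[tid]}")
        for c in cmds:
            print(f"    {c}")
```

Note that the constructed `rar.exe` event fires two rules at once (archiving under T1560.001 and the staging directory under T1036.005); stacking such hits per host is usually a better alert trigger than any single rule, since `dir *.docx` or `net view` on their own are common in benign administration.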