G0103 Mofang
Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim’s infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.[1]
Item | Value |
---|---|
ID | G0103 |
Associated Names | |
Version | 1.0 |
Created | 12 May 2020 |
Last Modified | 29 May 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1027 | Obfuscated Files or Information | Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.[1] |
enterprise | T1566.002 | Spearphishing Link | Mofang delivered spearphishing emails with malicious links included.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.001 | Malicious Link | Mofang’s spearphishing emails required a user to click the link to connect to a compromised website.[1] |
enterprise | T1204.002 | Malicious File | Mofang’s malicious spearphishing attachments required a user to open the file after receiving it.[1] |