Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group DragonOK. ^[1]

ID: G0002

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1027	.001	Obfuscated Files or Information: Binary Padding	Moafee has been known to employ binary padding.^[1]

Software

ID	Name	References	Techniques
S0012	PoisonIvy	^[1]	Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Active Setup, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, Process Injection: Dynamic-link Library Injection, Rootkit

References

Haq, T., Moran, N., Scott, M., & Vashisht, S. O. (2014, September 10). The Path to Mass-Producing Cyber Attacks [Blog]. Retrieved November 12, 2014.

Moafee

Enterprise Layer

Techniques Used

Software

References