1. Home
  2. Groups
  3. Threat Group-3390

Threat Group-3390

Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims. [1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. [2] [3]

ID: G0027
Associated Groups: TG-3390, Emissary Panda, BRONZE UNION, APT27, Iron Tiger, LuckyMouse
Version: 1.5
Created: 31 May 2017
Last Modified: 12 October 2021

Associated Group Descriptions

Name Description
TG-3390

[1] [4] [5]
Emissary Panda

[6] [4] [3] [5][7]
BRONZE UNION

[2] [4]
APT27

[4] [3] [5]
Iron Tiger

[5]
LuckyMouse

[3] [5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.[4]
Enterprise T1087 .001 Account Discovery: Local Account

Threat Group-3390 has used net user to conduct internal discovery of systems.[2]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Threat Group-3390 malware has used HTTP for C2.[3]
Enterprise T1560 .002 Archive Collected Data: Archive via Library

Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration.[2]
Enterprise T1119 Automated Collection

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

A Threat Group-3390 tool can add the binary’s path to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to add persistence.[4]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Threat Group-3390 has used PowerShell for execution.[2]
.003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-3390 has used command-line interfaces for execution.[2][7]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence.[4]
Enterprise T1005 Data from Local System

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.[2]
Enterprise T1074 .001 Data Staged: Local Data Staging

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.[2]
.002 Data Staged: Remote Data Staging

Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.[2]
Enterprise T1030 Data Transfer Size Limits

Threat Group-3390 actors have split RAR files for exfiltration into parts.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[3]
Enterprise T1189 Drive-by Compromise

Threat Group-3390 has extensively used strategic web compromises to target victims.[1][3]
Enterprise T1203 Exploitation for Client Execution

Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604.[7]
Enterprise T1068 Exploitation for Privilege Escalation

Threat Group-3390 has used CVE-2014-6324 to escalate privileges.[2]
Enterprise T1210 Exploitation of Remote Services

Threat Group-3390 has exploited MS17-010 to move laterally to other systems on the network.[7]

Enterprise T1133 External Remote Services

Threat Group-3390 actors look for and use VPN profiles during an operation to access the network using external VPN services.[1] Threat Group-3390 has also obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network.[2]
Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Threat Group-3390 has performed DLL search order hijacking to execute their payload.[4]
.002 Hijack Execution Flow: DLL Side-Loading

Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.[1][2][3][7]
Enterprise T1562 .002 Impair Defenses: Disable Windows Event Logging

Threat Group-3390 has used appcmd.exe to disable logging on a victim server.[2]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim.[2]
.005 Indicator Removal on Host: Network Share Connection Removal

Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.[2]
Enterprise T1105 Ingress Tool Transfer

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[1]
Enterprise T1056 .001 Input Capture: Keylogging

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.[1][5][3]
Enterprise T1112 Modify Registry

A Threat Group-3390 tool can create a new Registry key under HKEY_CURRENT_USER\Software\Classes\.[4]
Enterprise T1046 Network Service Scanning

Threat Group-3390 actors use the Hunter tool to conduct network service discovery for vulnerable systems.[1][7]
Enterprise T1027 Obfuscated Files or Information

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[4][3][7]
Enterprise T1588 .002 Obtain Capabilities: Tool

Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor.[7] [1]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.[1][2]
.002 OS Credential Dumping: Security Account Manager

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]
.004 OS Credential Dumping: LSA Secrets

Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.[1][2]
Enterprise T1055 .012 Process Injection: Process Hollowing

A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process.[4][3]
Enterprise T1012 Query Registry

A Threat Group-3390 tool can read and decrypt stored Registry values.[4]
Enterprise T1021 .006 Remote Services: Windows Remote Management

Threat Group-3390 has used WinRM to enable remote execution.[2]
Enterprise T1018 Remote System Discovery

Threat Group-3390 has used the net view command.[4]
Enterprise T1053 .002 Scheduled Task/Job: At (Windows)

Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives, which install HTTPBrowser or PlugX on other victims on a network.[1]
Enterprise T1505 .003 Server Software Component: Web Shell

Threat Group-3390 has used a variety of Web shells.[7]
Enterprise T1608 .002 Stage Capabilities: Upload Tool

Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.[1]
.004 Stage Capabilities: Drive-by Target

Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.[6]
Enterprise T1016 System Network Configuration Discovery

Threat Group-3390 actors use NBTscan to discover vulnerable systems.[1]
Enterprise T1049 System Network Connections Discovery

Threat Group-3390 has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim.[2]
Enterprise T1078 Valid Accounts

Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks.[1]
Enterprise T1047 Windows Management Instrumentation

A Threat Group-3390 tool can use WMI to execute a binary.[4]

Software

ID Name References Techniques
S0073 ASPXSpy Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1] Server Software Component: Web Shell
S0020 China Chopper [1][2][4][7] Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter: Windows Command Shell, Data from Local System, File and Directory Discovery, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information: Software Packing, Server Software Component: Web Shell
S0032 gh0st RAT [8] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Dynamic Resolution: Fast Flux DNS, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Non-Application Layer Protocol, Process Discovery, Process Injection, Query Registry, Screen Capture, Shared Modules, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Services: Service Execution
S0008 gsecdump [1] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0070 HTTPBrowser [1][2][4] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, File and Directory Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information
S0398 HyperBro [7][3][5] Application Layer Protocol: Web Protocols, Hijack Execution Flow: DLL Side-Loading, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Native API, Process Injection, Screen Capture, System Service Discovery, System Services: Service Execution
S0357 Impacket [7] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0100 ipconfig [2] System Network Configuration Discovery
S0002 Mimikatz Threat Group-3390 has used a modified version of Mimikatz called Wrapikatz.[2][4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0590 NBTscan [1] Network Service Scanning, Network Sniffing, Remote System Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0039 Net [2] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0072 OwaAuth [1][2] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Custom Method, File and Directory Discovery, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Server Software Component: IIS Components, Server Software Component: Web Shell
S0013 PlugX [1][2][4] Application Layer Protocol: Web Protocols, Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create or Modify System Process: Windows Service, Deobfuscate/Decode Files or Information, File and Directory Discovery, Hijack Execution Flow: DLL Side-Loading, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Masquerade Task or Service, Modify Registry, Multiband Communication, Native API, Network Share Discovery, Non-Application Layer Protocol, Process Discovery, Query Registry, Screen Capture, System Network Connections Discovery, Trusted Developer Utilities Proxy Execution: MSBuild, Virtualization/Sandbox Evasion: System Checks, Web Service: Dead Drop Resolver
S0006 pwdump [7] OS Credential Dumping: Security Account Manager
S0005 Windows Credential Editor [1] OS Credential Dumping: LSASS Memory
S0412 ZxShell [8] Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Create or Modify System Process: Windows Service, Endpoint Denial of Service, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Disable or Modify System Firewall, Indicator Removal on Host: File Deletion, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Network Service Scanning, Process Discovery, Process Injection: Dynamic-link Library Injection, Proxy, Query Registry, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Screen Capture, Signed Binary Proxy Execution: Rundll32, System Information Discovery, System Owner/User Discovery, System Service Discovery, Video Capture

References

  1. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  2. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  3. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  4. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  1. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
  2. Gallagher, S.. (2015, August 5). Newly discovered Chinese hacking group hacked 100+ websites to use as “watering holes”. Retrieved January 25, 2016.
  3. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  4. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019.