Suckfly

Suckfly is a China-based threat group that has been active since at least 2014. [1]

ID: G0039
Version: 1.1
Created: 31 May 2017
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Several tools used by Suckfly have been command-line driven.[2]

Enterprise T1046 Network Service Scanning

Suckfly the victim's internal network for hosts with ports 8080, 5900, and 40 open.[2]

Enterprise T1003 OS Credential Dumping

Suckfly used a signed credential-dumping tool to obtain victim account credentials.[2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Suckfly has used stolen certificates to sign its malware.[1]

Enterprise T1078 Valid Accounts

Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner.[2]

Software

ID Name References Techniques
S0118 Nidiran [1][2] Commonly Used Port, Create or Modify System Process: Windows Service, Ingress Tool Transfer, Masquerading: Masquerade Task or Service

References