Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

ID: G0054
Contributors: Alan Neville, @abnev
Version: 1.1
Created: 16 January 2018
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Sowbug extracted documents and bundled them into a RAR archive.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Sowbug has used command line during its intrusions.[1]

Enterprise T1039 Data from Network Shared Drive

Sowbug extracted Word documents from a file server on a victim network.[1]

Enterprise T1083 File and Directory Discovery

Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Sowbug has used keylogging tools.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\microsoft\security.[1]

Enterprise T1135 Network Share Discovery

Sowbug listed remote shared drives that were accessible from a victim.[1]

Enterprise T1003 OS Credential Dumping

Sowbug has used credential dumping tools.[1]

Enterprise T1082 System Information Discovery

Sowbug obtained OS version and hardware configuration from a victim.[1]

Software

ID Name References Techniques
S0171 Felismus [1] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Encrypted Channel: Symmetric Cryptography, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0188 Starloader [1] Deobfuscate/Decode Files or Information, Masquerading: Match Legitimate Name or Location

References